Windows Defender, More than just Antivirus – Part 1

Due to my professional activity as a Cyber Security Consultant, I regularly speak with customers about Windows Defender and find that many are not fully aware of all the features and capabilities that Windows Defender offers. Also, when reviewing existing implementations, I’ve noticed a pattern of some common issues. I guess the blog post title ‘Windows Defender, more than just Antivirus’ says it all. The objective of today’s blog post is to provide you with Read More …

Microsoft Defender ATP – Live Response

Back in May the Microsoft Defender Advanced Threat Protection team announced the availability of the Live response feature in MDATP. Today I took a closer look at this and thought I’d share my experiences and findings. What’s that live response thing again? “Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions Read More …

Data Collection Tier in Azure Security Center

Within the Azure Security Center, Security Policy node, you can select a workspace and there define the data collection configuration for security events: All Events, Common, Minimal or None. More details about the Azure Data Collection and the data collection tier can be found here. The page also has a list of all the Event IDs that are being collected within each tier. To better understand the exact meaning of each Event ID, I’ve created the Read More …

Collecting NetTcpConnection and Process information with PowerShell

If you need information on active TCP connections, you probably start with the netstat command. When using the -b or -o parameter, netstat will also list the executable involved in creating the connection or the owning Process ID, respectively. The output then looks as follows. In PowerShell we can use Get-NetTCPConnection to retrieve TCP connection information. When suspecting that something malicious is running on a device, I look at the TCP connections and want to know Read More …

Exploring Microsoft Security Update information with PowerShell

Nowadays regular deployment of security updates is a must, whether at home or within the enterprise. If you are responsible for keeping systems up to date, you deploy the latest updates as soon as possible. But it is equally important to understand the vulnerabilities being addressed by these updates. The Microsoft Security Update Guide allows you to find detailed information about security updates. Go to https://portal.msrc.microsoft.com/en-us/ and select “Go to the security update Guide”. Next Read More …

How to check if Control Flow Guard is enabled

Control Flow Guard helps mitigate exploits that are based on flow between code locations in memory. Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it’s compiled. So how do you check whether an application has Control Flow Guard enabled? For my own testing purposes I created two executables, one called ConsoleApplication1.exe that Read More …

PowerShell Script – Get-IscMSSecBulletinInfo

Hey there, the Internet Storm Center recently extended their REST API with some features for Microsoft Patch Data. So where there is a REST API, there’s an opportunity for a PowerShell script. The Get-IscMSSecBulletinInfo script can be found here: https://github.com/alexverboon/posh/blob/master/Security/Get-IscMSSecBulletinInfo.ps1 Cheers /Alex

MBSA 2.3 Preview Release Available

Based on a statement made by Microsoft in the August 2012 security bulletin, I wrote a short blog post back in November 2012 that there would be no MBSA version available for Windows 8. But it looks like plans have changed as Microsoft has now released a preview version of MBSA 2.3 that does provide support for Windows 8, Windows 8.1 as well as the new server editions. MBSA 2.3 release adds support for Windows Read More …

How to create a SCCM 2012 SP1 Configuration Baseline with Security Compliance Manager (SCM) 3.0

Most enterprises take advantage of Group Policies to manage security configuration settings across their server and desktop infrastructure. Usually once tested and implemented it’s assumed they get applied correctly. But can we be 100% sure that our clients and servers do actually receive these settings? With the help of the Microsoft Security Compliance Manager 3.0 and SCCM 2012 SP1 we can configure a security baseline to monitor security group policy settings compliance. To do so Read More …

No MBSA for Windows 8 planned

Many companies and individuals use the Microsoft Baseline Security Analyzer (MBSA) to assess the security state of their Windows Clients. But according to a statement from Microsoft in their August 2012 Security Bulletin, there are currently no plans to release an updated version for Windows 8. Q: Will the current version of MBSA support Windows 8? A: No, the current version of MBSA will not support Windows 8 and Microsoft currently has no plans to Read More …