https://www.verboon.info/tags/vulnerability/Recent content in Vulnerability on Anything About ITHugoen-usTue, 14 Dec 2021 21:25:13 +0000https://www.verboon.info/2021/12/how-to-detect-the-log4shell-vulnerability-cve-2021-44228-with-microsoft-endpoint-configuration-manager/Tue, 14 Dec 2021 21:25:13 +0000https://www.verboon.info/2021/12/how-to-detect-the-log4shell-vulnerability-cve-2021-44228-with-microsoft-endpoint-configuration-manager/<p>Hello there,</p> <p>These days everyone is trying to identify devices that are vulnerable to the Log4Shell Vulnerability (CVE-2021-44228). If your only systems management tool is Microsoft Endpoint Configuration Manager this blog is for you.</p> <p>You can of course create device collections based on installed programs, however log4j-core.jar files can be found in several locations in and outside the Program files folder. So in order to identify these files, we have to search for them on the entire disk. Here&rsquo;s the script I prepared for that.</p>https://www.verboon.info/2021/07/use-microsoft-endpoint-configuration-manager-to-stop-the-windows-print-spooler-service/Sat, 03 Jul 2021 13:23:55 +0000https://www.verboon.info/2021/07/use-microsoft-endpoint-configuration-manager-to-stop-the-windows-print-spooler-service/<p>Hello there,</p> <p>I guess by now, everyone has heard of the Windows Print Spooler Remote Code Execution Vulnerability (<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527">CVE-2021-34527</a>). At this time Microsoft recommends disabling the Print Spooler service on domain controllers and on servers where it is not needed or to Disable inbound remote printing through Group Policy. In this short blog post I will demonstrate how you can use Microsoft Endpoint Configuration Manager to identify systems where the print spooler service is running and how to stop and disable the service.</p>https://www.verboon.info/2019/11/how-to-generate-a-monthly-defender-atp-threat-and-vulnerability-report/Sun, 10 Nov 2019 23:00:53 +0000https://www.verboon.info/2019/11/how-to-generate-a-monthly-defender-atp-threat-and-vulnerability-report/<p><strong>Update 11 January 2020</strong> - Microsoft has updated the Advanced Hunting Schema, so ComputerName is now <strong>DeviceName</strong> in the queries.</p> <p>Just recently Microsoft <a href="https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Reducing-risk-with-new-Threat-amp-Vulnerability-Management/ba-p/978145">announced</a> that the Defender ATP advanced hunting schema was extended with the following tables:</p> <ul> <li> <p>DeviceTvmSoftwareInventoryVulnerabilities</p> </li> <li> <p>DeviceTvmSoftwareVulnerabilitiesKB</p> </li> <li> <p>DeviceTvmSecureConfigurationAssessment</p> </li> <li> <p>DeviceTvmSecureConfigurationAssessmentKB</p> </li> </ul> <p>This allows us to run advanced hunting queries to find and extract Defender ATP TVM data.</p> <p><a href="https://gist.github.com/alexverboon/d22727c0c8f0d8ca32953b5e2c79ba7f">https://gist.github.com/alexverboon/d22727c0c8f0d8ca32953b5e2c79ba7f</a></p> <p> <img src="images/111019_2300_Howtogenera1.png" alt=""> </p> <p>Now the people in your organization who are responsible for threat and vulnerability management might not necessarily have the knowledge of using the advanced hunting query language or are provided access to the Defender ATP console. So why not just send them a monthly report? Following is how to create a monthly Defender ATP TVM report using advanced hunting and Microsoft Flow.</p>