Forum Widgets
Latest Discussions
Using Group policy to auto install Security Intelligence Update for Microsoft Defender Antivirus
Hi Guys, I am trying to get a GPO to automatically install the update without user intervention. I have done the following settings but the update won't install. We currently use Fortinet FortiClient but I still want to keep Defender up to date. Any ideas on where i am going wrong? J.
Change tamper protected settings permanently
Hi there, I need to disable real-time monitoring permanently on a device. I can turn it off temporarily using troubleshooting mode but once tamper protection is back on, so is real-time monitoring. How do we actually permanently change tamper protected settings?MDE not detecting regsecrets.py from impacket-toolkit
In a recent red-team engagement we got exposed to the regsecrets.py toolkit which made it possible to extract SAM hive without any detection from the MDE. I have tried to use advanced hunting to see if there are any event that would make up for a good custom detection rule but no success yet, please share if you have any queries that works for you. Some information regarding this script: This script is a modification of secretsdump.py that uses a different technique to extract registry secrets (the logic regarding DCSync operations has been removed). It does not write files on the disk and does not perform reg save like operations. This allow recovering the SAM database and the LSA secrets while being less prone to detection by security product. All required keys are accessed using registry queries. To access keys within the SAM and SECURITY hives, the dwOption of BaseRegOpenKey allows passing the REG_OPTION_BACKUP_RESTORE value to disable any ACL checks performed, thus, allowing to access these registry keys normally restricted to the SYSTEM user. Thanks in advance for sharing some experience of detecting this.
Core Isolation False Positives
Why is there currently no way to white list or even submit Memory Integrity Core Isolation false positives to Microsoft? I have a services that is constantly detected (even though now it has been digitally signed by the vendor). When it is detected it stops the product from working correctly. There is no way to white list this service and the only way to currently work around it is to turn off Core Isolation. But our security teams are wanting to turn Core Isolation back on for users. How do we get this service looked at? I have tried submitting the file to Microsoft who say it isn't malicious but it's still getting detected. I don't have access to the MDE console so can't submit anything directly from there either.[MS Defender for Endpoint] Wanted guidance on Alerts API
Question: Which API is recommended for reliably sharing domain information, especially for integration with external tools? https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-info-by-id https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-related-domain-info How can I generate or simulate alerts so that the https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-related-domain-info API returns actual domain-related data? What are the best practices for selecting the appropriate API for this use case, considering I cannot use both in my integration? Things I have explored so far, Currently using https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-info-by-id API. Provides domain-related data in the evidence section. Example response includes entities with entityType as Url containing domain names and URLs both. Alert Response { "id": "da0c5a38e4-3ef4-4c75-a0ad-9af83e866cf1_1", "detectionSource": "WindowsDefenderAtp", "category": "CredentialAccess", "evidence": [ { "entityType": "Url", "url": "pub-8eab0c35f1eb4dacafaaa2b16d81a149.r2.dev" DOMAIN TYPE // ... Other fields }, { "entityType": "Url", "url": "https://example.com" URL TYPE // ... Other fields } ] // ... Other fields } Noticed another API: https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-related-domain-info. Purpose-built for retrieving domains related to alerts. Returns empty data object with no domains or hosts, even when generating alerts by accessing blocked domains. Custom IOC type domain has been added to endpoint indicators list and then accessed the same domain from windows machine. Ref: https://learn.microsoft.com/en-us/defender-endpoint/indicator-ip-domain#create-an-indicator-for-ips-urls-or-domains-from-the-settings-pageSecure Score for Devices
Hi, I need to query Defender for Endpoint to get the Secure Score for Devices. I need it in percent, but the "GET https://api.securitycenter.microsoft.com/api/configurationScore" only returns the current achieved points. And I cannot find a method to get the current total achiveable points. Anyone who knows how to get this ? (I have seen there are api's for this in defender for cloud) My second question is for the security center where you have a "Secure Score" that covers all areas. One of the sub categories for the total secure score is "Device", but that category has different "achiveable points" (currently 872 out of 927) than the points that are listed for the "Secure Score for Devices" (currently 949 out of 1004). Anyone knows why these are not in sync ?How to extract vulnerability details from Microsoft Defender?
With the KQL below, I'm able to retrieve only a few details about the vulnerability. DeviceInfo | summarize arg max(Timestamp, DeviceName, OSPlatform, SensorHealthState, OnboardingStatus) by DeviceId join kind inner ( DeviceLogonEvents where ActionType == "LogonSuccess" summarize arg max(Timestamp, AccountName, AccountDomain) by DeviceId extend Owner = strcat(AccountDomain, "\\", AccountName) ) on DeviceId | join kind=inner ( DeviceTvmSoftwareVulnerabilities | project DeviceId, Cveld, SoftwareName, VulnerabilitySeverityLevel, RecommendedSecurityUpdate ) on DeviceId OnboardingStatus, Cveld, SoftwareName, RecommendedSecurityUpdate However, I need additional details as below: Environment,OS Version,Vulnerability Name,Apps/Infra,Owner, Risk,CVSS, CVE ID, Solution, Vulnerability links,IP, Port,DNS/NETBIOS NAME, Plugin Output, Synopsis Description, Occurance, Ageing, Region, Plugin ID, Purpose, Exception, Application Is there a way or script (KQL or PowerShell) to retrieve these details from Microsoft Defender?
Defender Onboarding
I have domain joined device. Implementing Defender thru Intune Connector. (Connector Status is on - EDR policy is Deployed correctly) -ASR All Rules in place -AV policy in place 2 Same OS Version Device I tried to Onboard 1 got onboarded & 1 Did not. Not sure why? Also Domain joined 1 Device got on boarded with some issue where Realtime Protection and Behavior monitoring is disabled. Any Solution ? Please Don't Recommend to make any changes to GPO thru Onprem. Help me to resolve issue thru intune.Defender for Endpoint/Identity not logging eventid 4625
During some on-prem pen-testing password-sprays were conducted and defender did not alert in any way and even digging in the advanced hunting did not show enough indication of this attack. We were also ingesting the logs(Eventid 4624 and 4625) from a domain-controller which made it possible to create an SIEM-rule to detect the behavior but the question is what is missing for Defender to pick this up or atleast log the events to make custom detection an option? The Domaincontroller that generated the SIEM-logs was onboarded with a type of "domain controller", defender for identity is also enabled. Does any users have this experience with Defender is missing pen-test activities?
