Forum Discussion
ASR in Intune for "Block persistence through WMI event subscription"
XPaulo
If you have other ASR rules applied, then you might look at this trick:
https://blog.mindcore.dk/2020/12/how-i-manage-my-device-from-endpoint.html
Okay, having a look,
Recommendations 11, 12 and 13 via ASR in Endpoint Manager.
Recommendation 14 implemented via PowerShell script, in accordance with our discussions; Windows devices must be managed by Intune, either registered or joined, and must be MDM, not MAM.
Recommendation 14 - interesting solution - I shall investigate your solution as blogged.
Recommendations 15 and 16 don't appear in my list of "global" recommendations, so they're already managed.
Recommendations 17 and 18 exist, but I'm not pushing these as I have MFA (I'll get to the golden ticket problem).
Recommendation 19 - nope, doesn't exist - so managed.
Recommendation 20 - I don't agree with, and that's domain, public and private - end users should know, IMHO.
I have 53 recommendations in total over 7 Windows 10 test devices, one of which is a dud. I changed the name before a restart and ended up with a bullcrap entry that pulls my score down. 30 days from now it should clear itself (I actually hate this, in that you can't delete obsolete or renamed devices), and then I'll push it back up to 180 days.
I run Sentinel. This was the solution that Microsoft used to discover the SolarWinds debacle (biggest hack to date). I have also read the FireEye post report as well, including the CISA alert. I also have MCSA enabled, and this also tells me a great deal.
At best I can get my security recommendations down to 16 on joined machines, 19 on registered, and then I have my bogus entry, and as of writing I am getting new reports on the Chrome browser.
My gut feeling: I can never get this to zero as my hardware is too old, and Microsoft keep upping the ante, as they should, based on what they see across a billion devices.
If you read this post
https://us-cert.cisa.gov/ncas/alerts/aa21-008a
and can implement it, you are doing well; then there are these:
https://github.com/CrowdStrike/CRT
https://github.com/T0pCyber/hawk
https://github.com/fireeye/Mandiant-Azure-AD-Investigator
https://github.com/cisagov/Sparrow
I am not exactly sure what you are trying to achieve. Perfection? Not going to happen; too many factors involved and way too many seriously smart and over-resourced organizations trying to find a way in.
I read a post somewhere that basically says: assume you are going to be breached. Eventually you will be, but then how long does it take you to realize it and close the door?
I tell you one thing, this is the most engaging conversation I have had on this forum, so if you feel like continuing to share, please keep replying. Remember though, I am an amateur; I don't have certifications yet that confirm my love of this content.
I am also on LinkedIn, my profile is here. Feel free if you think I am worthy to add me to your list.
The fact is I believe we have the same goals, and you might teach me a thing or two, and we cannot upset the Microsoft moderator by continuing to deviate from our posts.
https://www.linkedin.com/in/leon-scott-177bb113a/
Make sure you tell me its you.
Sincerely
Leon Scott.
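As an added example for the thread's subject (not code from either poster, and not the script Leon refers to for Recommendation 14), the following PowerShell checks whether the "Block persistence through WMI event subscription" ASR rule is actually enforced on a device, optionally enables it, and enumerates any WMI event subscriptions already present in root\subscription, which is the persistence chain the rule is meant to block. The rule GUID is Microsoft's published identifier for that rule and is assumed here; confirm it against the ASR rule reference before relying on it. Run it elevated on a Windows 10/11 device with Microsoft Defender Antivirus active; on Intune-managed devices, set the rule through the Endpoint security ASR profile rather than locally so the tenant policy stays authoritative.

```powershell
# Added example (not from the forum thread). Audits the "Block persistence
# through WMI event subscription" ASR rule and lists existing WMI subscriptions.
# Requires an elevated session on a device with Microsoft Defender AV.

# Published GUID for "Block persistence through WMI event subscription".
# Assumption: verify against Microsoft's ASR rule reference before use.
$WmiPersistenceRuleId = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'

# Set to $true to enable the rule locally if it is not already in Block mode.
$Remediate = $false

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToLower() })
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    $idx = [array]::IndexOf($ids, $RuleId.ToLower())
    if ($idx -lt 0) { return 'NotConfigured' }
    # Action values as returned by Get-MpPreference: 0 Off, 1 Block, 2 Audit, 6 Warn.
    switch ([int]$actions[$idx]) {
        0       { 'Disabled' }
        1       { 'Block' }
        2       { 'Audit' }
        6       { 'Warn' }
        default { "Unknown($($actions[$idx]))" }
    }
}

function Get-WmiEventSubscription {
    # A WMI persistence chain is a filter (trigger), a consumer (payload)
    # and a binding that ties them together. Enumerate all three.
    $ns = 'root\subscription'
    [pscustomobject]@{
        Filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
        Consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
        Bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)
    }
}

$state = Get-AsrRuleState -RuleId $WmiPersistenceRuleId
Write-Host "WMI persistence ASR rule state: $state"

if ($state -ne 'Block' -and $Remediate) {
    # Local enablement; on Intune-managed devices prefer the ASR profile.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $WmiPersistenceRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
    Write-Host "Rule now: $(Get-AsrRuleState -RuleId $WmiPersistenceRuleId)"
}

$subs = Get-WmiEventSubscription
Write-Host "Found $($subs.Bindings.Count) filter-to-consumer binding(s)."

# Bindings reference the filter and consumer by WMI object path, e.g.
# \\.\root\subscription:__EventFilter.Name="..."
foreach ($b in $subs.Bindings) {
    Write-Host "Binding: $($b.Filter) -> $($b.Consumer)"
}

# Filters show the WQL trigger; consumers show what runs (command line or script).
$subs.Filters   | Select-Object Name, Query
$subs.Consumers | Select-Object Name,
    @{ n = 'Class'; e = { $_.CimClass.CimClassName } },
    CommandLineTemplate, ScriptText
```

Anything returned by the consumer listing that is not a known management agent (a CommandLineEventConsumer or ActiveScriptEventConsumer with an unfamiliar payload) is worth investigating, since a subscription created before the rule was switched to Block is not removed by the rule and will keep firing.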