Forum Discussion
How to Deal with Undetected Malware?
Hi Reza_Ameri-Archived,
On DART, we used a lot of Microsoft Threat Protection \ Defender ATP custom detections paired with response actions to deal with this. Using this approach, you can isolate machines, block files by hash or certificate, run a quick scan, or collect a forensics package.
What you're referring to falls more in line with hardening than preventing a 0-day. You can definitely use AppLocker to prevent malware, but it really depends on how it was set up. I'd recommend checking out AaronLocker - a config written by Aaron Margosis some time ago: https://github.com/Microsoft/AaronLocker.
Other protections would be attack surface reduction (ASR) https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction, exploit protection (sort of like the new EMET) https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection, or Application Guard https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.
At the end of the day, what really makes an attack successful (in my opinion) is availability of credentials with widespread administrative authority. Keep tabs on delegations made on the root object of the domain (the domainDns object), user rights (especially on domain controllers), and permissions to the AdminSDHolder object. It's that whole assume-breach mentality, and why many customers are moving towards Azure AD joined devices since it decouples identity from authorization, uses strong authentication, and decouples authentication from authorization. Check out the famous Pass the Hash whitepaper for those: https://aka.ms/pth
Last, microservices are the way to go. Avoid having one huge monolithic infrastructure, instead favoring smaller containerized services which only have access to what they need to operate.
The other place to keep an eye on is Defender ATP's threat and vulnerability management capability which can identify vulnerable applications, including which applications have an exploit in the wild. This paired with the Threat Analytics dashboard should keep you informed of many of the exploitation-centric threats to your infrastructure.
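A worked example of the "keep tabs on delegations" advice above, added here and not part of the original post: it reads the ACLs of the domain root (domainDNS) object and of CN=AdminSDHolder,CN=System and reports any Allow ACE that grants control-equivalent rights (GenericAll, WriteDacl, WriteOwner, WriteProperty over all attributes) or DCSync-style replication extended rights to a principal outside a baseline list. It assumes the RSAT ActiveDirectory module in a domain-joined session; the baseline of expected principals is an assumption to tune for your forest (in a child domain, Enterprise Admins carries the root domain's NetBIOS name).

```powershell
# Added example, not from the original thread. Audits the domain root and
# AdminSDHolder ACLs for control-equivalent delegations held by anyone outside a
# baseline. Assumes the RSAT ActiveDirectory module (provides the AD: drive).
Import-Module ActiveDirectory

# Rights that let a principal take over the object outright.
$ControlRights = 'GenericAll|WriteDacl|WriteOwner'
$AllObjectsGuid = '00000000-0000-0000-0000-000000000000'

# Well-known extended-right GUIDs that permit replication of directory secrets (DCSync).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-RiskyAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string[]]$Baseline   # principals expected to hold these rights
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($Baseline -contains $id) { continue }

        $rights = $ace.ActiveDirectoryRights.ToString()
        $guid   = $ace.ObjectType.ToString()
        $reason = $null

        if ($rights -match $ControlRights) {
            $reason = "control right: $rights"
        }
        # WriteProperty scoped to a single attribute is common; flag it only when
        # ObjectType is the all-zero GUID, meaning every attribute.
        elseif ($rights -match 'WriteProperty' -and $guid -eq $AllObjectsGuid) {
            $reason = 'WriteProperty on all attributes'
        }
        # ExtendedRight with the all-zero GUID means *all* extended rights, which
        # includes the replication rights; otherwise match the specific GUIDs.
        elseif ($rights -match 'ExtendedRight' -and
                ($guid -eq $AllObjectsGuid -or $ReplicationRights.ContainsKey($guid))) {
            $name = if ($guid -eq $AllObjectsGuid) { 'all extended rights' } else { $ReplicationRights[$guid] }
            $reason = "replication/extended right: $name"
        }

        if ($reason) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Identity  = $id
                Rights    = $rights
                Inherited = $ace.IsInherited
                Reason    = $reason
            }
        }
    }
}

$domain = Get-ADDomain
$nb     = $domain.NetBIOSName

# Baseline is an assumption: principals that legitimately hold control rights here.
$baseline = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$nb\Domain Admins",
    "$nb\Enterprise Admins",
    "$nb\Domain Controllers",
    "$nb\Enterprise Read-only Domain Controllers",
    "$nb\Key Admins",
    "$nb\Enterprise Key Admins"
)

# Domain root: delegations here are inherited down the whole tree unless blocked.
# AdminSDHolder: SDProp stamps this ACL onto every protected account (default every 60 min),
# so an extra ACE here becomes control over all Domain Admins, Enterprise Admins, etc.
$targets = @(
    $domain.DistinguishedName,
    "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
)

$findings = foreach ($dn in $targets) {
    Get-RiskyAce -DistinguishedName $dn -Baseline $baseline
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Host 'No control-equivalent ACEs outside the baseline on the audited objects.' }
```

Run it from an account that can read the security descriptors (any authenticated user can by default) and treat every row as something to explain or remove; run it again after any delegation change, since a single ACE on either object is enough to make the "credentials with widespread administrative authority" problem the post describes.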
Thank you MichaelJMelone for your valuable inputs.
I believe security is more about defense strategy. MD ATP is great, but due to certain company policies and licensing issues, it might take some time before getting approval and getting this product running in the environment; when it happens, I believe people who are in charge of cybersecurity could start celebrating and have an easier life.
However, before that we need some defensive measures in place, which you discussed.
- MichaelJMelone, Aug 11, 2020
Microsoft
Totally agree Reza_Ameri-Archived. The mantra I always used with my customers is: security is not a product, it's a technique that can be enabled by product.