Resources for Automatic attack disruption
Hi all, because this topic is really HOT, I thought I am sharing a collection of resources with you. Recordings: Microsoft Secure (free registration required): - How XDR defends against ransomware across the entire kill chain with Corina Feuerstein - Ask the Experts: How XDR defends against ransomware across the entire kill chain Ninja Show episode Attack disruption, with Hadar Feldman Ignite announcement: What’s new in SIEM and XDR: Attack disruption and SOC empowerment - Events | Microsoft Learn Blogs: Automatic disruption of Ransomware and BEC attacks with Microsoft 365 Defender XDR attack disruption in action – Defending against a recent BEC attack Documentation: Configure automatic attack disruption capabilities in Microsoft 365 Defender | Microsoft Learn What do you think about this new and exciting capability? Do you have any questions on how it works that we didn't refer to? If so feel free to start a conversation here! 🙂 Oh and if I missed another resource, let me know too! Heike
Unable to apply ASR rules for Windows servers (2012R2,2016, 2019 and 2022) via SCCM
Hi, I have onboarded servers 2012 R2, 2016, 2019 and 2022 into the Microsoft Defender for Endpoint via a unified solution (I am not using MMA or AMA), All statuses are Active and onboarded in the www.security.microsoft.com console. These servers are managing through the SCCM and I could deploy the Antimalware policy for all servers. Still, I am unable to deploy ASR rules for the onboarded servers, I have tried manually configure rules into the servers. Still, when I run Get-MpPreference powershell command there are blank fields for ASR components. Any solution for this? Note: These servers are not joined AAD.Ninja Cat Giveaway: Episode 9 | Attack disruption
For this episode, your opportunity to win a plush ninja cat is the following – Explain what attack disruption means and one reason why it is critical to any organization. This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14 th , 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.
Update OpenSSL recommendation
Hi all, I've been trying to find out how to deal with "openssl" recommendation that I get on almost all end user computers in Defender. I'm just not sure how to deal with it... It doesn't seem to be a particular app or so.... From what I see when I check the "software inventory" page of the devices, there are many references to different files/dll?? See some few examples below: c:\program files\windowsapps\e046963f.aimeetingmanager_3.1.18.0_x64__k1h2ywk1493x8\aimeetingmanager\libcrypto-3-x64.dll c:\program files\zoom\bin\libcrypto-3-zm.dll c:\program files\dell\dell peripheral manager\libcrypto-1_1-x64.dll c:\windows\system32\driverstore\filerepository\udcdriver.inf_amd64_d70e6df8e9ed1889\x64\service\libssl-1_1-x64.dll How you deal with it? .. is that something that can be pushed via Intune..?
OpenSSL
We have the recommendation to update OpenSSL. However, we can not figure out how to actually do this. There seems to be no installed location of OpenSSL so how can we update this? I have found a few posts/comments that have led me to this page New OpenSSL v3 vulnerability: prepare with Microsoft Defender for Cloud - Microsoft Community Hub but this doesn't actually help you at all. Going to OpenSSL's site for download just gives you a repository of files that don't actually update anything. So what are we supposed to do to get this remediated?THE VIRTUAL NINJA SHOW SEASON 4 RECAP
Did you miss any of the Ninja Show this season? Not to worry! We have assembled a synopsis of each episode highlighting the central focus points established in our discussions. (However, reading the main points are never as good as the real thing... Watch any episode on demand here!) Overview: Episodes 1-5 of this season were part of our first mini-series! Focused on incident response cases, experts from several teams across the Microsoft 365 Defender suite shared their knowledge regarding incident investigations as well as the critical tools and capabilities available to help improve defense in any organization. Episodes 6-8 shifted gears and included content about Microsoft Defender for Cloud Apps, Near real-time custom detection rules in M365D, and new Microsoft Teams protections! Ep 1: Oren Saban kicked off our Incident Response series by sharing IR investigation capabilities in Microsoft 365 Defender. We introduce how to best use the attack story view in the Defender portal, dive into the benefits of alert insights, and provide a guided walkthrough of a specific incident investigation that demonstrates how to pivot on affected entities to confirm nothing is being missed – with a special segment unveiling the updated File Content page (coming soon)! Ep 2: Michael Melone shifts us into an IR investigation of malware. Here we learn the ABC’s (and D!) of IR – a simplistic approach to manage malware incidents effectively. Through Michael’s demo you will also find updated advanced hunting capabilities in Microsoft 365 Defender and get to know the process of connecting alerts to primary incidents, creating a comprehensive view of an attack. Ep 3: Pawel Partyka unveils the impacts of business email compromise incidents (cyberattacks with financial fraud motivation) through an in-depth attack investigation. Takeaways we found critical were: Understanding the complexities of AiTM (adversary in the middle) phishing and Identifying the various connections of an attack story through the threat factors uncovered in Microsoft 365 Defender portal Recommended actions tab in Microsoft 365 Defender to help prevent damage to your assets Pawel’s demo walks through each step of the process extremely diligently. Ep 4 & 5: Corina Feuerstein wraps up our IR focus with a two-part investigation of a ransomware incident. Part 1 defines human-operated ransomware and the numerous phases of impact on an organization. Using a multi-stage incident generated by Microsoft 365 Defender, she shares how attackers use automation and exhibits how automated attack disruption defends at an even faster speed - enabling isolation tactics that prevent them from gaining a larger foothold within the enterprise. We also follow a ransomware playbook to assist during the containment and incident response phase of the attack, showing how to investigate step-by-step, verifying the attack is disrupted and prevent future risks. Part 2 continues our ransomware investigation using advanced hunting KQL queries. We dig into the behaviors and processes of the attack, learn the benefit of adding indicator markers, and make note of the tagging capability to review and connect future incidents. Key takeaways also include learning about remediation procedures, prevention tactics, and professional recommendations to improve security posture. Ep 6: Keith Fleming brings us out of incident investigations and explains the latest updates in Microsoft Defender for Cloud Apps! He first shares the 4 simple steps to deploy this product in your environment to confidently secure your applications and protect your data. Then, our conversation leads into a demonstration of: Connecting SaaS applications to Defender for Cloud Apps and receiving additional insights from these connections Explaining the Activity Log where you can take part in advanced hunting without KQL expertise! Enabling Defender for Endpoint connection and gain rich insights without the use of a proxy. There are so many more valuable resources shared throughout this episode, only matching the constant progress happening in the Defender for Cloud Apps world. Ep 7: Microsoft 365 Defender launched near real-time (NRT) custom detection rules and Christos Ventouris expertly dives into the benefits of this public preview feature. Watch this episode to learn: What custom detection rules are How you can create and modify them to your needs using advanced hunting queries And recognize the positive impact these near real-time rulesets make when it comes to mitigating threats in your organization as quickly as possible Ep 8: Closing out our fourth season are Senior Product Managers Malvika Balaraj and Daniel Mozes! They unveil an added layer of security within the Defender for Office suite, the collaboration and security within Microsoft Teams. Topics of focus are the new features Defender for Office 365 brings to Microsoft Teams. We learn how Microsoft 365 Defender blocks and removes malicious links or files from Teams or SharePoint and the self-reporting capability of files that may be a security risk - allowing a more proactive approach to prevent phishing attacks by educating users on basic security measures. Et voilà! The end of another great season We are extremely grateful to have the opportunity to help minimize learning gaps in the Microsoft Security community through the Virtual Ninja Show – but please help us keep it relevant to your needs! Add a comment including any topics you would like to see us bring forth next season so we can deliver what is helpful to you. Until next time, ninjas!
Block vulnerable applications beta and EUS:Win32/TvmWarn reported in Chrome
Hello, Passing this along for anyone whom it my assist. Due to all the recent Google Chrome vulnerabilities, I signed up for a trial of M365 Defender Vulnerability Management with the option to block vulnerable apps. I decided to block Chrome until users updated their instance. I pushed the latest one via MEM/Intune. Then, later I see all my users have malware - EUS:Win32/TvmWarn reported in Chrome. I uploaded the file to virustotal and nothing was detected. I submitted to https://www.microsoft.com/en-us/wdsi/filesubmission/and the team reported back that no problem was detected. Tonight I scanned my computer again and it was listed as vulnerable. I then removed the "block vulnerable applications" feature from security.microsoft.com, scanned again and my system was clean. The version of Google Chrome and the version of the Defender updates did not change between the two scans. 2022-09-09T23:55:41.314Z DETECTION EUS:Win32/TvmWarn startup:C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk 2022-09-10T02:08:30.888Z Version: Product 4.18.2207.7 Service 4.18.2207.7 Engine 1.1.19600.3 AS 1.375.118.0 AV 1.375.118.0 2022-09-10T02:09:18.154Z DETECTION EUS:Win32/TvmWarn file:C:\Program Files\Google\Chrome\Application\chrome.exe 2022-09-10T02:09:18.154Z DETECTION EUS:Win32/TvmWarn file:C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk 2022-09-10T02:09:18.154Z DETECTION EUS:Win32/TvmWarn file:C:\Users\Public\Desktop\Google Chrome.lnk 2022-09-10T02:09:18.154Z DETECTION EUS:Win32/TvmWarn file:C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Inte
Change service account to avoid cached password in windows registry
Hi , In Microsoft 365 defender > secure score there's a recommendation for me saying "Change service account to avoid cached password in windows registry" , and I can see multiple MSSQL services falling into this recommendations . But the remediation is not very clear , what should I need to do in here ? Thanks ,M365 Defender tells me, that I should Turn on Real Time Protecion
Under Security recommendations in M365 Defender we were told to enable RTP on some Win10 Devices. The following remediation setting is configured over Config Manager Antimalware Policy: Computer Configuration\Administrative Templates\Windows Components\(Windows|Microsoft) Defender Antivirus\Real-time Protection\Turn off real-time protection To one of the following values: Disabled or Not Configured HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\real-time protection DisableRealTimeMonitoring is set to 0 If I check get-mpcomputerstatus I got the following setting: RealTimeProtectionEnabled : False If I check get-mppreference I got the following setting: DisableRealtimeMonitoring : False We have a few tousand clients in our environment, but just a few houndreds have this issue. They all have the same Antimalware Policy. What can I do to solve this?
False positives (A potentially malicious URL click was detected)
Hi For some reason this started happening yesterday, no issues before. We have a email that is sent to user containg there blocked spam emails, the user can then select to delete or release those emails if they where blocked for the wrong reason. Yesterday everytime a user clicks the delete or release button in that email it triggers a Alert for A potentially malicious URL click was detected. Is there anyway to exclude this from triggering an Alert, example if the domain the email comes from is contoso.com can I whitelist this so no Alert is triggered. This started happening yesterday, had it over 2 years no Alerts triggered.
