Defender Lab Notes

cc • 17小时前 • 好物分享

This is the post to collect some Notes from a lab practice.

RBAC

1. RBAC

Best practice

Microsoft Defender - System - settings - Endpoints - Permissions - Roles

Device Group

2. Device Group

Microsoft Defender - System - settings - Endpoints - Permissions - Device groups

It will take some time to show the device numbers in the group.

Onboarding

3. Onboarding

Managed by MDE

Managed by Intune

Manually onboarding single device / user.

We can use SCCM, MDE, Intune to push deployment packages to endpoints.

For those orphan devices, there is local script for different OS to be downloaded and installed on them.

Off-boarding

Once onboarded, it will show last report time and will become inactive status after 7 days.

Inactive device

but can't delete it

It will be auto-purged in 6 months.

Command line:

get-mppreference

PS C:/Users/nestorw> Get-MpPreference

AllowDatagramProcessingOnWinServer : False
AllowNetworkProtectionDownLevel : False
AllowNetworkProtectionOnWinServer : False
AllowSwitchToAsyncInspection : False
ApplyDisableNetworkScanningToIOAV : False
AttackSurfaceReductionOnlyExclusions : {N/A: Must be an administrator to view exclusions}
AttackSurfaceReductionRules_Actions : {1, 1, 1, 1...}
AttackSurfaceReductionRules_Ids : {01443614-cd74-433a-b99e-2ecdc07bfc25,
01443614-CD74-433A-B99E2ECDC07BFC25,
26190899-1602-49e8-8b27-eb1d0a1ce869,
3B576869-A4EC-4529-8536-B80A7769E899...}
AttackSurfaceReductionRules_RuleSpecificExclusions : {N/A: Must be an administrator to view exclusions}
AttackSurfaceReductionRules_RuleSpecificExclusions_Id : {N/A: Must be an administrator to view exclusions}
BruteForceProtectionAggressiveness : 0
BruteForceProtectionConfiguredState : 0
BruteForceProtectionExclusions : {N/A: Must be an administrator to view exclusions}
BruteForceProtectionLocalNetworkBlocking : False
BruteForceProtectionMaxBlockTime : 0
BruteForceProtectionSkipLearningPeriod : False
CheckForSignaturesBeforeRunningScan : False
CloudBlockLevel : 2
CloudExtendedTimeout : 50
ComputerID : 53478E7B-6656-4EC1-AC79-1BDE55590FE3
ControlledFolderAccessAllowedApplications : {N/A: Must be an administrator to view exclusions}
ControlledFolderAccessDefaultProtectedFolders : {N/A: Must be an administrator to view default protected
folders}
ControlledFolderAccessProtectedFolders :
DefinitionUpdatesChannel : 0
DisableArchiveScanning : False
DisableAutoExclusions : False
DisableBehaviorMonitoring : False
DisableBlockAtFirstSeen : False
DisableCacheMaintenance : False
DisableCatchupFullScan : True
DisableCatchupQuickScan : True
DisableCoreServiceECSIntegration : False
DisableCoreServiceTelemetry : False
DisableCpuThrottleOnIdleScans : True
DisableDatagramProcessing : False
DisableDnsOverTcpParsing : False
DisableDnsParsing : False
DisableEmailScanning : False
DisableFtpParsing : False
DisableGradualRelease : False
DisableHttpParsing : False
DisableInboundConnectionFiltering : False
DisableIOAVProtection : False
DisableNetworkProtectionPerfTelemetry : False
DisablePrivacyMode : False
DisableQuicParsing : False
DisableRdpParsing : False
DisableRealtimeMonitoring : False
DisableRemovableDriveScanning : False
DisableRestorePoint : True
DisableScanningMappedNetworkDrivesForFullScan : True
DisableScanningNetworkFiles : False
DisableScriptScanning : False
DisableSmtpParsing : False
DisableSshParsing : False
DisableTamperProtection : False
DisableTlsParsing : False
EnableControlledFolderAccess : 1
EnableConvertWarnToBlock : False
EnableDnsSinkhole : True
EnableEcsConfiguration : False
EnableFileHashComputation : False
EnableFullScanOnBatteryPower : False
EnableLowCpuPriority : False
EnableNetworkProtection : 1
EnableUdpReceiveOffload : False
EnableUdpSegmentationOffload : False
EngineUpdatesChannel : 3
ExclusionExtension : {N/A: Must be an administrator to view exclusions}
ExclusionIpAddress : {N/A: Must be an administrator to view exclusions}
ExclusionPath : {N/A: Must be an administrator to view exclusions}
ExclusionProcess : {N/A: Must be an administrator to view exclusions}
ForceUseProxyOnly : False
HideExclusionsFromLocalUsers : True
HighThreatDefaultAction : 0
IntelTDTEnabled :
LowThreatDefaultAction : 0
MAPSReporting : 2
MeteredConnectionUpdates : False
ModerateThreatDefaultAction : 0
NetworkProtectionReputationMode : 0
OobeEnableRtpAndSigUpdate : False
PerformanceModeStatus : 1
PlatformUpdatesChannel : 3
ProxyBypass :
ProxyPacUrl :
ProxyServer :
PUAProtection : 1
QuarantinePurgeItemsAfterDelay : 90
QuickScanIncludeExclusions : 0
RandomizeScheduleTaskTimes : True
RealTimeScanDirection : 0
RemediationScheduleDay : 0
RemediationScheduleTime : 02:00:00
RemoteEncryptionProtectionAggressiveness : 0
RemoteEncryptionProtectionConfiguredState : 0
RemoteEncryptionProtectionExclusions : {N/A: Must be an administrator to view exclusions}
RemoteEncryptionProtectionMaxBlockTime : 0
RemoveScanningThreadPoolCap : False
ReportDynamicSignatureDroppedEvent : False
ReportingAdditionalActionTimeOut : 10080
ReportingCriticalFailureTimeOut : 10080
ReportingNonCriticalTimeOut : 1440
ScanAvgCPULoadFactor : 50
ScanOnlyIfIdleEnabled : True
ScanParameters : 1
ScanPurgeItemsAfterDelay : 15
ScanScheduleDay : 0
ScanScheduleOffset : 120
ScanScheduleQuickScanTime : 00:00:00
ScanScheduleTime : 02:00:00
SchedulerRandomizationTime : 4
ServiceHealthReportInterval : 60
SevereThreatDefaultAction : 0
SharedSignaturesPath :
SharedSignaturesPathUpdateAtScheduledTimeOnly : False
SignatureAuGracePeriod : 0
SignatureBlobFileSharesSources :
SignatureBlobUpdateInterval : 60
SignatureDefinitionUpdateFileSharesSources :
SignatureDisableUpdateOnStartupWithoutEngine : False
SignatureFallbackOrder : MicrosoftUpdateServer|MMPC
SignatureFirstAuGracePeriod : 120
SignatureScheduleDay : 8
SignatureScheduleTime : 01:45:00
SignatureUpdateCatchupInterval : 1
SignatureUpdateInterval : 3
SubmitSamplesConsent : 1
ThreatIDDefaultAction_Actions :
ThreatIDDefaultAction_Ids :
ThrottleForScheduledScanOnly : True
TrustLabelProtectionStatus : 0
UILockdown : False
UnknownThreatDefaultAction : 0
PSComputerName :

PS C:/Users/nestorw>

Security Policies

Prevention

Features How to Demonstrate

Windows Defender Exploit Guard Attack Surface Reduction Rules Attack Surface Reduction - Microsoft Defender

Windows Defender Exploit Guard Controlled Folder Access Controlled Folder Access - Microsoft Defender

Windows Defender Exploit Guard Network Protection Network Protection - Microsoft Defender

Windows Defender SmartScreen URL Reputation UrlRep - Microsoft Defender

Windows Defender SmartScreen App Reputation AppRep - Microsoft Defender Testground

Microsoft Defender for Endpoint Web Content Filtering Demo (Block SNS & Access to ex. facebook.com)

Microsoft Defender for Endpoint Indicators (URL / IP / Domain)

Demo (Specify URL & Access to the URL)

*There may be up to 2 hours of latency

Attack Surface Reduction (ASR)

ASR Rules in Intune:

URL Filtering, and

Web Content

Anti Virus

Investigation

Actions:

1. isolate device

2. Copilot for security

3. Alerts

4. File submission as indicator

5. virustotal hash

6. Auto invesitigation

Response

Live Response

aaa

No AIR defined Playbook in Defender. But you can define your own playbook in Sentinel.

Reports

Notification

References

Supported Microsoft Defender for Endpoint capabilities by platform
Investigate entities on devices using live response
Microsoft Defender for Endpoint - demonstration scenarios - https://learn.microsoft.com/en-us/defender-endpoint/defender-endpoint-demonstrations

Next generation protection

Microsoft Defender Antivirus: Your next generation protection
Learn about our approach to fileless threats
Stopping attacks in their tracks through behavioral blocking and containment
EDR in block mode
Firmware level protection with a new Unified Extensible Firmware Interface (UEFI) scanner

版权声明：
作者：cc
链接：https://www.techfm.club/p/158792.html
来源：TechFM
文章版权归作者所有，未经允许请勿转载。

THE END

二维码

搜索内容