Best Practices From the Field - The MDE Cases

Transcript

1. Best Practices From the Field The MDE Cases

2. Alessandro Baggiossi Cloud Solution Architect https://www.linkedin.com/in/alessandrobaggiossi Matteo Bosetto Cloud Solution

   Architect https://www.linkedin.com/in/matteobosetto

3. Agenda

4. MDE Introduction

5. Microsoft Defender XDR Build a unified defense with XDR Cross-domain

   SOC experience Hybrid identities Endpoints and IoT Email and collaboration Cloud apps Data Prevent Reduce attack surface with threat-based configuration recommendations and built-in vulnerability management Protect Automatically contain and remediate compromised assets Detect and respond Use incidents to respond to cross-workload threats from a single portal Speed up response with an experience designed for SOC efficiency Extend Unified APIs and connectors

6. Cyber-kill Chain Cloud apps Services stopped & backups deleted Files

   encrypted on additional hosts Browse to a website Phishing mail Open attachment Click a URL Command & Control User account is compromised Brute force account or use stolen account credentials Attacker compromises a privileged account Domain compromised Attacker exfiltrates sensitive data Attacker collects reconnaissance & configuration data Email Endpoints Identities Workloads Exploitation & Installation External Threats Externally exposed vulnerabilities Microsoft Threat Intelligence Microsoft EASM Defender for Office 365 Defender for Endpoint Defender for IOT (&OT) Defender for Cloud Defender for Identity Defender for Cloud Apps Entra ID Microsoft Defender for Identity Sentinel Microsoft

7. CASE #1 Tamper protection not activated

8. What is Tamper Protection What • Prevents unauthorized changes to

   Defender security settings • Enforced from the MDE cloud, even against local admins Why • Stops attackers from disabling protections after gaining local admin access • Prevents misconfigurations caused by scripts, GPOs, or manual actions • Ensures security posture consistency across all onboarded devices How • Enforced from the Microsoft Defender for Endpoint cloud • Overrides local changes made via registry, PowerShell, GPO, or third-party tools • Applies automatically to all supported devices once enabled at tenant level

9. Scenario • All machines are Windows 10 or Windows 11

   • All machines are onboarded to MDE • Disconnected network • Proxy required for internet connections • Tamper protection enabled at tenant level Prerequisites: • Device Onboarded • AV Version: 4.18.2010.7 • Engine Version: 1.1.17600.5 • Cloud-Delivery protection enabled

10. Prerequisites check AV Platform: 4.18.2010.7 Engine Version: 1.1.17600.5 let tampertable

    = DeviceTvmSecureConfigurationAssessment | where ConfigurationId == "scid-2003" and IsApplicable == "1" | extend TamperProtection=case(IsApplicable==0,"N/A",IsCompliant==1,"Active","Disabled") | project DeviceId, TamperProtection; DeviceTvmSecureConfigurationAssessment | where ConfigurationId == "scid-2011" and isnotnull(Context) | extend avdata=parsejson(Context) | extend AVProductVersion = tostring(avdata[0][3]) | extend AVEngine = tostring(avdata[0][1]) | project DeviceId, DeviceName, OSPlatform, AVProductVersion,AVEngine | join tampertable on DeviceId | project-away DeviceId1

11. Prerequisites check AV Platform: 4.18.2010.7 Engine Version: 1.1.17600.5

12. Cloud delivery protection • Helps protect against malware and network

    attacks • Files submission for cloud analysis • Detonation • Big data analysis with Machine learning • Block at first sight (BAFS) • Integrations with MDE • Tamper protection • EDR block mode • IoC https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus?view=o365-worldwide

13. Check Cloud Delivery Protection 0x80072ee7 = Network issue MpCmdRun –ValidateMapsConnection

    (Run as administrator) No proxy configuration on Defender AV

14. Proxy configuration MDE Sensor • Winhttp using NETSH • GPO

    Administrative Templates > Windows Components > Data Collection and Preview Builds • Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service • Configure connected user experiences and telemetry Defender AV • Winhttp using NETSH • GPO Administrative Templates > Windows Components > Microsoft Defender Antivirus • Define proxy server for connecting to the network

15. Best Practices Use TVM and Advanced hunting to check misconfiguration

    Enable Tamper protection Configure Proxy on both MDE and MDAV Use MDE Connectivity Analyzer tool Check MDE network requirements

16. CASE #2 The case of the missed autorun detection

17. Scenario • Malevolent Autorun.inf is not blocked on USB devices

    • Microsoft Defender Antivirus is enabled • We suspect USB Device Control is not properly configured

18. Device Control Device control is divided into three capabilities: Printer

    Protection Device installation Removable Storage Access Control

19. Device Control Device control is not responsible for blocking or

    allowing malware on removable devices. Printer Protection Device installation Removable Storage Access Control

20. Exclusions MDE Automation Folder Exclusions MDE Indicators MDAV Exclusions Defender

    for Endpoint Defender Antivirus

21. MDE Indicators IP/URL Indicators File hash indicators Certificate indicators Cloud

    detection engine (MDE) Automated investigation and remediation (AIR) engine (MDE) Microsoft Defender Antivirus (MDAV)
22. None

23. Defender Antivirus Exclusions • Automatic exclusions for server roles on

    Windows Server 2016 and later • Built-in exclusions for operating system files in all versions of Windows • Custom exclusions for files and folders that you specify, if necessary

24. Custom exclusions • Files and folders • Extensions • Processes

    (files open by a process) Exclusions for files, folders, and extensions will be skipped by scheduled scans, on-demand scans, real-time protection and some ASR Rules.

25. Custom exclusions • Files and folders • Extensions • Processes

    (files open by a process) Exclusions for process-opened files won't be scanned by real-time protection and Network Protection. Exclusions for process-opened files are still subject to quick, full, or on-demand antivirus scans.

26. Management Tools Applied and merged using different sources: • Intune

    • System Center Configuration Manager • Group Policy • PowerShell • Manually

27. Policy conflict handling

28. Investigation Path

29. Best Practices Avoid using exclusions as much as possible Define

    multiple exclusions using different tools Using incorrect environment variables as wildcards Exclude known folder locations, file extensions and processes

30. CASE #3 The case of the unblockable website

31. Scenario • Network Protection enabled with custom indicators defined •

    Smart Screen filtering enabled • The website https://www.linkedin.com is blocked on Edge • The website https://www.linkedin.com is not blocked on Chrome

32. The issue

33. Web Protection Custom IOCs Web Threat Protection (WTP) Web Content

    Filtering Network Protection SmartScreen

34. Protection Technologies Network Protection Expand the scope to other processes

    Available on third party OS IP is supported for all three protocols TCP, HTTP, and HTTPS (TLS) Audit or Block Mode Windows Defender SmartScreen Only for Microsoft browser Microsoft Defender Browser Protection Plug-in (optional)

35. Network Protection Activation • Microsoft Defender Antivirus real-time protection is

    enabled • Cloud-delivered protection is active • Platform Update version 4.18.2001.x.x or newer (Unified Agent) • Enabled via PowerShell/GPO/SCCM/Intune • For Windows Servers and Windows Multi-session, there are additional items that you must enable: • AllowNetworkProtectionDownLevel (dword) 1 (hex) • AllowNetworkProtectionOnWinServer (dword) 1 (hex) • EnableNetworkProtection (dword) 1 (hex)

36. Web Threat Protection (WTP) Custom IOCs Web Threat Protection (WTP)

    Web Content Filtering

37. Web Threat Protection (WTP) Custom IOCs Web Threat Protection (WTP)

    Web Content Filtering Stops web threats without a web proxy Protect devices while they are away or on premises Web threats • SmartScreen Intel • Exchange Online Protection

38. Web Content Filtering Custom IOCs Web Threat Protection (WTP) Track

    and regulate access to websites based on their content categories. Support audit/block and device group assignment. Categories: • Adult websites • Legal Liability • High Bandwidth • Leisure • Uncategorized Web Content Filtering

39. Custom IOCs Web Threat Protection (WTP) Web Content Filtering Define

    your own threat intelligence: • Ips • URLs • Domains Configurable actions: Allow > Warn > Block Integrated with Defender for Cloud Apps. Custom IOCs
40. None

41. Order of Precedence 1. Custom indicators (IP/URL, Microsoft Defender for

    Cloud Apps policies) • Allow > Warn > Block 2. Web threats (malware, phish) • SmartScreen Intel, including Exchange Online Protection (EOP) 3. Web Content Filtering (WCF)

42. Investigation Path 1. Verify Network Protection enabled 1. Prerequisites verified

    2. Microsoft Defender Browser Protection Plug-in 3. Verify custom IOCs 4. Verify override logic 5. Verify client health 6. Backend investigation via SR

43. Resolution

44. Resolution

45. Avoid using exclusions as much as possible Enable Smart Screen

    Enable Network Protection Best Practices
46. None

47. MDAV Passive mode I use MDE with third party Antivirus.

    I don’t need to update MDAV… Update KB Description Update for Defender antimalware platform (AmProductVersion) KB4052623 This update adds new features and fixes Security Intelligence updates KB2267602 Security Intelligence Updates/ Signature updates Update for EDR sensor (2012R2/ 2016) KB5005292 Updates and fixes to the EDR sensor that is used by MDE for 2012R2/ 2016 FALSE!!! MDAV must be updated!

48. Device discovery I see the device in the MDE console.

    This device is protected… Check the Onboarding State!!! ✓ Onboarded ✓ Can be onboarded ✓ Unsupported ✓ Insufficient info

49. Security Settings I can’t manage Linux and Windows Server devices

    directly from MDE… FALSE!!! Use the Security Settings

50. Effective Settings I use GPOs, Intune, MDE to configure settings.

    I can’t identify policy conflict. FALSE!!! Use the Effective Settings in MDE

51. Questions? Alessandro Baggiossi https://www.linkedin.com/in/alessandrobaggiossi Matteo Bosetto https://www.linkedin.com/in/matteobosetto

52. This presentation is an evolving document developed collaboratively over time

    and may be updated as needed. It has been prepared for educational and informational purposes only. In the event of any discrepancy between the content of this presentation and official documentation, the official documentation shall take precedence.