Part One
Last updated
Adversaries mainly target data on endpoints. Protecting a single endpoint is straightforward; the difficulty is scale, because there are so many endpoints to cover.
A common challenge today is securing unmanaged or poorly managed devices, like mobile devices, in enterprises.
Microsoft frequently renames products and services, making it hard to keep track of what’s available.
Microsoft rebranded its antivirus software from Windows Defender to Microsoft Defender, though it's also sometimes called Windows Security.
Microsoft's enterprise security products are mostly renamed as "Defender for ." Microsoft 365 Defender covers user protection, and Defender for Cloud focuses on cloud security.
Microsoft Defender for Cloud is a powerful Azure security tool. Although it can work alone, its real strength lies in its many integrations and additional features. While it may seem like a single product, it actually includes multiple Defender tools within the Defender for Cloud platform.
Microsoft Defender for Cloud is designed for multicloud and hybrid setups, but it also offers extensive features just for Azure.
The photo shows part of the MITRE CTID project, mapping Azure security controls to MITRE ATT&CK. It lists 14 main adversary tactics and highlights ATT&CK techniques relevant to an Azure security control.
Microsoft Defender for Cloud offers many features, with basic security ones being free and enabled for Azure by default. However, it's only active once you open it in the Azure portal. The free features apply to Azure infrastructure, but if you integrate multicloud or hybrid assets, some costs might apply, although secure scoring remains free.
Azure provides basic security features for free, including secure score, security policy tips, and network security assessments through Microsoft Defender for Cloud.
Secure Score: "Defender for Cloud checks your resources for security issues and gives you a score. A higher score means lower risk."
The Secure Score in Microsoft Defender for Cloud gives a helpful security overview. It covers many areas, though not all security controls. Defender for Cloud supports multicloud security, integrating with AWS, GCP, GitHub, Azure DevOps, and hybrid systems. While integrating non-Azure assets costs extra, it provides more than basic security features.
The secure score is based on how assets match the security controls in Defender for Cloud policies. Some controls matter more than others, and Azure assigns points to each. The highest score (10 points) is given for enabling MFA, while controlling VM management ports is also rated highly because of its importance in preventing password attacks such as those against exposed RDP.
Defender for Cloud offers free security policies and initiatives that provide security recommendations. By default, only Microsoft’s Secure Cloud Benchmark is enabled, but many other prebuilt controls, based on global compliance standards, can be turned on for a subscription.
Defender for Cloud uses Azure Policy to manage security policies, initiatives, and recommendations. These are controlled from the Azure Policy dashboard. Note that the terms policy, initiative, and recommendation each have a specific meaning.
A security policy is a rule to monitor or enforce. Initiatives are bigger than policies and manage multiple policies together. They can be applied to subscriptions or management groups. If policies are violated, security recommendations are given for fixing them.
Multicloud security is now a key focus for Microsoft, expanding beyond Azure to include AWS and GCP with the Microsoft Cloud Security Benchmark (MCSB). MCSB uses industry standards like CIS Controls, PCI-DSS, and NIST SP800-53, aligning its security recommendations with these standards.
The MCSB gives security best practices and advice to protect Azure workloads, data, and services, focusing on cloud security with input from Microsoft and industry experts.
Microsoft Defender for Cloud's free features offer some benefits, but most advantages come with the paid "enhanced security features." These features are often extensions of the basic ones but also include standalone tools now managed through the Defender for Cloud portal.
Cloud Security Posture Management is an upgrade to basic features, while Defender for Containers and Defender for Servers are more complete products that integrate well with Defender for Cloud. Some Defender for Cloud features were separate products before Defender for Cloud existed.
Microsoft Defender for Cloud CSPM checks your resources and subscriptions for security issues and shows your security status with a score. A higher score means lower risk.
Cloud Security Explorer offers a visual interface to view data from your multicloud environment, allowing queries to check the security status, with some preloaded queries for easier analysis.
The cloud security graph is analyzed with an attack path algorithm that finds weak spots attackers might exploit and suggests ways to fix them. Microsoft says it considers factors like internet exposure, permissions, and lateral movement to spot potential security risks.
The MCSB provides good security recommendations, but organizations must follow their own compliance standards. Defender for Cloud's Regulatory Compliance Dashboard helps with compliance tasks, covering major standards like PCI, HIPAA, SOC 2, and more. The compliance features are free, but only the Microsoft Cloud Security Benchmark is included by default.
To track standards beyond MCSB, you need to enable Defender for Cloud's enhanced security features. The dashboard shows this, but the guidance still uses old names like Azure Defender and Azure Security Benchmark, and doesn’t clarify that "enabling" refers to advanced features, not the basic free ones.
If more standards are enabled, a gap analysis can show all recommendations. The Regulatory Compliance Dashboard can also generate reports for each standard's compliance if needed.
The dashboard shows how well the organization follows compliance policies. You can check individual policies to find any gaps. It lets you see where noncompliance exists and how many resources are affected. Some controls are automatically checked, but others need manual input to determine if they are followed correctly.
Defender for Cloud's compliance dashboard lets you start fixes directly from it, with Microsoft marking quick fixes for fast security improvements.
Some recommendations may not be fixed quickly and might need extra approval. In these cases, we assign someone to be responsible for review and fixing.
Microsoft still refers to Azure Security Center and Azure Defender in some docs, but these have now been merged into Microsoft Defender for Cloud. A key feature of Defender for Cloud is the Workload Protections dashboard.
Microsoft highlights the numbered components of Defender for Cloud:
Microsoft Defender for Cloud Coverage - Shows eligible resources in your subscription for protection, with an option to upgrade all.
Security Alerts - Notifies you of threats with details and remediation steps. You can also trigger automated responses.
Advanced Protection - Displays the status of advanced protections (VMs, SQL, containers, etc.) and lets you configure them.
Insights - Provides news, alerts, and suggestions on important security issues for your subscription.
Traditional antivirus is nearly obsolete. Although it still exists, its decreasing effectiveness has led most companies to stop selling standalone antivirus software.
Antivirus is just one part of a broader set of security tools called Endpoint Protection Platform (EPP). There isn't a single definition for EPP, and it keeps changing to stay ahead of threats.
A recent change is adding Endpoint Detection and Response (EDR) to Endpoint Protection Platforms (EPP). The key is to check what your EPP offers and identify any gaps that need fixing.
Security pros have criticized basic antivirus for years, even calling it "dead." Some suggest removing it, but I think it's simple—just install it and move on to other tasks.
AV is unlikely to be a hugely significant boon to your approach at catching evil. It is extremely far from perfect, and yet, just deploy it and keep moving.
Section 2 covered network firewalls, but here we focus on endpoint firewalls. They offer similar benefits, with their logging features providing a bigger security advantage than their preventive role.
Standalone desktop firewalls are mostly outdated. It's hard to justify paying extra for them when most organizations already have free options like Windows Defender or firewalls included in their existing security suite.
Since Windows XP SP2, Microsoft has included a firewall, now called Windows Defender Firewall with Advanced Security (WDFAS), in modern Windows OS for better security.
WDFAS is a free, pre-installed firewall that can be managed with Group Policy. It offers network location awareness for different firewall rules on different networks and egress filtering for controlling outbound traffic. It’s a stateful firewall, meaning it tracks connection states rather than checking each packet individually.
WDFAS logs stay local by default, which ties into my frustration with Microsoft's past lack of centralized logging, although they've improved lately.
This course doesn't cover creating a full firewall rulebase, but it's important to understand that WDFAS doesn't block outbound traffic by default. Setting it up correctly is challenging but valuable.
A key issue is poor logging setup, but it's easy to fix. By default, WDFAS logs neither dropped nor allowed connections, but both can be enabled. The log size is limited to 4 MB by default and can be increased to 32 MB. There's no built-in centralized logging, so it's a good idea to configure a separate log file for each profile, especially on laptops, since all profiles write to the same log file by default (C:\Windows\System32\LogFiles\Firewall\pfirewall.log).
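The per-profile logging setup described above, as an added PowerShell example that is not from the course page: the first part enables dropped- and allowed-connection logging with a separate file per profile, and the second parses a constructed pfirewall.log sample to show the kind of detection the text says the log makes possible. It assumes the default log directory is reused with per-profile file names.

```powershell
#Requires -RunAsAdministrator
# Part 1: one log file per WDFAS profile, logging both dropped and allowed connections.
# Assumption: the default log directory is reused, with per-profile file names.
$logDir = "$env:SystemRoot\System32\LogFiles\Firewall"

foreach ($fwProfile in 'Domain', 'Private', 'Public') {
    # LogBlocked and LogAllowed are both off by default; 32767 KB is the maximum log size.
    Set-NetFirewallProfile -Profile $fwProfile `
        -LogFileName (Join-Path $logDir "pfirewall-$fwProfile.log") `
        -LogMaxSizeKilobytes 32767 `
        -LogBlocked True `
        -LogAllowed True
}
Get-NetFirewallProfile | Select-Object Name, LogFileName, LogMaxSizeKilobytes, LogBlocked, LogAllowed

# Part 2: parse pfirewall.log lines into objects using the #Fields header the log carries.
function ConvertFrom-FirewallLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($line.StartsWith('#') -or -not $line.Trim() -or -not $fields) { continue }
        $values = $line -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

# Constructed sample in the W3C-style format WDFAS writes (not a real capture).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:15:22 DROP TCP 10.0.0.5 10.0.0.9 51234 445 52 S 123456 0 8192 - - - RECEIVE
2024-05-01 10:15:23 DROP TCP 10.0.0.5 10.0.0.9 51235 445 52 S 123457 0 8192 - - - RECEIVE
2024-05-01 10:15:24 DROP TCP 10.0.0.5 10.0.0.9 51236 3389 52 S 123458 0 8192 - - - RECEIVE
2024-05-01 10:15:25 ALLOW TCP 10.0.0.9 203.0.113.10 51300 443 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

# Which internal hosts are knocking on which local ports? Dropped inbound traffic grouped by source and port.
ConvertFrom-FirewallLog -Lines $sample |
    Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object 'src-ip', 'dst-port' |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Point the parser at Get-Content of the real per-profile log files once logging has been running for a while.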
Firewalls have blocked IPs and ports for years, but most host firewalls, like Windows', can also block by application—though this feature is rarely used.
New Windows 10/11 controls use Microsoft's Hyper-V to isolate less trustworthy or sensitive parts of the system. Microsoft Defender Application Guard helps prevent both old and new attacks by isolating hardware, making current attack methods ineffective.
Application Guard improves security by isolating Microsoft Office and Edge, which are commonly targeted apps.
Application Guard in Microsoft Office opens untrusted Word, PowerPoint, and Excel files in a safe, isolated container. This keeps the main system protected if the file is malicious, preventing attackers from accessing your data or credentials.
Application Guard protects Microsoft Edge by isolating untrusted websites in a secure container. As an admin, you define trusted sites, and anything else is considered untrusted. When employees visit untrusted sites, Edge opens them in a safe, isolated environment.
If your organization doesn't require Microsoft Edge, you can use an extension for other browsers like Chrome to integrate with Application Guard. If a user visits a site not on the safelist, it will open in an Isolated Edge instead of Chrome.
Microsoft Defender Application Guard keeps devices safe by opening untrusted websites in a secure version of Edge, preventing any harm if the site is malicious.
The screenshots show the impact of running Edge in Application Guard isolation. Both guarded and unguarded Edge instances run simultaneously. In the Browser Task Manager, the unguarded Edge shows multiple tabs and windows, while the guarded instance is isolated. The PID for the guarded instance is not visible in Task Manager or even in an elevated Process Hacker. Additionally, Application Guard prevents copying and pasting data from the isolated Edge.
Microsoft Defender for Servers offers strong protection for Azure-hosted Windows servers, but also supports Windows and Linux machines across Azure, AWS, GCP, and on-premises, emphasizing its role in multicloud and hybrid environments.
Microsoft Defender for Servers is a security tool that boosts protection, detection, and response for Windows machines. It works with Azure services to monitor and protect servers, while Defender for Cloud displays alerts and fixes in a simple format.
Defender for Servers collects Linux audit logs using auditd, but its threat protection for Linux is weaker than for Windows, especially in Azure environments.
Defender for Servers has two plans: a limited Plan 1 and a full Plan 2. Both plans include Microsoft Defender for Endpoint (MDE), which is a complete EDR tool. With Defender for Servers, MDE’s protection and response features are shown in the Defender for Cloud's Workload Protection Dashboard.
The photo shows how Azure security controls map to MITRE ATT&CK® tactics and techniques, highlighting 14 key adversary tactics and related techniques identified by CTID.
A common security issue is giving internet-accessible hosts too much network access. Adaptive Network Hardening (ANH) in Defender for Servers helps identify and fix overly open access. It's shown in the Workload Protections dashboard. Despite sounding unnecessary, ANH is still needed and useful.
A possible reason for open ports is the default settings in many Marketplace VM deployments. For example, Windows often exposes TCP/3389 (RDP) and Linux TCP/22 (SSH) by default. Exposing these ports doesn’t usually trigger alerts or recommendations, as it's seen as normal, though not ideal.
Many Azure Marketplace VMs expose remote administration ports to the public internet by default. While users should choose secure images, default ones often allow this for ease of use. Despite Microsoft's warnings, this risky setting remains the default for quick deployments.
Adaptive Network Hardening (ANH) gives recommendations and alerts about risky services exposed to the internet, but exposing RDP/SSH alone doesn’t trigger a warning. If remote admin access is needed, we can temporarily allow it through NSG, similar to Just-In-Time (JIT) VM access. JIT simplifies this process and reduces user error, with default settings blocking access. It also allows temporary access and can limit it to specific IP addresses. The "Maximum request time" option sets a time limit for allowed access.
Admins can start the "Request access" process through Defender for Cloud, the VM connect page in Azure Portal, PowerShell, or the Microsoft Defender for Cloud API.
The photo shows a part of the MITRE Engenuity CTID project, mapping Azure security controls to MITRE ATT&CK®. It lists 14 main adversary tactics and highlights the ATT&CK techniques relevant to Azure security controls.
Application control (or whitelisting) has long been a strong security measure, allowing only safe apps to run. However, many organizations found it hard to manage and abandoned it. While it’s easier to use now, challenges and the perception that it's difficult persist.
Defender for Server's Adaptive Application Control automatically creates rules for safe software based on your systems. It tailors these rules to each system, allowing different rules for different system groups.
CTID's Security Stack Mappings explain that AAC allow lists are for Azure workloads, customizable, and based on trusted paths, publishers, and hashes. Security alerts occur when unauthorized applications run with AAC enabled.
The photo shows part of the MITRE CTID project, mapping Azure security controls to MITRE ATT&CK®. It lists 14 main adversary tactics and shows relevant ATT&CK techniques for the Azure control.
ASD explains why EDR is included in the full Mitigation Strategies document:
EDR software constantly logs system activity, helping detect both known and unknown cyber threats. It enables quick investigations, blocks certain network actions, and can isolate compromised devices.
Agent fatigue is real, and deploying another agent across an enterprise can feel overwhelming. However, this one stands out because it focuses on detection and response, not prevention—a rare but valuable feature in cybersecurity.
EDR tools provide huge amounts of data, enabling detailed threat detection but can be overwhelming without careful tuning. Unlike past response tools used only after an attack, EDR now allows faster data gathering and remote actions, supporting quick incident response.
If you don’t have an EDR tool, you can still use other data sources for detecting threats. One overlooked source is the endpoint firewall. Many, like Microsoft, don’t log connections by default, but enabling it—even without blocking connections—provides valuable insights for detection without dedicated tools.
Application control tools are crucial for blocking unknown files from running. But we also need to ask: how did these files get there, are they malicious, and was the block bypassed?
Gartner ranks Defender for Endpoint as a top leader in endpoint protection. They praise it for providing a full set of security tools (EPP, EDR, threat hunting) from one console, and note that it has improved significantly with new features in each Windows 10 update to offer strong, layered security.
Microsoft has combined its Defender tools into one console at security.microsoft.com for unified threat protection, detection, and response across email, identity, and devices.
The new Defender for Endpoint Plan 1 offers a cheaper option with some of the original features.
Defender for Endpoint Plan 1 includes the following capabilities:
"Powerful antivirus and antimalware protection with manual quarantine options, attack prevention, and detailed control over device access. Central management through Microsoft 365 Defender, supporting Windows, macOS, iOS, and Android."
Manual response actions let your security team respond to threats on devices or files. Defender for Endpoint offers actions to handle potentially compromised devices or suspicious files.
Type    Action                                     Description
Device  Run antivirus scan                         Starts a scan for threats; if found, they are usually fixed during the scan.
Device  Isolate device                             Disconnects a device from the network but keeps it connected to Defender for Endpoint for monitoring and further action.
File    Stop and quarantine                        Stops processes from running and quarantines associated files.
File    Add an indicator to block or allow a file  Block indicators stop executable files from being accessed, while allow indicators let them through.
Losing ASR across all Windows OS is disappointing, but it was mainly useful for technical enterprise clients. With Defender for Endpoint Plan 1, you can protect your devices and apps, reducing your organization's cyberattack risks.
Attack surface reduction rules block or detect risky app behaviors:
Running suspicious files or scripts that download or execute other files, especially if they're hidden or unusual.
When ASR rules trigger, events are logged in the Microsoft-Windows-Windows Defender/Operational log. EventID 5007 notes changes to ASR settings, EventID 1121 logs blocked activities, and EventID 1122 logs triggered rules that aren't set to block.
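An added PowerShell example (not from the course page) that pulls the three ASR event IDs named above from the Defender Operational log and summarises them per rule. It assumes the rule GUID appears in the event message text, which is how Microsoft identifies ASR rules in its documentation.

```powershell
#Requires -RunAsAdministrator
# Map the three ASR-related event IDs to what they mean.
$asrIds = @{ 1121 = 'Block'; 1122 = 'Audit'; 5007 = 'ConfigChange' }
$since  = (Get-Date).AddDays(-7)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122, 5007
    StartTime = $since
} -ErrorAction SilentlyContinue

# Assumption: the ASR rule GUID is embedded in the message text of 1121/1122 events.
$guidPattern = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'

$events |
    ForEach-Object {
        $m = [regex]::Match($_.Message, $guidPattern, 'IgnoreCase')
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Kind    = $asrIds[[int]$_.Id]
            RuleId  = if ($m.Success) { $m.Value.ToLower() } else { 'n/a' }
            Summary = ($_.Message -split "`r?`n")[0]
        }
    } |
    # Count blocks and audits per rule; a rule with many audit hits and no blocks is a tuning candidate.
    Group-Object Kind, RuleId |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```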
If you're experienced with modern attacks, you'll understand how Microsoft develops ASR rules, offering detailed info on high-priority and other rules.
Below is a screenshot showing how to configure ASR rules in the Microsoft 365 Defender portal:
Commercial EDR tools like Microsoft Defender for Endpoint have strong features, but their cost and complexity can be a barrier for some organizations.
We have free solutions that can be used temporarily or as a full, effective option while moving toward a commercial product.
Microsoft security advisory "Update to improve Windows command-line auditing" adds:
This update adds a feature to Windows that logs events when a process is created, including the command-line info. These events appear in ID 4688 in the Windows Security log, helping admins troubleshoot and investigate security issues.
Event ID 4688 is useful but can generate a lot of data. Full command-line details, especially from cmd.exe or PowerShell, are essential for detecting threats. Despite the high volume, these events are valuable for SIEM alerts and investigations.
4688 with full command-line auditing can expose sensitive data, like passwords, if passed in commands. Instead of avoiding auditing, update processes to handle potential issues as they arise.
Enabling full command-line logging gives useful data but can create a lot of noise. The goal is to find the important info.
Once logging full command lines, search for the following:
Loooooooooong commands (1,000+ bytes)
rundll32.exe and cscript.exe
.vbs scripts
Anything launched from a temp folder
Launching PowerShell via cmd.exe
Base64-encoded commands
whoami /priv
vssadmin
sdelete
schtasks and at
net group "Domain Admins" /domain
We'll cover ways to monitor command-line usage during 511.5. For now, here's a quick look at how Meterpreter creates a large PowerShell command with a compressed/base64-encoded function. Without full command-line logging or Sysmon, EventID 4688 will only show powershell.exe running.
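The hunt list above turned into a PowerShell triage script, added here and not part of the course material: it reads 4688 events, pulls the command line out of the event data, and labels each event with every indicator from the list that matches. It assumes command-line auditing is enabled and that 4688 carries CommandLine, NewProcessName and ParentProcessName in its EventData (Windows 8.1 / 2012 R2 and later).

```powershell
#Requires -RunAsAdministrator
# Read 4688 events and flatten the EventData fields we care about into objects.
function Get-ProcessCreateEvent {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $d['SubjectUserName']
                Parent      = $d['ParentProcessName']   # present on Windows 10 / 2016 and later
                Image       = $d['NewProcessName']
                CommandLine = $d['CommandLine']         # empty unless command-line auditing is on
            }
        }
}

# One rule per indicator from the hunt list; each receives the event as $args[0].
$rules = [ordered]@{
    'long command (1000+ chars)' = { $args[0].CommandLine.Length -ge 1000 }
    'rundll32/cscript'           = { $args[0].Image -match '\\(rundll32|cscript)\.exe$' }
    '.vbs script'                = { $args[0].CommandLine -match '\.vbs\b' }
    'launched from temp'         = { $args[0].Image -match '\\(temp|tmp)\\' }
    'powershell via cmd.exe'     = { $args[0].Parent -match '\\cmd\.exe$' -and $args[0].Image -match '\\powershell\.exe$' }
    'base64-encoded command'     = { $args[0].CommandLine -match '-e\w*\s+[A-Za-z0-9+/=]{40,}' }   # -e, -ec, -enc, -EncodedCommand
    'whoami /priv'               = { $args[0].CommandLine -match 'whoami\s+/priv' }
    'vssadmin'                   = { $args[0].Image -match '\\vssadmin\.exe$' }
    'sdelete'                    = { $args[0].Image -match '\\sdelete(64)?\.exe$' }
    'schtasks/at'                = { $args[0].Image -match '\\(schtasks|at)\.exe$' }
    'domain admins enumeration'  = { $args[0].CommandLine -match 'net\s+group\s+"?domain admins"?\s+/domain' }
}

# Emit only events that match at least one rule, listing every rule that fired.
function Find-SuspiciousProcessCreate {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        if (-not $Event.CommandLine) { return }   # without command-line auditing there is nothing to inspect
        $hits = foreach ($name in $rules.Keys) { if (& $rules[$name] $Event) { $name } }
        if ($hits) {
            [pscustomobject]@{
                Time        = $Event.Time
                User        = $Event.User
                Image       = $Event.Image
                Hits        = ($hits -join ', ')
                CommandLine = $Event.CommandLine
            }
        }
    }
}

Get-ProcessCreateEvent | Find-SuspiciousProcessCreate | Format-List
```

The Meterpreter case mentioned above trips both the long-command and base64 rules at once, which is a useful signal on its own; expect some benign hits from management tooling that you will want to safelist.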
PowerShell is widely used by both legitimate users and attackers. Just seeing powershell.exe running isn't enough to tell if it's malicious. Microsoft improved PowerShell logging a lot, especially in version 5.0, making it much better at detecting suspicious activity.
Sysmon updates often (several times a year). Check for the latest version at https://sec511.com/7m. Major updates add new detection methods and Event IDs.
Sysmon 10 added DNS query logs (Event ID 22).
Sysmon 11 introduced file deletion logs (Event ID 23).
Sysmon 12 added clipboard interaction logs (Event ID 24).
Sysmon 13 added process tampering logs (Event ID 25).
This Sysmon update adds a process tampering event that detects when a process image doesn’t match the file or is locked. It helps spot process hollowing and herpaderping. It also fixes some bugs and memory leaks.
ID  Tag                   Event
1   ProcessCreate         Process Create
2   FileCreateTime        File creation time
3   NetworkConnect        Network connection detected
5   ProcessTerminate      Process terminated
6   DriverLoad            Driver Loaded
7   ImageLoad             Image loaded
8   CreateRemoteThread    CreateRemoteThread detected
9   RawAccessRead         RawAccessRead detected
10  ProcessAccess         Process accessed
11  FileCreate            File created
12  RegistryEvent         Registry object added or deleted
13  RegistryEvent         Registry value set
14  RegistryEvent         Registry object renamed
15  FileCreateStreamHash  File stream created
17  PipeEvent             Named pipe created
18  PipeEvent             Named pipe connected
19  WmiEvent              WmiEventFilter activity detected
20  WmiEvent              WmiEventConsumer activity detected
21  WmiEvent              WmiEventConsumerToFilter activity detected
22  DNSEvent              DNS query detected
24  ClipboardChange       Logs changed clipboard contents
26  FileDeleteDetected    File Deletion
FileDelete is a standout feature, making Sysmon as effective as, or better than, many EDR tools by logging deleted files.
Think carefully before enabling ClipboardChange. Password managers, like LastPass, often copy passwords to the clipboard. Logging these passwords increases security risks by exposing them in more places. Using ClipboardChange could weaken security rather than strengthen it. The authors recommend avoiding it in production unless it’s strictly needed, and even then, test it thoroughly before sending data to a SOC.
ProcessTampering detects files changed after being loaded by the system. This "Herpaderping" method hides malicious code, tricking security tools or the system into running it.
Sysmon v14 introduced EDR-style features, including blocking EXE files in certain folders like "Temp" or "\users."
Sysmon uses traditional hashes (MD5, SHA1, SHA256) and IMPHASH. Traditional hashes change if even a small part of a file changes, which is great for checking file integrity and finding identical files or malware.
If an attacker changes their payload slightly, a traditional hash won’t help. IMPHASH, which uses the order of imported DLL functions, lets us find new, similar samples by the same threat group.
The following event filters exclude drivers with "Microsoft" or "Windows" in the signature:
The following event filter includes traffic sent to port 443:
Sysmon logs loaded files like .EXE, .DLL, and .SYS. Most are signed, like a Microsoft DLL in Taskmgr.exe. But some, like Mimikatz, are unsigned.
DeepBlueHash is a PowerShell tool that submits SHA256 hashes to VirusTotal using an API key. A free key allows 4 queries per minute. It collects hashes from Sysmon events like process creation, driver loads, and image/DLL loads, or from a file.
DeepBlueHash also supports a safelist, which may be generated directly via PowerShell:
Use and understand the Sysinternals Sysmon command.
Configure Sysmon.
Filter Sysmon logging based on:
Processes
Network connections
Driver loading
Image loading
Let's start by installing Sysmon:
To view a summary of Sysmon logs in PowerShell, let's type:
We can see more details by using "fl" (format list) and paging with "more":
We can also filter on the Sysmon event ID. To show only ProcessCreate events (ID 1), add "id=1" before the closing bracket in the Get-WinEvent command. We'll use Select-Object -first 1 to display just the first event.
Reconfigure Sysmon to perform the following actions:
Log SHA1 hashes only.
Log DriverLoad, except for drivers with a signature containing "microsoft", "windows", or "sysinternals".
Log ImageLoad, except for images (DLLs) with a signature containing "microsoft", "windows" or "sysinternals".
Disable process termination logging.
Log network connections, but ignore ports 80, 137, and 443.
Log process creation.
Use the SHA1 hash to ignore putty.exe.
Load your new Sysmon configuration and verify it is running properly.
Run the command ipconfig /all.
First, we'll copy \labs\sysmon-config-basic.txt to \labs\sysmon-config.txt.
Then, let's load this configuration to ensure it works properly:
Let's display the current Sysmon configuration:
Let's start editing the file. It's best to make one change at a time, saving and reloading the configuration after each change. This makes it easier to spot errors.
1) Log SHA1 hashes only.
We need to change these two lines of the configuration:
Change to:
Then we save the file in Notepad and load the updated configuration:
Let's display Sysmon events with ID 1 (ProcessCreate) in a list format:
We can see that processes are logging with SHA1 only.
2) Log DriverLoad, except for drivers with a signature containing "microsoft", "windows", or "sysinternals".
The configuration already includes "microsoft" and "windows," so let's just add "sysinternals" to that section.
Let's save the file in Notepad and load the updated configuration:
Now, let's check Sysmon events with ID 6 (DriverLoad) for any entries that happened after the initial Sysmon setup.
3) Log ImageLoad, except for images (DLLs) with a signature containing "microsoft", "windows" or "sysinternals".
Let's create a new section for the ImageLoad:
Now, let's save the file in Notepad and load the updated configuration:
Then let's view Sysmon events with id 7 (ImageLoad), and format list output:
4) Disable process termination logging.
The current ProcessTerminate section doesn't need any changes.
Let's check Sysmon events with ID 5 (ProcessTerminate) for any entries that happen after the initial Sysmon setup.
Note: If you use an "include" or "exclude" statement without a filter, it has the opposite effect. For example, the statement below instructs Sysmon to log all “ProcessCreate” events and not to log any “FileCreateTime” events.
Reference: https://www.whatsupgold.com/blog/how-to-tune-windows-system-monitor-sysmon
5) Log network connections, but ignore ports 80, 137, and 443.
Let's edit the NetworkConnect section:
The current section logs ports 443 and 80, ignoring others. We want to exclude ports 137, 80, and 443, and log the rest. We need to change "onmatch" to "exclude" and add a line for DestinationPort.
Let's generate 53/udp traffic to create a log entry:
Next, let's view Sysmon events with ID 3 (NetworkConnect) and display the output as a list:
6) Log process creation, and use the SHA1 hash to ignore putty.exe.
Let's run PuTTY, and then check the SHA1 hashes.
Next, let's copy the SHA1 hash and use it to ignore putty.exe.
Then, we'll load the new config, note the time, open PuTTY, and check Sysmon events with ID 1 (ProcessCreate) in list format.
Finally, let's run ipconfig /all, and verify the command line was logged by Sysmon:
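The complete configuration the six steps above build up, as an added PowerShell example rather than the lab's own files; it also covers the DriverLoad-signature and destination-port filters discussed earlier in the Sysmon section. It assumes sysmon.exe is on the PATH, PuTTY is installed at the path shown, the output file path is a constructed one, and schemaversion 4.50 is at or below what `sysmon -s` reports for the installed binary.

```powershell
#Requires -RunAsAdministrator
$puttyPath  = 'C:\Program Files\PuTTY\putty.exe'    # assumed PuTTY location
$configPath = Join-Path $PWD 'sysmon-config.xml'    # constructed output path

# Step 6: compute putty.exe's SHA1 so the exclusion matches exactly this binary.
$puttySha1 = (Get-FileHash -Algorithm SHA1 -Path $puttyPath).Hash

$config = @"
<Sysmon schemaversion="4.50">
  <!-- Step 1: record SHA1 only -->
  <HashAlgorithms>SHA1</HashAlgorithms>
  <EventFiltering>
    <!-- Step 6: log every process creation except putty.exe, matched on its hash -->
    <ProcessCreate onmatch="exclude">
      <Hashes condition="contains">SHA1=$puttySha1</Hashes>
    </ProcessCreate>
    <!-- Step 4: an include filter with no conditions logs nothing -->
    <ProcessTerminate onmatch="include" />
    <!-- Step 2: drop drivers whose signer contains any of these strings -->
    <DriverLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
      <Signature condition="contains">sysinternals</Signature>
    </DriverLoad>
    <!-- Step 3: same treatment for loaded images (DLLs) -->
    <ImageLoad onmatch="exclude">
      <Signature condition="contains">microsoft</Signature>
      <Signature condition="contains">windows</Signature>
      <Signature condition="contains">sysinternals</Signature>
    </ImageLoad>
    <!-- Step 5: log all connections except these destination ports -->
    <NetworkConnect onmatch="exclude">
      <DestinationPort condition="is">80</DestinationPort>
      <DestinationPort condition="is">137</DestinationPort>
      <DestinationPort condition="is">443</DestinationPort>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>
"@

Set-Content -Path $configPath -Value $config -Encoding UTF8
sysmon.exe -c $configPath       # load the new configuration into the running service

# Verify: note the time, trigger each event type, then read back what Sysmon logged.
$start = Get-Date
Start-Process $puttyPath                  # should NOT produce a ProcessCreate event (hash excluded)
Resolve-DnsName sec511.com | Out-Null     # 53/udp, should produce a NetworkConnect event
ipconfig /all | Out-Null                  # should produce a ProcessCreate event with its CommandLine

Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 3; StartTime = $start } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
```

Run `sysmon -c` with no file argument afterwards to dump the active configuration and confirm the filters took effect.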
Let's edit our Sysmon configuration in Notepad:
Then, we'll insert the following section near the end of the file:
Next, let's open Chrome, and surf to: https://sec511.com
Now, let's use Get-WinEvent to view DNS events (id=22), and pipe the output to ogv (Out-GridView) for an easy way to search and view the events.
Let's click "Add criteria" and choose "Message" to search events by keywords.
Then enter "sec511.com" in the "Message contains" field.
It shows the QueryName, the resolved IP address (QueryResult), and the program (Image) that made the query.
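The DNS logging step scripted end to end, as an added PowerShell example that is not part of the lab files: it adds the DnsQuery section to an existing configuration, reloads it, and extracts QueryName, the resolved result and Image for one domain without needing Out-GridView. It assumes the configuration lives at .\sysmon-config.xml, sysmon.exe and chrome.exe are resolvable by name, and the installed Sysmon supports DnsQuery (Sysmon 10 or later).

```powershell
#Requires -RunAsAdministrator
$configPath = Join-Path $PWD 'sysmon-config.xml'    # assumed location of the lab configuration

# Append <DnsQuery onmatch="exclude" /> to EventFiltering if it is not there yet.
# An exclude filter with no conditions logs every DNS query (Event ID 22).
[xml]$cfg = Get-Content -Path $configPath -Raw
if (-not $cfg.Sysmon.EventFiltering.DnsQuery) {
    $node = $cfg.CreateElement('DnsQuery')
    $node.SetAttribute('onmatch', 'exclude')
    [void]$cfg.Sysmon.EventFiltering.AppendChild($node)
    $cfg.Save($configPath)
}
sysmon.exe -c $configPath

# Read Event ID 22 and return the fields the lab looks at, optionally filtered to one domain.
function Get-SysmonDnsQuery {
    param([string]$Domain, [datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # Current Sysmon builds name the result field QueryResults; match either spelling.
            $resultKey = $d.Keys | Where-Object { $_ -like 'QueryResult*' } | Select-Object -First 1
            [pscustomobject]@{
                Time        = $_.TimeCreated
                QueryName   = $d['QueryName']
                QueryResult = if ($resultKey) { $d[$resultKey] } else { $null }
                Image       = $d['Image']
            }
        } |
        Where-Object { -not $Domain -or $_.QueryName -like "*$Domain*" }
}

# Generate a query and read it back, matching the lab's Chrome visit to sec511.com.
Start-Process chrome.exe 'https://sec511.com'
Start-Sleep -Seconds 5
Get-SysmonDnsQuery -Domain 'sec511.com' | Format-Table -AutoSize
```

Drop the -Domain argument to see every process on the host that has resolved a name in the window, which is the view you want when hunting for unexpected resolvers.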