QR Phishing
Defender for Endpoint MDE Microsoft

David McWee

Earlier this year some news outlets began reporting an increase in phishing that uses QR codes. This was first discussed as a new threat vector when the COVID pandemic moved restaurants, cafes, and other locations to replace physical menus with digital menus accessed from a QR code sticker on your table. Recently, around August/September, more news stories, reports, and industry data have indicated that QR phishing is becoming more prevalent.

MDE Migration Script
MDE Microsoft Defender for Endpoint Migration

David McWee

For the last 2-3 years I've been working with customers on migrating to Defender for Endpoint from other AV/FW/EDR solutions. One of the big issues I've seen is that there are a lot of checks to run to find what could prevent Defender from successfully onboarding. To make these checks more consistent and faster, I decided to create a script to help identify and flag potential migration issues.

CVE-2023-28303 Detection
MDE Microsoft Defender for Endpoint Advanced Hunting

David McWee

Recently a customer asked me about an Advanced Hunting query that could detect the Microsoft Screen Clipping vulnerability CVE-2023-28303. In my initial testing, the Threat and Vulnerability Management tables in Advanced Hunting did not capture this software on my test machines. However, there are still some ways to detect the potential presence of this vulnerability.

MDE Tamper Protection Forced Values
MDE Microsoft Defender for Endpoint Tamper Protection

David McWee

Recently an issue was raised in which a customer had configured their Defender AV policies and then enabled Tamper Protection. When they checked the local machine's settings, they found that some Defender AV values were not consistent with their AV policy, which was unexpected. The cause turned out to be an undocumented, or at best vaguely documented, action taken by Tamper Protection.

How to map AAD Groups to MDE Device Groups
MDE Microsoft Defender for Endpoint MDM Intune

David McWee

I've seen a lot of requests from customers about how they can use Azure AD groups with MDE device groups. Unfortunately, there isn't a direct way to use Azure AD groups with MDE device groups, but there is an approach that provides a similar capability.

Announcement - Labs
MDE Microsoft Defender for Endpoint MDI Microsoft Defender for Identity

David McWee

I've decided to properly document and promote my Azure Labs so anyone can easily deploy environments for testing and learning the various Microsoft Defender products. These labs have been available for a while, but I've now committed some time to documenting them and incorporating that information as part of [this site](/labs/).

Install MDE with SaltStack
MDE Microsoft Defender for Endpoint SaltStack

David McWee

MDE for Linux has several articles about using common deployment tools, but recently I was asked about using SaltStack, a tool I'm not familiar with and one that lacks (or lacked) official documentation.

Getting started with Defender Attack Surface Reduction - Part 2

David McWee

In the previous post about ASR adoption, I recommended you enable ALL ASR rules in AUDIT mode. Now we will use the Security Baseline to build an ASR policy that *should* be minimally impactful to your systems and end users.

Getting started with Defender Attack Surface Reduction - Part 1

David McWee

This post is intended as a starting point for organizations looking to adopt Attack Surface Reduction (ASR) rules. ASR rules can improve an organization's security, but they can also disrupt normal user and application behavior in certain environments. My recommendation to anyone looking to implement ASR rules is to always start with **Auditing**.

Get started with Defender AV - Part 2

David McWee

This is the second post on switching to Defender Anti-Virus and using the Security Baselines published in Endpoint Manager to create a good starting point for your Defender AV settings. This post focuses on the settings in the **Security Baseline for Windows 10 and later** and how to create an AV-only policy based on them.