Shields up! Find CISA Known Exploited Vulns in your Defender for Endpoint data

Alex Mags
This post has some KQL to report CISA Known Exploited Vulnerabilities within your environment. First of all, if you have Ukrainian or Russian staff working with you, check in with them and do what you can to support them and their families at this time. The US Cybersecurity and Infrastructure Security Agency (CISA) leads a national effort to understand, manage, and reduce risk to cyber and physical infrastructure. They maintain the Known Exploited Vulnerabilities (KEV) catalog: a list of Common Vulnerabilities and Exposures (CVEs) with evidence of active exploitation, each with a remediation due date for US federal agencies. The KQL joins that catalog against the vulnerable software that Defender for Endpoint already inventories per device, so you get a list of machines exposed to bugs that are actually being exploited rather than everything with a CVSS score.

Exchange Online Email Investigation

Alex Mags
This post has some KQL to report "who read the sensitive email and who opened the sensitive attachment". There are a few audit logs available to build a timeline of what happened with this email (send, receive, forward) and who interacted with it: the Office 365 unified audit log (Activity Explorer / CloudAppEvents table); Defender for Office 365 / Exchange Online Protection mail flow events; Defender for Endpoint (DeviceFileEvents); and mailbox audit logs (MailItemsAccessed events). M365 has an Activity Explorer GUI for exploring activity around files.

KQL for files uploaded to cloud

Alex Mags
This post has some KQL to report on files uploaded to cloud services via Microsoft Edge or Google Chrome. It requires Office 365 sensitivity labels, Defender for Endpoint and (for Google Chrome) the Microsoft Compliance extension. M365 has an Activity Explorer GUI for exploring activity around files. If the files have been classified using Office 365 sensitivity labels you can focus on your most sensitive documents. This interface is fine for a demo, but you're unable to save the searches and filters for reuse, and you'll want to filter out 'normal' approved activity (uploads to your own tenant's SharePoint or OneDrive, for example) so the report only shows what is worth investigating.

Domestic Wifi for farmhouse

Alex Mags
Visited my brother-in-law’s farmhouse. It was built around 1740, long before the internets, or domestic electricity for that matter! The problem: WiFi didn’t extend far from the internet company’s hub in one corner of the house. This made working from home difficult. The fix: I installed a Powerline Wifi extender. Devices in plug sockets create a layer-2 network using the house mains power cabling. You can then install additional wireless access points in other locations around the house for WiFi and ethernet.

PrintNightmare Discover Print Servers

Alex Mags
CVE-2021-1675 aka PrintNightmare. Tl;dr: find all servers with printers published to users in AD by looking for printQueue objects. Lots of interest in figuring out which servers offer network printing services due to CVE-2021-1675 aka PrintNightmare. Ideally your org has a well managed print service with DNS aliases to your regional print servers. Or maybe a managed print service over the internet? If your print servers are less easy to find, try hunting in Active Directory: when a shared printer is "listed in the directory", the spooler publishes a printQueue object beneath the print server's computer object, so those objects give you the server names, share names and drivers in one query.
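The AD hunt described above, as an added PowerShell example (not the original post's script). It assumes the ActiveDirectory RSAT module is installed and the account has read access to the domain; the output file name is arbitrary.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory RSAT module
# and read access to the domain. Print servers that publish queues in AD have printQueue
# objects stored under their computer object; serverName is the publishing server.
Import-Module ActiveDirectory

function Get-PublishedPrintServer {
    param(
        # Search the whole domain by default; narrow to an OU to speed things up.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    Get-ADObject -LDAPFilter '(objectClass=printQueue)' -SearchBase $SearchBase `
        -Properties serverName, shortServerName, printerName, printShareName, uNCName, driverName |
        Group-Object -Property serverName |
        ForEach-Object {
            [pscustomobject]@{
                PrintServer = $_.Name
                QueueCount  = $_.Count
                Shares      = ($_.Group | Select-Object -ExpandProperty printShareName) -join ', '
                Drivers     = ($_.Group | Select-Object -ExpandProperty driverName -Unique) -join ', '
            }
        } |
        Sort-Object QueueCount -Descending
}

$servers = Get-PublishedPrintServer
$servers | Format-Table -AutoSize
# Hypothetical output path; change to suit.
$servers | Export-Csv -NoTypeInformation -Path .\print-servers.csv

# Second pass: the printQueue search only finds printers that were published to AD.
# For the servers it did find, confirm the Print Spooler is actually running there.
Invoke-Command -ComputerName $servers.PrintServer -ScriptBlock {
    Get-Service -Name Spooler | Select-Object @{n='Server';e={$env:COMPUTERNAME}}, Status, StartType
} -ErrorAction SilentlyContinue | Format-Table -AutoSize
```

Caveat: a shared printer that was never "listed in the directory" has no printQueue object, so an empty result for a server does not prove the spooler is off. Treat the AD list as the starting point and follow up with the spooler service check (or an inventory of `Print$` shares) on every server, not just the published ones.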

Local admin report with Defender for EndPoint

Alex Mags
Securing Windows PCs starts with managing local administrator access. Microsoft Defender for Endpoint logs every logon and records whether the account was a local admin (the IsLocalAdmin column in DeviceLogonEvents). Use the following KQL query in the Advanced Hunting portal to create a report. Use Active Directory Group Policy (Restricted Groups) to manage the local admins that need to be there for support or management tools. Take care with this policy: the "Members of this group" setting replaces the whole membership, removing all admins EXCEPT the ones in the GPO, whereas "This group is a member of" only adds.
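Both this post and the CISA Known Exploited Vulnerabilities post above are reports built from Defender for Endpoint Advanced Hunting data, so here is one added PowerShell example (not the posts' own KQL) that runs both queries through the Advanced Hunting API and writes the reports out. It assumes an Azure AD app registration with the AdvancedQuery.Read.All permission for Defender for Endpoint and a bearer token for it already in `$Token`; the KEV download URL, the `Invoke-MdeAdvancedHunting` helper name and the output file names are assumptions made for this example.

```powershell
# Added example, not from the original posts. Assumes $Token holds a bearer token for an
# app registration granted AdvancedQuery.Read.All on Defender for Endpoint.
function Invoke-MdeAdvancedHunting {
    param(
        [Parameter(Mandatory)][string]$Query,
        [Parameter(Mandatory)][string]$Token
    )
    $body = @{ Query = $Query } | ConvertTo-Json
    $resp = Invoke-RestMethod -Method Post `
        -Uri 'https://api.securitycenter.microsoft.com/api/advancedhunting/run' `
        -Headers @{ Authorization = "Bearer $Token" } `
        -ContentType 'application/json' -Body $body
    # The API returns a Schema array and a Results array; we only want the rows.
    return $resp.Results
}

# 1. Local admin report. DeviceLogonEvents carries an IsLocalAdmin flag on every logon,
#    so the query itself is simple; restricting to interactive logons drops service noise.
$localAdminQuery = @'
DeviceLogonEvents
| where Timestamp > ago(30d)
| where ActionType == "LogonSuccess" and IsLocalAdmin == true
| where LogonType in ("Interactive", "RemoteInteractive")
| summarize Logons = count(), LastSeen = max(Timestamp) by DeviceName, AccountDomain, AccountName
| order by DeviceName asc, Logons desc
'@
$localAdmins = Invoke-MdeAdvancedHunting -Query $localAdminQuery -Token $Token
$localAdmins | Export-Csv -NoTypeInformation -Path .\local-admin-logons.csv

# 2. CISA KEV exposure. Pull the catalog CSV (assumed URL), index it by CVE, then match it
#    against the per-device vulnerable-software inventory that MDE already keeps.
$kevUrl = 'https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv'
$kev = Invoke-RestMethod -Uri $kevUrl | ConvertFrom-Csv   # text/csv comes back as a string
$kevById = @{}
foreach ($row in $kev) { $kevById[$row.cveID] = $row }

$vulnQuery = @'
DeviceTvmSoftwareVulnerabilities
| project DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel
'@
$vulns = Invoke-MdeAdvancedHunting -Query $vulnQuery -Token $Token

# Join client-side so a change to the KEV column set does not break the KQL.
$exploited = $vulns | Where-Object { $kevById.ContainsKey($_.CveId) } | ForEach-Object {
    [pscustomobject]@{
        DeviceName        = $_.DeviceName
        CveId             = $_.CveId
        Severity          = $_.VulnerabilitySeverityLevel
        Software          = "$($_.SoftwareVendor) $($_.SoftwareName) $($_.SoftwareVersion)"
        VulnerabilityName = $kevById[$_.CveId].vulnerabilityName
        CisaDueDate       = $kevById[$_.CveId].dueDate
    }
}
$exploited | Sort-Object CisaDueDate, DeviceName | Export-Csv -NoTypeInformation -Path .\cisa-kev-exposure.csv

# Quick view: which exploited CVEs affect the most devices?
$exploited | Group-Object CveId | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Two practical notes. The Advanced Hunting API caps a single query at 100,000 rows, so on a large estate filter DeviceTvmSoftwareVulnerabilities by device group or severity before pulling it. And the local admin query reports who *logged on* as an admin; an account that holds admin rights but has not logged on in the window will not appear, so pair it with the Restricted Groups policy rather than treating it as a complete membership list.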

Bitlocker status report with Defender for EndPoint

Alex Mags
Are all your machines encrypted? If a laptop is lost, is the data protected, or will you need to declare a breach? Microsoft Defender for Endpoint (aka ATP) stores BitLocker status information as part of its secure configuration assessment. Use the following KQL query in the Advanced Hunting portal. The KQL was inspired by SecGuru_OTX's tweet: "M365 Advanced Hunting: Detect Bitlocker non-compliant Windows 10 devices with 'Encrypt all Bitlocker supported drives' setting." (CISOwithHoodie, @SecGuru_OTX, June 9, 2021)

Ultimate accessory for standing desk

Alex Mags
Like many I've been working from home for a while. I use a standing desk and a recent and best accessory purchase is, believe it or not, footwear. These are fugly but they're sooo comfortable! I can stand for longer with this soft footwear and it's well out of sight of the conf call camera 😊. Other bits I'm finding useful for a standing desk setup are: Cable management spine from desk to floor

Assign AzureAD role By AD Security Group

Alex Mags
Using on-premises AD security groups to delegate access to Azure AD roles is not supported at the moment. This post offers two workarounds. Permissions to manage Azure AD and Office 365 are often assigned via Azure AD roles. If you have strong access management processes and tooling for on-prem Active Directory (access request & approval workflow, joiners & leavers, access reviews & reporting, auditing and alerts) you'll likely want to reuse these to manage access to Azure AD and Office 365 rather than run a second, weaker process in the cloud.

Auto Configure Git client proxy authentication

Alex Mags
This post has some PowerShell to make the Git client work on Windows in a corporate environment. Short version: use the Microsoft Credential Manager for Git. Don't expose passwords in plaintext in Git config or an environment variable; the Microsoft Credential Manager will store creds for the proxy and the Git repo in Windows Credential Manager. The Git client doesn't accept a domain name in Git config, so when you enter creds in Credential Manager change the ID to the <userID> format. Automatically configure the Git client to authenticate with the corporate proxy, because the Git client doesn't support Web Proxy Auto Discovery (WPAD) and cannot pick the proxy up from Windows on its own.
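An added PowerShell example of the proxy part of that setup, written for this page rather than taken from the original post. It assumes Git for Windows with Git Credential Manager installed, and that Windows itself already knows the corporate proxy (via WPAD/PAC or a manual setting), which is what Git cannot read. The function name `Set-GitProxyFromSystem` and the test URL are assumptions.

```powershell
# Added example, not the original post's script. Git ignores WPAD/PAC, but .NET's system
# proxy resolver honours the Windows (WinINet) proxy settings, so ask it which proxy a
# given URL would use and write that into the global Git config.
function Set-GitProxyFromSystem {
    param(
        # Any URL on the far side of the proxy; the PAC decision is per-destination.
        [string]$TestUrl = 'https://github.com'
    )

    $systemProxy = [System.Net.WebRequest]::GetSystemWebProxy()
    $target      = [uri]$TestUrl

    if ($systemProxy.IsBypassed($target)) {
        # Direct route: make sure a stale proxy entry from a previous network is not left behind.
        git config --global --unset http.proxy  2>$null
        git config --global --unset https.proxy 2>$null
        Write-Host "No proxy required for $TestUrl; cleared http.proxy/https.proxy."
        return $null
    }

    $proxyUri = $systemProxy.GetProxy($target)

    # Store the proxy address only. Never embed user:password in this URL; when the proxy
    # answers 407, Git Credential Manager prompts once and keeps the credential in
    # Windows Credential Manager instead of .gitconfig or an environment variable.
    git config --global http.proxy  $proxyUri.AbsoluteUri
    git config --global https.proxy $proxyUri.AbsoluteUri
    Write-Host "Git proxy set to $($proxyUri.AbsoluteUri) for $TestUrl"
    return $proxyUri.AbsoluteUri
}

# Use the credential manager rather than a plaintext password anywhere in the config.
# Current Git for Windows ships the helper as "manager"; older releases called it "manager-core".
git config --global credential.helper manager

Set-GitProxyFromSystem

# Verify what ended up in the config; no username or password should appear in this output.
git config --global --list | Select-String -Pattern 'proxy|credential'
```

Run this from the same user context that does the Git work, since both the Windows proxy settings and the stored credentials are per-user. If your PAC file sends different hosts to different proxies, call the function once per destination you care about with the matching `-TestUrl`; Git can only hold one global proxy, so use a per-repository `git config http.proxy` for the exceptions.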