Captain – IT-Pirate

Summary MDE Incident #ASRmageddon

Captain / 19. January 2023 / 0 Comments / Microsoft 365 Defender

Pirate,

here is more information about the big MDE incident of Friday 13.01.23. #ASRmageddon.

Management Summary:
On Friday, January 13, 2023, some customers running Microsoft Defender for Endpoint (MDE) experienced “false-positive” detections by ASR (Attack Surface Reduction) rules in the context of Office macro blocks after a signature update. These detections led to the deletion of files (ink, exe, etc.). The incorrect detection logic/signature was fixed in Security Intelligence version 1.381.2164.0 (and newer). With this updated version, the problem no longer occurs. For devices that were affected before the fix, the links and exe files must be explicitly restored. For customers who do not configure the ASR rule “Block Win32 API calls from Office macros” to “Block” mode, there is no false positive / “data loss”. 

There are now several good summaries on the general incident, the content sequence, the best detection methods for (still) affected endpoints, and scripts for link recovery.

Spring Microsoft Ignite 2021 – The Future of Cybersecurity

Captain / 2. March 2021 / 0 Comments / Microsoft 365 Defender

I’m thrilled to be speaking again at Microsoft Ignite (spring edition). In fall 2020 I already had the chance to speak about Zero Trust in 2020 in front of a fully packed session. Table Talks in my oppinion are a very smooth and successful way to interact with experts on specific topics all around the globe. That’s why I’m really excited to be nominated to speak with Gokan Ozcifci, Dr. Mike Jankowski-Lorek, Paula Januszkiewicz and Tomas Vileikis about The Future of Cybersecurity.

Microsoft Ignite 2019 – Join my sessions!

Captain / 14. October 2019 / 0 Comments / Microsoft 365 Defender

2019 was already an incredible year. I was allowed to be on stages this year that I would never have dreamed of. Fantastic!

Definitely an absolute highlight has been RSA 2019, where I was invited to speak with my buddy Josh Harriman about “The Lost Boys: How Linux and Mac Intersect in a Windows-Centric Security World”. An awesome experience to be on stage with an expert like Josh!

Now two more top conferences are casting their shadow – Microsoft Ignite and ExpertsLive Europe.

Microsoft Ignite | November 4-8, 2019 | Orlando, Florida

Windows Defender ATP: the lost boys – Mac & Linux

Captain / 28. January 2019 / 0 Comments / MDE, Security

At RSA 2019 I’ll be speaking about the Lost Boys: How Linux and Mac Intersect in a Windows-Centric Security World. We often see that Windows has such a large market share as the platform of choice, it can render Linux and Mac the Lost Boys in the world of security. This is also reinforced by the fact that the management of the two platforms for enterprise environments is simply not comparable to the administration of Windows client or server operating systems. But from the perspective of a security officer, this is as important as necessary. In November 2017, Microsoft announced that it will extend Windows Defender ATP partners across platforms. With that, the public availability of the WDATP integration of Ziften, Bitdefender and Lookout went live. With this comprehensive approach, Microsoft unites forces against cyber threats and adds lack of knowledge about behavior-based security solutions on these platforms through the industry expertise of its partners. This integration has now been extended to include two additional platforms, SentinelOne and Corrata. In this blog post I’ll give you a first introduction how the integration with Ziften can be done. Later we will have a look how the agent behaves on Mac and Linux machines with two different examples of real world attacks, that we have seen in the past couple of months.

Experts Live Europe – The new era of endpoint security!

Captain / 29. October 2018 / 0 Comments / Community

Pirate,

I just arrived home from my trip to Prague Czech Republic. It was an amazing conference with a big firework at the end :). The conference counted over 400 attendees from 29 countries. In six different session tracks you could listen to 42 experts presenting a wide range of topics in the Microsoft universe. Besides the VIP party in Cloud 9 Sky Bar & Lounge my absolute highlight was the Intro Video below.

I’m speaking at Experts Live Europe in Prague

Captain / 14. October 2018 / 0 Comments / Community

Pirate,

after Microsoft Ignite and IT:SA I’m looking forward to Experts Live Europe. I’m part of the community for more than 4 years now. Back in the days the conference was called System Center Universe Europe. I attended twice and I really liked the warm and welcoming atmosphere and the good quality and selection of the speakers. Honestly I’m super proud to be back as a speaker. Last year I had three sessions – check out the according blog post if you are interested.

Azure ATP: Golden Ticket Attack – How golden ticket attacks work

Captain / 20. September 2018 / 0 Comments / MDI, Microsoft 365 Defender, Security

Pirate,

in the previous post we’ve focused on the authentication technique of Kerberos, we went through the 3 way handshake and had a look at the encryption types. With that in mind we will have a look at golden ticket attacks.

Azure ATP: Golden Ticket Attack – Understanding Kerberos

Captain / 24. August 2018 / 0 Comments / Azure, MDI, Security

Pirate,

many enterprise IT departments these days are afraid of golden ticket or pass the ticket attacks -which is good because privilege escalation and privileged account exploitation are at the center of cyber attacks as we see them. Attackers crash through the network perimeter, hijack credentials and use them to move laterally throughout the network, taking additional credentials and escalating privileges along the way to accomplish their goals. In this blog series we will have a look at kerberos golden ticket and silver ticket attacks. I’ll try my best to explain how it works and how Azure ATP / Advanced Threat Analytics can help to detect.

Microsoft Cybersecurity Reference Architecture

Captain / 17. August 2018 / 0 Comments / Security

Pirate,

in June 2018, Mark Simos who works as Lead Architect, Enterprise Cybersecurity Group at Microsoft published the updated “Cybersecurity Reference Architecture”. I find this a very valuable collection of architectural information as it often gives a good impression of the big picture approach. As there is a webcast coming up, where Mark is going to explain the design and how you as a architect or systems engineer can use this reference architecture, I decided to wrap that information up in a blogpost.

Windows Defender ATP: Sticky Keys binary hijack detected

Captain / 16. August 2018 / 1 Comment / MDE, Security

Pirate,

we recently had a customer that was affected by a sticky keys attack. That made my team and myself dig deeper in how you can prevent these kind of attacks. The best way to protect is easier than you might expect…

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Author: Captain