Microsoft 365 Defender

CVE-2023-34362 – MOVEit

Jonas Schneidewind / 5. July 2023 / 0 Comments / Microsoft 365 Defender

Since the end of May, several critical flaws have been discovered in Progress Software’s MOVEit Transfer managed file transfer application. The first flaw involves a SQL injection (SQLi) vulnerability that could potentially lead to privilege escalation and unauthorized system access. Depending on the specific database engine in use, such as MySQL, Microsoft SQL Server, or Azure SQL, an attacker may be able to gather information about the database’s structure and contents. Furthermore, they could execute SQL statements that have the capability to modify or delete elements within the database.

Microsoft has attributed the ongoing exploitation of this vulnerability to a threat actor known as Lace Tempest. Lace Tempest (also known as Storm-0950) is associated with ransomware groups like FIN11, TA505, and Evil Corp. They are also linked to the operation of the Cl0p extortion site. The attacker’s objective is data theft and subsequent extortion.

CVE-2023-32784 – KeePass

Jonas Schneidewind / 23. June 2023 / 0 Comments / Microsoft 365 Defender

This vulnerability is used to recover the cleartext master password from a memory dump. This can be achieved regardless of whether the KeePass workspace is locked or if the program is completely closed. It is important to note that the successful exploitation of the vulnerability requires an attacker to have already compromised a potential target’s computer. It also requires that the password is typed on a keyboard and not copied from the device’s clipboard.

This means that the usage of a keyfile or hardware key is not impacted.

Summary MDE Incident #ASRmageddon

Captain / 19. January 2023 / 0 Comments / Microsoft 365 Defender

Pirate,

here is more information about the big MDE incident of Friday 13.01.23. #ASRmageddon.

Management Summary:
On Friday, January 13, 2023, some customers running Microsoft Defender for Endpoint (MDE) experienced “false-positive” detections by ASR (Attack Surface Reduction) rules in the context of Office macro blocks after a signature update. These detections led to the deletion of files (ink, exe, etc.). The incorrect detection logic/signature was fixed in Security Intelligence version 1.381.2164.0 (and newer). With this updated version, the problem no longer occurs. For devices that were affected before the fix, the links and exe files must be explicitly restored. For customers who do not configure the ASR rule “Block Win32 API calls from Office macros” to “Block” mode, there is no false positive / “data loss”. 

There are now several good summaries on the general incident, the content sequence, the best detection methods for (still) affected endpoints, and scripts for link recovery.

Spring Microsoft Ignite 2021 – The Future of Cybersecurity

Captain / 2. March 2021 / 0 Comments / Microsoft 365 Defender

I’m thrilled to be speaking again at Microsoft Ignite (spring edition). In fall 2020 I already had the chance to speak about Zero Trust in 2020 in front of a fully packed session. Table Talks in my oppinion are a very smooth and successful way to interact with experts on specific topics all around the globe. That’s why I’m really excited to be nominated to speak with Gokan Ozcifci, Dr. Mike Jankowski-Lorek, Paula Januszkiewicz and Tomas Vileikis about The Future of Cybersecurity.

Microsoft Ignite 2019 – Join my sessions!

Captain / 14. October 2019 / 0 Comments / Microsoft 365 Defender

2019 was already an incredible year. I was allowed to be on stages this year that I would never have dreamed of. Fantastic!

Definitely an absolute highlight has been RSA 2019, where I was invited to speak with my buddy Josh Harriman about “The Lost Boys: How Linux and Mac Intersect in a Windows-Centric Security World”. An awesome experience to be on stage with an expert like Josh!

Now two more top conferences are casting their shadow – Microsoft Ignite and ExpertsLive Europe.

Microsoft Ignite | November 4-8, 2019 | Orlando, Florida

Azure ATP: Golden Ticket Attack – How golden ticket attacks work

Captain / 20. September 2018 / 0 Comments / MDI, Microsoft 365 Defender, Security

Pirate,

in the previous post we’ve focused on the authentication technique of Kerberos, we went through the 3 way handshake and had a look at the encryption types. With that in mind we will have a look at golden ticket attacks.

Windows Defender ATP: Tenant creation – Part 1

Captain / 30. January 2018 / 0 Comments / MDE, Microsoft 365 Defender

Pirate,

within the last year, we have focused on Windows Defender ATP and ran through several PoCs. I’ve prepared several scenarios for you, where I will guide you trough WDATP from the tenant creation to high end scenarios. In this first post, we will go through the tenant creation process itself.

Windows 10 AppLocker Policies still affect after disabling the service

Captain / 14. January 2018 / 18 Comments / Microsoft 365 Defender

Pirate,

from time to time I consult customers in the configuration of Windows 10 AppLocker. I really love AppLocker because it’s super simple, reliable and enterprise ready in terms of administrative overhead. Furthermore it’s the recommended tool for the configuration of unwanted / not needed apps within Windows 10. But sometimes AppLocker kind of “breaks” my Windows 10 start menu and stops Apps from strarting up. Although the AppLocker enforcement is disabled.

Windows 10 – Configure Windows Defender Application Guard for Microsoft Edge

Captain / 6. August 2017 / 0 Comments / Microsoft 365 Defender, Security

Pirate,

The current Windows 10 Insider Build 16257 includes upcoming features of Redstone 3 and Windows 10 1709. Also included are all the features of the Windows Defender Application Guard (WDAG). The feature will work like a sandbox. The feature is intended to prevent malicious content and downloaded files from harming the system. After surfing, the isolated tab closes and clears all malicious code together with the temporary container. Admins can already create Whitelists from harmless pages that start in conventional Edge windows. Pages not listed then open in an application guard container within Edge.

Windows10 – Configure Windows Settings Menu

Captain / 25. April 2017 / 1 Comment / Microsoft 365 Defender

Pirate,

With the Windows 10 Creators Update (1703) we have received a possibility to configure the “Windows Settings”. The Windows settings are the new, unified system control menu that was introduced with Windows 10. This menu is particularly critical because many of the Enterprise’s unsuitable features can be configured through this menu. This created the need to remove or hide specific settings.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Category: Microsoft 365 Defender

Pirate,

Pirate,