We saw all the indicators previously added by Defender for Cloud removed. Also a thread over on the DefenderATP subreddit discussing this.
21 Jul 2024
🚧WiP🚧 Pushed another folder on my repo for detection rules/queries based on the Defender-logged Windows API telemetry data. github.com/0xAnalyst/Defende… #ThreatHunting #KQL #DefenderATP #ATP Check filename for what to keep as query. Rest of the API functions to follow

15 Jul 2024
🚧WiP🚧 I have pushed a folder on my repo for ASR rules. Enable ASR rules on audit mode before deploying the rules. Will be publishing my exclusion list to the same folder github.com/0xAnalyst/Defende… #ThreatHunting #KQL #DefenderATP #ATP Check filename for what to keep as query

11 Jul 2024
14 new KQL queries/Detection Rules added to my KQL repo, all based on Sigma rules for Linux github.com/0xAnalyst/Defende… I used ChatGPT to document the rules / explain the KQL queries #SIGMA #KQL #ThreatHunting #DefenderATP #Defender

20 Dec 2023
🚧WiP🚧 I'm sharing some of the #DetectionEngineering rules I have worked on in the past 2 years on #DefenderATP. These rules were derived from CTI reports, Twitter, etc., as well as the areas in the MITRE evaluation where Defender was lacking #threathunting github.com/0xAnalyst/Defende…
Replying to @SwiftOnSecurity
It's been a few months but I definitely had all Microsoft related AppIDs, including DefenderATP, working with strict allow-list configs at a previous gig. It is possible if you hate yourself enough to try and enjoy frustration.
Also, per PaloAlto support their "AppID" tech does not work for DefenderATP unless you blanket-allow all web traffic to the internet. InfoSec loves preaching "default-deny" but doing this in practice takes immense dedication and skill and ongoing governance.
Microsoft blogged recently where DefenderATP had alarms about a ransomware actor weeks before attack, but nobody was watching or understood. Your security tools will often see this coming. The reason they aren't heeded is because you are actually special. microsoft.com/en-us/security…

ProTip: If you get suspicious connections blocked in DefenderATP all the time, you need to deploy uBlock Origin adblocking. Never seen a suspicious connection from a browser with it deployed.
19 May 2022
New Defender ATP alert: "Gallium Actor activity detected". Seems to be falsely identifying Visual Studio DLL files as malware; anyone else seeing this? #DefenderATP
New Reporting Functionality for Device Control and Windows Defender Firewall techcommunity.microsoft.com/… #MSExpertTalk #DefenderATP #MSFTSecurity #MicrosoftDefender #ThreatProtection

Azure ATP requires downloading a sensor, while Sentinel and DefenderATP require the MMA.
When onboarding Windows Server 2016 via the Azure Security Console, you only need to install the MMA. If you are using Windows Server 2019, is a local script required, as with W10?
Did anyone else get juked by Microsoft Defender flagging Office updates (specifically VSS shadow deletes IIRC) as Ransomware? #Microsoft #DefenderATP #MicrosoftDefender #IncidentResponse #DFIR
This technique already existed back when I was doing serious vulnerability assessments with Empire. Why only now? Of course, if you have an XDR like FireEye or DefenderATP deployed, it's easy to detect. But when I discovered for myself that OneDrive could be abused, I shuddered (^^; I think it's a considerable threat. blogs.mcafee.jp/prime-minist…

27 Oct 2021
It's good that DefenderATP was integrated into Microsoft 365 Defender, but the management console was merged too and it's really hard to read.
I spend a lot of my time working with businesses in regulated industries to get ready for #ISO 27001 and SOC2 certification. The @Azure product offering is solid. Would love to chat with folks on the same journey #DataSecurity #CyberSecurity #Zerotrust #EndpointSecurity #DefenderATP