Work and live with IT

Defender for Endpoint - Did the Antivirus scan complete?

Microsoft Defender for Endpoint has great automation capabilities and you can alert using custom detection rules. Put that together and you can trigger many on-client events using those custom detection. This could be to isolate the device from the network, start an automated investigation, collect an investigation package, restrict app execution or run an full antivirus scan on the device in question. But how do you know if Microsoft Defender Antivirus has finished to scan the device?

Persistence with Azure Policy Guest Configuration

Azure Policy enables administrators to define, enforce and remediate configuration standards on Azure resources and even on non Azure assets using Azure Arc. One key feature, that was released in 2021, is the guest configuration feature of Azure Policy. Basically, this is the new implementation of Azure Automation State Configuration or as it is widely known PowerShell Desired State Configuration (DSC). Microsoft states this on the product page very clearly.

Exploit samAccountName spoofing with Kerberos

When Microsoft released the November 2021 patches, the following CVEs caught the eye of many security professionals because they allow impersonation of a domain controller in an Active Directory environment. CVE-2021-42278 - KB5008102 Active Directory Security Accounts Manager hardening changes CVE-2021-42278 addresses a security bypass vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing. CVE-2021-42287 KB5008380 Authentication updates CVE-2021-42287 addresses a security bypass vulnerability that affects the Kerberos Privilege Attribute Certificate (PAC) and allows potential attackers to impersonate domain controllers.

Vortrag @ Trust in Tech Cologne

Am Dienstag, den 14. Dezember, werde ich beim virtuellen Meetup Trust in Tech Cologne sprechen. Das Thema meines Vortrags ist Protect your endpoint from known C2 Feodo servers". Ausblick As Emotet is back from the dead the cyber security landscape is getting even more dangerous as before. Thankfully open projects like Feodo Tracker provide information about active C2 servers. Learn how you can utilize the provided Indicators of Compromise, Microsoft Defender for Endpoint and Azure Automation to add an additional layer of security for your endpoints.

Just-In-Time role assignment in Microsoft Defender

Lange Zeit war die Zuweisung mehrerer Azure AD-Rollen an einen Benutzer eine mühsame Aufgabe, wenn diese nicht über ein Skript erfolgte. Jede Rollenzuweisung musste einzeln vorgenommen werden. Dies machte es auch schwierig, Rollenzuweisungen für eine Gruppe von Personen zu ändern. Das alles änderte sich, als Microsoft Azure AD rollenzuweisbare Gruppen einführte. Es ist nun möglich, einer Gruppe mehrere Rollen zuzuweisen und die Benutzer zu dieser Gruppe hinzuzufügen. Das macht es viel einfacher, diese Rollenzuweisungen zu verwalten.