Microsoft Defender Weekly Wrap - Issue #40
Happy Friday, everyone! Thanks for your continued support for this community and this newsletter.
We've had a flurry of new subscribers this week, so I want to welcome all the new readers. I hope this community effort meets and exceeds your expectations.
I noted in the last issue that I'll be heading off for a true vacation in the near future and there was a bit of hesitancy about whether the newsletter would deliver during that time. Those that have been here for a while know that this newsletter delivers every Friday without fail and has not missed an issue since the beginning.
I want to take a quick moment to thank those that have reached out to offer help and also make a big public, formal THANK YOU to my colleague Andrea Fisher, who will be stepping in and building and delivering the newsletter in my absence. You all are in wonderful hands, and I might add, you'll probably beg me not to come back. Andrea is awesome.
...
Many of you are already familiar with the Microsoft Security Insights show that a few of my colleagues and I host each Wednesday evening. For those not familiar, the hour-long dialog show introduces guests from various areas within Microsoft and some of our partners. It delivers live starting at 5pm EST every Wednesday. For those that miss the live event and miss asking live questions, the replay is available immediately after and the audio is delivered as a podcast the week after.
As an example, the next episode (117) is on August 31st, and features Kara Cole (CxE Program Manager) and Kim Griffiths (Program Manager for CxE and CAT). You can subscribe to the YouTube channel or set a notification to be reminded here: https://youtu.be/zkxgKQPUqsg
This one will be extra interesting as a recent guest, Gary Bushey, will be guest hosting. Kara is Gary's manager. Imagine trying to interview your own boss on a podcast.
I say all that to say this, for those that have been following along recently you've seen some interesting changes. We've recently changed our streaming platform to deliver to more people at once and begun to delve deeper into other engagement areas. This is in preparation for a Microsoft Security Insights conference we're planning in February 2023. More to come on that and, if this interests you, you can keep tabs on the updates in our just christened LinkedIn page: https://www.linkedin.com/company/microsoft-security-insights-show/
...
Hey all, for a limited time, there's a 20% discount on Must Learn KQL merch. Just enter KQLFRIENDS at checkout.
https://must-learn-kql.creator-spring.com
As always, all proceeds go to St. Jude
...
One last thought...
This week, forward this newsletter to at least one person. It could be a colleague, it could be a customer. Someone you know could benefit from it.
That's it from me for this week.
Talk soon.
-Rod
P.S. Yes...the wife is back from her vacation and I'm sleeping much, much better.
Things to Attend
Stop Ransomware with Microsoft Security 2022 — msthreatintelligencedigitalevent.eventcore.com
Register for the Stop Ransomware with Microsoft Security digital event to watch in-depth demos of the latest threat intelligence technology. Thursday, September 15, 2022, 9:00 AM – 10:30 AM Pacific Time (UTC-7)
Four Session Series Covering All Aspects of Microsoft Cyber Defense - Azure Cloud & AI Domain Blog — azurecloudai.blog We have a series of webinars coming up for those that are curious about Microsoft security and also those that are already on their journey to securing their environments using Microsoft security services. The series is delivered in chunks through late August and early October, allowing you to schedule your attendance to attend them all.
Things that are Related
Microsoft Learn modules for KQL — docs.microsoft.com Learn new skills and discover the power of Microsoft products with step-by-step guidance. Start your journey today by exploring our learning paths and modules.
15. MustLearnKQL - The Distinct Operator — www.youtube.com A demonstration of the Kusto Query Language distinct operator. Get the Ebook: https://github.com/rod-trent/MustLearnKQL/tree/main/Book_Version Get the Paperbac...
Section 3 – Design a Zero Trust strategy and architecture – Design an identity security strategy – Set-AzWebApp -name "Anything Microsoft and other stuff on the side" — www.cloudpartner.fi Cloud resources can be messy if not designed and maintained correctly. So here some tips for managing them.
Migrate advanced hunting queries from Microsoft Defender for Endpoint | Microsoft Docs — docs.microsoft.com Learn how to adjust your Microsoft Defender for Endpoint queries so you can use them in Microsoft 365 Defender
MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone - Microsoft Security Blog — www.microsoft.com Microsoft security researchers have discovered a post-compromise capability we’re calling MagicWeb, which is used by a threat actor we track as NOBELIUM to maintain persistent access to compromised environments. NOBELIUM remains highly active, executing multiple campaigns in parallel targeting government organizations, non-governmental organizations (NGOs), intergovernmental organizations (IGOs), and think tanks across the US, Europe, and Central Asia. The Microsoft Threat Intelligence Center (MSTIC) assesses that MagicWeb was likely deployed during an ongoing compromise and was leveraged by NOBELIUM possibly to maintain access during strategic remediation steps that could preempt eviction.
Things to Have
The Innovator’s Guide to Zero Trust Security
Keeping pace with a rapidly changing threat landscape—coupled with a growing skills gap and a shift to hybrid work models—requires a fresh approach.
Amazon.com: Cybersecurity: Attack and Defense Strategies: Improve your security posture to mitigate risks and prevent attackers from infiltrating your system, 3rd Edition eBook : Diogenes, Yuri, Ozkaya, Dr. Erdal: Kindle Store — www.amazon.com
Cyber Signals: Defend against the new ransomware landscape - Microsoft Security Blog — www.microsoft.com Today, Microsoft is excited to publish our second edition of Cyber Signals, spotlighting security trends and insights gathered from Microsoft’s 43 trillion security signals and 8,500 security experts. In this edition, we pull back the curtain on the evolving cybercrime economy and the rise of Ransomware-as-a-service (RaaS). Instead of relying on what cybercriminals say about themselves through extortion attempts, forum posts, or chat leaks, Microsoft threat intelligence gives us visibility into threat actors’ actions.
Defender for Endpoint Things
BLOG: Microsoft Defender for Endpoint - Block applications with Indicators - Microsoft Workplace Community Blog — www.msworkplace.blog Block applications with Indicators, Microsoft Defender for Endpoint, Defender ATP, Block Applications, certificate
BLOG: Uncovering a ChromeOS remote memory corruption vulnerability - Microsoft Security Blog — www.microsoft.com Microsoft discovered a memory corruption vulnerability in a ChromeOS component that can be triggered remotely, allowing attackers to perform either a denial-of-service (DoS) or, in extreme cases, remote code execution (RCE).
BLOG: How to deploy Attack Surface Reduction rules to Azure VMs using Azure Guest Configurations - Microsoft Tech Community — techcommunity.microsoft.com In rare cases where VMs are server OSs, non-domain joined, and not managed by SCCM or third-party management solutions, Azure Automation State Configuration or the new version of Azure DSC, using the guest configuration feature of Azure Policy, can be used as an alternative solution to centrally deploy ASR rules. Learn more about Azure Guest configuration.
Microsoft Defender for IoT Things
VIDEO: Critical Defense for IoT and OT environments: Microsoft Defender for IoT — www.youtube.com Cyber-attacks targeting IoT/IIoT, and ICS/OT environments have been realized. Today's active defense requires increased vigilance, stronger mitigation, syste...
Microsoft 365 Defender Things
BLOG: MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations - Microsoft Security Blog — www.microsoft.com In recent weeks, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team detected Iran-based threat actor MERCURY leveraging exploitation of Log4j 2 vulnerabilities in SysAid applications against organizations all located in Israel. MSTIC assesses with high confidence that MERCURY’s observed activity was affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
BLOG: How to Get the KQL Query Created by the New 365 Defender Query Builder - Azure Cloud & AI Domain Blog — azurecloudai.blog Hopefully, you didn't miss the latest news that the new KQL Query Builder for 365 Defender is in public preview. If you did miss it, check out: Hunt in Microsoft 365 Defender without KQL! KQL Query Builder This is exciting news and something that customers have asked for to match similar functionality of competitive products.
NEW: Hunt in Microsoft 365 Defender without KQL! - Microsoft Tech Community — techcommunity.microsoft.com Threat Hunting is critical to any effective Security Operations Center (SOC). Proactively hunting for threats strengthens the detection and protection
VIDEO: Microsoft 365 Security Basics: Deploy MFA (4 Options) — www.youtube.com Starting a new series of videos on M365 Security Basics. Where I will show you some quick wins for hardening your Microsoft 365 environment. The first and mo...
BLOG: Using Microsoft Security APIs for Incident Response - Part 1 - Microsoft Tech Community — techcommunity.microsoft.com This blog is part one of a three-part series focused on facilitating programmatic data pulls from Microsoft APIs. Data collection and analysis is one of
Defender for Cloud Apps Things
BLOG: Hunt for compromised Azure subscriptions using Microsoft Defender for Cloud Apps — techcommunity.microsoft.com In our present threat landscape, attackers are constantly trying to compromise organizations, each with their own set of motives. They may want to compromise accounts credentials to later sell, utilize compromised users to spread phishing campaigns, or even utilize the computing resources of the organization to deploy and run their own tooling. In this blog, we will describe how attackers can compromise Azure subscriptions and use them for malicious activities. In addition, we will share how Microsoft Defender for Cloud Apps data can help hunt for these activities and how to mitigate the risk of compromised subscriptions.
Microsoft Purview Things
BLOG: Data governance: 5 tips for holistic data protection - Microsoft Security Blog — www.microsoft.com Your data is a strategic asset. To benefit your business, data requires strict controls around structure, access, and lifecycle. However, most security leaders have doubts about data security—nearly 70 percent of chief information security officers (CISOs) expect to have their data compromised in a ransomware attack. Part of the problem lies in traditional data-management solutions, which tend to be overly complex with multiple unconnected, duplicative processes augmented with point-wise integrations. This patchwork approach can expose infrastructure gaps that attackers will exploit.
BLOG: Microsoft Purview Insider Risk Management | Admin Set-up Tutorial — techcommunity.microsoft.com Measuring and addressing risks in your organization is key. Get a better understanding of potential data leakage or exfiltration with Microsoft Purview Insider Risk Management.
BLOG: Co-authoring for files with sensitivity labels is now generally available on Android and iOS devices - Microsoft Tech Community — techcommunity.microsoft.com With hybrid work here to stay, organizations are increasingly looking for ways to facilitate seamless collaboration among workgroups and across
BLOG: Microsoft Purview DevOps policies enable at scale access provisioning for IT operations - Microsoft Tech Community — techcommunity.microsoft.com Microsoft Purview access policies enable customers to manage access to different data systems across their entire data estate, all from a central location
Defender for Office Things
BLOG: Introducing tenant blocks via admin submissions - Microsoft Tech Community — techcommunity.microsoft.com We are excited to announce that you can now block suspicious entities when submitting emails, URLs, or attachments for Microsoft to review. In the
Windows Defender Things
BLOG: How to Verify the Most Current Defender AV Security Intelligence Update Versions on the Web - Azure Cloud & AI Domain Blog — azurecloudai.blog Curious if you have the most current versions of the Defender Antivirus and other Microsoft antimalware updates? Go here: Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware - Microsoft Security Intelligence Then surf down about the middle of the page to locate the following section... Incidentally, the page also provides the
BLOG: Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks - Microsoft Security Blog — www.microsoft.com Microsoft has observed the Sliver command-and-control (C2) framework now being adopted and integrated in intrusion campaigns by nation-state threat actors, cybercrime groups directly supporting ransomware and extortion, and other threat actors to evade detection. We’ve seen these actors use Sliver with—or as a replacement for—Cobalt Strike. Given Cobalt Strike’s popularity as an attack tool, defenses against it have also improved over time. Sliver thus presents an attractive alternative for actors looking for a lesser-known toolset with a low barrier for entry.