You can check the update channel using the following command: mdatp --health releaseRing
If your device is not already in the InsiderSlow update channel, execute the following command from the Terminal. The channel update takes effect next time the product starts (when the next product update is installed or when the device is rebooted).
defaults write com.microsoft.autoupdate2 ChannelName InsiderSlow
| [Environment]::SetEnvironmentVariable("LOG4J_FORMAT_MSG_NO_LOOKUPS", $null, [EnvironmentVariableTarget]::Machine) |
| // CM Pivot for Defender Troubleshooting | |
| // Defender Event logs | |
| WinEvent('Microsoft-Windows-Windows Defender/Operational', 1d) | |
| // MDE Eent logs | |
| WinEvent('Microsoft-Windows-SENSE/Operational', 1d) | |
| // MDE Service Status | |
| Service | |
| | where Name == 'Sense' |
| $log4 = Get-log4files | |
| [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 | |
| $vulnerablesums = -split $(Invoke-WebRequest https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes/raw/main/sha256sums.txt -UseBasicParsing).content | ? {$_.length -eq 64} | |
| ($log4 | Select-Object).FH | Compare-Object -ReferenceObject $vulnerablesums -IncludeEqual | |
| [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 | |
| $chck = ((invoke-webrequest https://gist.githubusercontent.com/spasam/7b2b2e03c6dd7bd6f1029e88c7cc82ad/raw/ed104b9bed088c04069b3139ae9adbdc9b99b2ac/log4j-core.csv -UseBasicParsing).content | ConvertFrom-Csv -Delimiter "," | Select-Object).sha256 | |
| ($log4 | Select-Object).FH | Compare-Object -ReferenceObject $chck -IncludeEqual |
| Function Get-log4files(){ | |
| $Drives = Get-PSDrive | Select-Object -ExpandProperty 'Name' | Select-String -Pattern '^[a-e]$' | |
| $FileInfo = [System.Collections.ArrayList]::new() | |
| $Filetypes = @("*.jar") | |
| ForEach($DriveLetter in $Drives) | |
| { | |
| $Drive = "$DriveLetter" + ":\" | |
| $Log4Files = Get-ChildItem -Path $Drive -Filter "*log4j-core*" -Include $Filetypes -Recurse -File -ErrorAction SilentlyContinue | Select-Object FullName | |
| Foreach($file in $Log4Files) | |
| { |
https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt IP,Date of Detection,Host,Protocol,Beacon Config,Comment
Inspiration: https://azurecloudai.blog/2021/08/12/how-to-use-threatview-io-threat-intelligence-feeds-with-azure-sentinel/
// C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io
// #IP,Date of Detection,Host,Protocol,Beacon Config,Comment
Use the below query to detect Windows Defender exclusion changes.
// T1562.001 - Impair Defenses: Disable or Modify Tools
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.
Use the bellow queries when you get alerts from Microsoft Defender for Identity: Account enumeration reconnaissance on one endpoint
Example:
An actor on performed suspicious account enumeration, exposing while trying to access
Use the below advanced hunting queries to detect when scripts are added/modified within the SYSVOL share and Group Policy logon scripts executed on clients.
// scripts added/modified in SSYSVVOL
| // Use the below query to find the Microsoft Endpoint Configuration Manager - CMPivot initiated queries executed on devices | |
| // Microsoft Endpoint Configuration Manager | |
| DeviceEvents | |
| // | where DeviceName == "client01.corp.net" | |
| | where ActionType == "PowerShellCommand" | |
| | where InitiatingProcessCommandLine contains @"C:\windows\CCM\ScriptStore" | |
| | extend pcommand = parse_command_line(InitiatingProcessCommandLine, "windows") | |
| | where pcommand contains "-wmiquery" | |
| | extend pcommand2 = split(pcommand, "-wmiquery") | |
| | mv-expand pcommand2 |