Use the query below to detect Windows Defender exclusion changes.
// T1562.001 - Impair Defenses: Disable or Modify Tools
let ADAZUsers = IdentityInfo | |
| extend DirectoryDomain = AccountDomain | |
| extend DirectoryAccount = AccountName | |
| distinct DirectoryDomain , DirectoryAccount , OnPremSid , CloudSid, AccountUpn, GivenName, Surname; | |
// check for any newly created or modified local accounts | |
let NewUsers = DeviceEvents | |
| where ActionType contains "UserAccountCreated" // or ActionType contains "UserAccountModified" | |
| extend lUserAdded = AccountName | |
| extend NewUserSID = AccountSid | |
| extend laccountdomain = AccountDomain |
function Get-DefenderATPStatus | |
{ | |
<# | |
.SYNOPSIS | |
Get-DefenderATPStatus | |
.DESCRIPTION | |
Get-DefenderATPStatus retrieves the status of Windows Defender ATP | |
.PARAMETER Computername |
// Inspiration from https://github.com/jangeisbauer/AdvancedHunting/blob/master/hunt_for_lolbins just changed Processes to Networkevents | |
// T1218 Living off the land binaries connecting to the internet | |
// network activities with lolbins | |
DeviceNetworkEvents | |
| where RemoteIPType == 'Public' | |
| where InitiatingProcessFileName contains "Atbroker.exe" or | |
InitiatingProcessFileName contains "Bash.exe" or | |
InitiatingProcessFileName contains "Bitsadmin.exe" or | |
InitiatingProcessFileName contains "Certutil.exe" or | |
InitiatingProcessFileName contains "Cmdkey.exe" or |
https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt IP,Date of Detection,Host,Protocol,Beacon Config,Comment
Inspiration: https://azurecloudai.blog/2021/08/12/how-to-use-threatview-io-threat-intelligence-feeds-with-azure-sentinel/
// C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io
// #IP,Date of Detection,Host,Protocol,Beacon Config,Comment
// code used in https://www.verboon.info/2019/11/how-to-generate-a-monthly-defender-atp-threat-and-vulnerability-report/ | |
// Purpose: list each vulnerable software/version pair seen in the TVM inventory together with
// the CVE details from the vulnerability knowledge base, one row per (software, version, CVE).
// Left side: per-device inventory findings, narrowed to the columns needed for the join and report.
DeviceTvmSoftwareInventoryVulnerabilities | |
| project DeviceName, SoftwareName, CveId, SoftwareVersion, VulnerabilitySeverityLevel | |
// Right side: CVE metadata (description, CVSS score, exploit availability) keyed by CveId.
// NOTE(review): no join kind is given, so the default Kusto join semantics apply — confirm the
// default (innerunique) is acceptable, since it deduplicates left-side rows on the key.
| join (DeviceTvmSoftwareVulnerabilitiesKB | |
| project AffectedSoftware, VulnerabilityDescription , CveId , CvssScore , IsExploitAvailable | |
) | |
on CveId | |
// DeviceName is dropped here, so the result is per software/version, not per device.
| project CveId , SoftwareName , SoftwareVersion , VulnerabilityDescription , VulnerabilitySeverityLevel, IsExploitAvailable , CvssScore | |
// distinct defines the final column set: CvssScore is projected above but not listed here,
// so it does not appear in the output (only severity level and IsExploitAvailable remain
// for prioritisation).
| distinct SoftwareName , SoftwareVersion, CveId, VulnerabilityDescription , VulnerabilitySeverityLevel, IsExploitAvailable | |
// Group the report by product name, then by version.
| sort by SoftwareName asc , SoftwareVersion |
Function Export-CMScriptResults | |
{ | |
<# | |
.Synopsis | |
Export-CMScriptResults | |
.DESCRIPTION | |
Export-CMScriptResults exports the return values from scripts that are executed | |
through the ConfigMgr Run Script feature. | |
.PARAMETER ScriptName | |
The name of the Script as it is displayed within the ConfigMgr Console. |
#!/bin/bash | |
#============================================================================ | |
# | |
# Copyright (c) 2021 Microsoft Corporation. All rights reserved. | |
# | |
# Abstract: | |
# MDE installation script | |
# - Fingerprints the OS and manually installs MDE as described in the online documentation | |
# https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide |
function Import-SecurityBaselineGPO | |
<# | |
.Synopsis | |
Import-SecurityBaselineGPO | |
.DESCRIPTION | |
Import-SecurityBaselineGPO | |
.PARAMETER GPOBackupPath | |
The path that contains the Security baselines GPO backup | |
.EXAMPLE |
// The query below attempts to get the average size in MB per client that is sent from Microsoft Defender for Endpoint to Azure Sentinel when using the M365 Defender connector | |
// The calculation is done as follows: | |
// 1. Collect the Usage data for the specified table from the Usage table, for example 'DeviceFileEvents' | |
// 2. Collect the total # of devices that submitted information into the specified table, for example 'DeviceFileEvents' | |
// 3. Divide the total BillableDataGB per DataType by the total number of devices that send data to get the average MB sent per client | |
// 4. Finally 'union' all tables | |
let xagotime = 32d; | |
let xstarttime = 31d; | |
// File Events |