| #!/bin/bash | |
| #============================================================================ | |
| # | |
| # Copyright (c) 2021 Microsoft Corporation. All rights reserved. | |
| # | |
| # Abstract: | |
| # MDE installation script | |
| # - Fingerprinting OS and manually installs MDE as described in the online documentation | |
| # https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide |
You can check the update channel using the following command: mdatp --health releaseRing
If your device is not already in the InsiderSlow update channel, execute the following command from the Terminal. The channel update takes effect next time the product starts (when the next product update is installed or when the device is rebooted).
defaults write com.microsoft.autoupdate2 ChannelName InsiderSlow
| [Environment]::SetEnvironmentVariable("LOG4J_FORMAT_MSG_NO_LOOKUPS", $null, [EnvironmentVariableTarget]::Machine) |
| // CM Pivot for Defender Troubleshooting | |
| // Defender Event logs | |
| WinEvent('Microsoft-Windows-Windows Defender/Operational', 1d) | |
| // MDE Eent logs | |
| WinEvent('Microsoft-Windows-SENSE/Operational', 1d) | |
| // MDE Service Status | |
| Service | |
| | where Name == 'Sense' |
| $log4 = Get-log4files | |
| [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 | |
| $vulnerablesums = -split $(Invoke-WebRequest https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes/raw/main/sha256sums.txt -UseBasicParsing).content | ? {$_.length -eq 64} | |
| ($log4 | Select-Object).FH | Compare-Object -ReferenceObject $vulnerablesums -IncludeEqual | |
| [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 | |
| $chck = ((invoke-webrequest https://gist.githubusercontent.com/spasam/7b2b2e03c6dd7bd6f1029e88c7cc82ad/raw/ed104b9bed088c04069b3139ae9adbdc9b99b2ac/log4j-core.csv -UseBasicParsing).content | ConvertFrom-Csv -Delimiter "," | Select-Object).sha256 | |
| ($log4 | Select-Object).FH | Compare-Object -ReferenceObject $chck -IncludeEqual |
| Function Get-log4files(){ | |
| $Drives = Get-PSDrive | Select-Object -ExpandProperty 'Name' | Select-String -Pattern '^[a-e]$' | |
| $FileInfo = [System.Collections.ArrayList]::new() | |
| $Filetypes = @("*.jar") | |
| ForEach($DriveLetter in $Drives) | |
| { | |
| $Drive = "$DriveLetter" + ":\" | |
| $Log4Files = Get-ChildItem -Path $Drive -Filter "*log4j-core*" -Include $Filetypes -Recurse -File -ErrorAction SilentlyContinue | Select-Object FullName | |
| Foreach($file in $Log4Files) | |
| { |
https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt IP,Date of Detection,Host,Protocol,Beacon Config,Comment
Inspiration: https://azurecloudai.blog/2021/08/12/how-to-use-threatview-io-threat-intelligence-feeds-with-azure-sentinel/
// C2 Hunt Feed - Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io
// #IP,Date of Detection,Host,Protocol,Beacon Config,Comment
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.
Use the bellow queries when you get alerts from Microsoft Defender for Identity: Account enumeration reconnaissance on one endpoint
Example:
An actor on performed suspicious account enumeration, exposing while trying to access