defender for endpoint |

Tag Archives: defender for endpoint

Pink Thumb 2023

Posted on December 9, 2022 by Jan Geisbauer Leave a comment

Pink Thumb 2023

– displays a pink thumb on pages you consider save

– warns on untrusted websites that contain a password field

– has a secret defender for endpoint feature

Main Articles

Jumphost Security

Posted on July 7, 2022 by Jan Geisbauer One comment

Let’s go quickly through an example in which an attacker has code execution on a Windows 10 box and opens a proxy channel to an attacker machine. The attacker then uses ‘proxychains’ which ingests all network output from defined tools on the attacker machine into the proxy tunnel to the Windows 10 box.

With that, we will be able to start an RDP session on the attacker machine, proxy it through the Win10 machine to the local Domain Controller.

The result of that is a Domain Controller that only sees an RDP connection coming from the Win10 box and no MSTSC process on this Win10 box. Please, read the last sentence again. This makes the detection of the attacker steps harder

Main Articles

MDE Hunting 101

Posted on March 27, 2022 by Jan Geisbauer One comment

People that start working with Defender for Endpoint (MDE) often ask the question “where should I start when I see an alert in MDE?”. There is lot of valuable information available in the portal to help judge if an alert is a real incident or a false positive. Additionally, you can query the raw telemetry via KQL. But there is still lot of room for interpretation. So, what should you do to get started? And what is even more important: how do I keep the overview?

Main Articles

hunting phish

Posted on July 16, 2021 by Jan Geisbauer One comment

With Microsoft 365 Defender, we not only know that a phishing link was received but also that the user clicked on it – however, what we do not know is: if the user provided his credentials to the shady site he clicked on. How do we handle such alerts?

Main Articles