mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-24 06:43:38 +00:00
Merge branch 'master' into doom
This commit is contained in:
Joey Caparas
@ -42,7 +42,7 @@ The following tables provide more information about the hardware, firmware, and
|
||||
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
|
||||
| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
|
||||
| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
|
||||
| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.</p></blockquote> | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
|
||||
| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.</p></blockquote> | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
|
||||
|
||||
> **Important** The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.
|
||||
|
||||
@ -75,6 +75,6 @@ The following tables describe additional hardware and firmware qualifications, a
|
||||
|
||||
| Protections for Improved Security | Description | Security benefits |
|
||||
|---------------------------------------------|----------------------------------------------------|------|
|
||||
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.<br>• UEFI runtime service must meet these requirements: <br> • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br> • PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br> • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br> • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br> • No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and exceutable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware. |
|
||||
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.<br>• UEFI runtime service must meet these requirements: <br> • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br> • PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br> • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br> • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br> • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and executable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware. |
|
||||
| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.<br>• Blocks additional security attacks against SMM. |
|
||||
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# Advanced hunting query best practices
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# DeviceEvents
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# DeviceFileEvents
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# DeviceImageLoadEvents
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# DeviceInfo
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# DeviceLogonEvents
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# DeviceNetworkEvents
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# DeviceNetworkInfo
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# DeviceProcessEvents
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# DeviceRegistryEvents
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# Learn the advanced hunting query language
|
||||
@ -32,64 +31,87 @@ Advanced hunting is based on the [Kusto query language](https://docs.microsoft.c
|
||||
In Microsoft Defender Security Center, go to **Advanced hunting** to run your first query. Use the following example:
|
||||
|
||||
```kusto
|
||||
// Finds PowerShell execution events that could involve a download.
|
||||
DeviceProcessEvents
|
||||
// Finds PowerShell execution events that could involve a download
|
||||
union DeviceProcessEvents, DeviceNetworkEvents
|
||||
| where Timestamp > ago(7d)
|
||||
| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
|
||||
| where ProcessCommandLine has "Net.WebClient"
|
||||
or ProcessCommandLine has "DownloadFile"
|
||||
or ProcessCommandLine has "Invoke-WebRequest"
|
||||
or ProcessCommandLine has "Invoke-Shellcode"
|
||||
or ProcessCommandLine contains "http:"
|
||||
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
|
||||
// Pivoting on PowerShell processes
|
||||
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
|
||||
// Suspicious commands
|
||||
| where ProcessCommandLine has_any("WebClient",
|
||||
"DownloadFile",
|
||||
"DownloadData",
|
||||
"DownloadString",
|
||||
"WebRequest",
|
||||
"Shellcode",
|
||||
"http",
|
||||
"https")
|
||||
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
|
||||
FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
|
||||
| top 100 by Timestamp
|
||||
```
|
||||
|
||||
This is how it will look like in advanced hunting.
|
||||
|
||||
|
||||
|
||||
|
||||
### Describe the query and specify the table to search
|
||||
The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization.
|
||||
|
||||
### Describe the query and specify the tables to search
|
||||
A short comment has been added to the beginning of the query to describe what it is for. This helps if you later decide to save the query and share it with others in your organization.
|
||||
|
||||
```kusto
|
||||
// Finds PowerShell execution events that could involve a download.
|
||||
DeviceProcessEvents
|
||||
// Finds PowerShell execution events that could involve a download
|
||||
```
|
||||
|
||||
The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding with the table name `DeviceProcessEvents` and add piped elements as needed.
|
||||
The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by creating a union of two tables, `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed.
|
||||
|
||||
```kusto
|
||||
union DeviceProcessEvents, DeviceNetworkEvents
|
||||
```
|
||||
### Set the time range
|
||||
The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
|
||||
The first piped element is a time filter scoped to the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
|
||||
|
||||
```kusto
|
||||
| where Timestamp > ago(7d)
|
||||
```
|
||||
### Search for specific executable files
|
||||
The time range is immediately followed by a search for files representing the PowerShell application.
|
||||
|
||||
```kusto
|
||||
| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
|
||||
### Check specific processes
|
||||
The time range is immediately followed by a search for process file names representing the PowerShell application.
|
||||
|
||||
```
|
||||
### Search for specific command lines
|
||||
Afterwards, the query looks for command lines that are typically used with PowerShell to download files.
|
||||
|
||||
```kusto
|
||||
| where ProcessCommandLine has "Net.WebClient"
|
||||
or ProcessCommandLine has "DownloadFile"
|
||||
or ProcessCommandLine has "Invoke-WebRequest"
|
||||
or ProcessCommandLine has "Invoke-Shellcode"
|
||||
or ProcessCommandLine contains "http:"
|
||||
// Pivoting on PowerShell processes
|
||||
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
|
||||
```
|
||||
### Select result columns and length
|
||||
Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process.
|
||||
|
||||
### Search for specific command strings
|
||||
Afterwards, the query looks for strings in command lines that are typically used to download files using PowerShell.
|
||||
|
||||
```kusto
|
||||
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
|
||||
// Suspicious commands
|
||||
| where ProcessCommandLine has_any("WebClient",
|
||||
"DownloadFile",
|
||||
"DownloadData",
|
||||
"DownloadString",
|
||||
"WebRequest",
|
||||
"Shellcode",
|
||||
"http",
|
||||
"https")
|
||||
```
|
||||
|
||||
### Customize result columns and length
|
||||
Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process.
|
||||
|
||||
```kusto
|
||||
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
|
||||
FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
|
||||
| top 100 by Timestamp
|
||||
```
|
||||
|
||||
Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results.
|
||||
Click **Run query** to see the results. Select the expand icon at the top right of the query editor to focus on your hunting query and the results.
|
||||
|
||||
|
||||
|
||||
>[!TIP]
|
||||
>You can view query results as charts and quickly adjust filters. For guidance, [read about working with query results](advanced-hunting-query-results.md)
|
||||
|
||||
## Learn common query operators for advanced hunting
|
||||
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 10/08/2019
|
||||
---
|
||||
|
||||
# Use shared queries in advanced hunting
|
||||
|
||||
@ -15,7 +15,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 04/24/2018
|
||||
ms.date: 03/27/2020
|
||||
---
|
||||
|
||||
# View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
|
||||
@ -27,6 +27,9 @@ ms.date: 04/24/2018
|
||||
|
||||
The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top of the list, helping you see the most recent alerts first.
|
||||
|
||||
>[!NOTE]
|
||||
>The alerts queue is significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a machine that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).
|
||||
|
||||
There are several options you can choose from to customize the alerts queue view.
|
||||
|
||||
On the top navigation you can:
|
||||
@ -45,10 +48,10 @@ You can apply the following filters to limit the list of alerts and get a more f
|
||||
|
||||
Alert severity | Description
|
||||
:---|:---
|
||||
High </br>(Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on machines.
|
||||
Medium </br>(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
|
||||
Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
|
||||
Informational </br>(Grey) | Informational alerts are those that might not be considered harmful to the network but might be good to keep track of.
|
||||
High </br>(Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on machines. Some examples of these are credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
|
||||
Medium </br>(Orange) | Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.
|
||||
Low </br>(Yellow) | Alerts on threats associated with prevalent malware, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.
|
||||
Informational </br>(Grey) | Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.
|
||||
|
||||
#### Understanding alert severity
|
||||
It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes.
|
||||
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 26 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 57 KiB |
Binary file not shown.
|
Before Width: | Height: | Size: 36 KiB |
@ -81,6 +81,9 @@ The following are examples of scenarios in which AppLocker can be used:
|
||||
- Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
|
||||
- In addition to other measures, you need to control the access to sensitive data through app usage.
|
||||
|
||||
> [!NOTE]
|
||||
> AppLocker is a defense-in-depth security feature and **not** a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
|
||||
|
||||
AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies.
|
||||
|
||||
## Installing AppLocker
|
||||
|
||||
Reference in New Issue
Block a user