From f761aa0ca35e9c0ce2e97be345e477c819f4d7ef Mon Sep 17 00:00:00 2001 From: lomayor Date: Wed, 28 Feb 2018 17:50:42 +1100 Subject: [PATCH 1/5] Added simulation topic --- ...ows-defender-advanced-threat-protection.md | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..d54abefc95 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,44 @@ +--- +title: Experience Windows Defender ATP through simulated attacks +description: Run the provided attack scenario simulations to experience how Windows Defender ATP can detect, investigate, and respond to breaches. +keywords: wdatp, test, scenario, attack, simulation, simulated, diy, windows defender advanced threat protection +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: high +ms.date: 28/02/2018 +--- + +# Experience Windows Defender ATP through simulated attacks + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +**Preparations** + +To run the provided simulations, you need at least [one onboarded machine](onboard-configure-windows-defender-advanced-threat-protection.md). + +Before running a simulation, ensure you read the walkthrough document provided with each attack scenario. The document provides detailed instructions as well as specific endpoint OS and application requirements. In general, running the latest Windows build on the test machine helps ensure compatibility. + +**Run the simulations** + +1. Select your desired simulation scenario from from **Help** > **Simulations and tutorials**. + +2. Download and read the corresponding walkthrough document thoroughly. The document outlines the nature of the simulation and what you can do to fully experience the scenario. + +3. Access **Simulation and tutorials** from the onboarded test machine. From that machine, download the simulation file or copy the simulation script. + +4. Run the simulation file or script on the test machine as instructed in the walkthrough document. 
+ +## Related topics +- [Onboard and set up Windows Defender ATP](onboard-configure-windows-defender-advanced-threat-protection.md) +- [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) \ No newline at end of file From 5b4dfc77fa8cb48e8f08b2ddd2ef65c33bb192c7 Mon Sep 17 00:00:00 2001 From: lomayor Date: Wed, 28 Feb 2018 18:16:20 +1100 Subject: [PATCH 2/5] Added toc entry for attack simulations, updated topic --- windows/security/threat-protection/TOC.md | 1 + ...mulations-windows-defender-advanced-threat-protection.md | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index fdfc93411b..1ec6b4c431 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -34,6 +34,7 @@ #### [Configure server endpoints](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md) #### [Configure non-Windows endpoints](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) #### [Run a detection test on a newly onboarded endpoint](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md) +#### [Run simulated attacks](windows-defender-atp\attack-simulations-windows-defender-advanced-threat-protection.md) #### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md) #### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) ### [Understand the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md index d54abefc95..9b09e550ba 100644 --- a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.date: 28/02/2018 --- -# Experience Windows Defender ATP through simulated attacks +# Experience Windows Defender ATP through simulated attacks **Applies to:** @@ -23,13 +23,13 @@ ms.date: 28/02/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -**Preparations** +## Preparations To run the provided simulations, you need at least [one onboarded machine](onboard-configure-windows-defender-advanced-threat-protection.md). Before running a simulation, ensure you read the walkthrough document provided with each attack scenario. The document provides detailed instructions as well as specific endpoint OS and application requirements. In general, running the latest Windows build on the test machine helps ensure compatibility. -**Run the simulations** +## Run a simulation 1. Select your desired simulation scenario from from **Help** > **Simulations and tutorials**. From 0d2d6005996e7ac9195e96219342205ba53f2a4c Mon Sep 17 00:00:00 2001 From: lomayor Date: Wed, 28 Feb 2018 19:36:45 +1100 Subject: [PATCH 3/5] Tweaks to attack simulation --- ...ions-windows-defender-advanced-threat-protection.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md index 9b09e550ba..588c5ca2a6 100644 --- a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md 
@@ -25,17 +25,17 @@ ms.date: 28/02/2018 ## Preparations -To run the provided simulations, you need at least [one onboarded machine](onboard-configure-windows-defender-advanced-threat-protection.md). +To run any of the provided simulations, you need at least [one onboarded machine](onboard-configure-windows-defender-advanced-threat-protection.md). -Before running a simulation, ensure you read the walkthrough document provided with each attack scenario. The document provides detailed instructions as well as specific endpoint OS and application requirements. In general, running the latest Windows build on the test machine helps ensure compatibility. +Read the walkthrough document provided with each attack scenario. Each document includes OS and application requirements as well as detailed instructions that are specific to an attack scenario. ## Run a simulation -1. Select your desired simulation scenario from from **Help** > **Simulations and tutorials**. +1. In **Help** > **Simulations & tutorials**, select the attack scenario you would like to simulate. -2. Download and read the corresponding walkthrough document thoroughly. The document outlines the nature of the simulation and what you can do to fully experience the scenario. +2. Download and read the corresponding walkthrough document provided with your selected scenario. -3. Access **Simulation and tutorials** from the onboarded test machine. From that machine, download the simulation file or copy the simulation script. +3. Use the onboarded test machine to access then the Windows Defender ATP portal and go to **Help** > **Simulations & tutorials**. From there, download the simulation file or copy the simulation script. 4. Run the simulation file or script on the test machine as instructed in the walkthrough document. From 03bc79fe15040a56f98a397fa1d66b66b0dac612 Mon Sep 17 00:00:00 2001 
From: lomayor Date: Thu, 1 Mar 2018 12:30:33 +1100 Subject: [PATCH 4/5] Added more content to attack simulations --- ...windows-defender-advanced-threat-protection.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md index 588c5ca2a6..3c4deac0bb 100644 --- a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md @@ -23,7 +23,9 @@ ms.date: 28/02/2018 - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -## Preparations +You might want to experience Windows Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Windows Defender ATP surfaces malicious activity and explore how it enables an efficient response. + +## Before you begin To run any of the provided simulations, you need at least [one onboarded machine](onboard-configure-windows-defender-advanced-threat-protection.md). 
@@ -31,7 +33,13 @@ Read the walkthrough document provided with each attack scenario. Each document ## Run a simulation -1. In **Help** > **Simulations & tutorials**, select the attack scenario you would like to simulate. +1. In **Help** > **Simulations & tutorials**, select which of the available attack scenario you would like to simulate: + + - **Scenario 1: Document drops backdoor** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and machine learning detection of malicious memory activity. + + - **Scenario 2: PowerShell script in fileless attack** - simulates delivery of a socially engineered lure document. The document launches a specially crafted backdoor that gives attackers control. + + - **Scenario 3: Automated incident response** - triggers Automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity. 2. Download and read the corresponding walkthrough document provided with your selected scenario. @@ -39,6 +47,9 @@ Read the walkthrough document provided with each attack scenario. Each document 4. Run the simulation file or script on the test machine as instructed in the walkthrough document. +>[!NOTE] +>Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise to your test machine. + ## Related topics - [Onboard and set up Windows Defender ATP](onboard-configure-windows-defender-advanced-threat-protection.md) - [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) \ No newline at end of file From 00c5a06a5b3b6a250db3ad953f288da66f2820f8 Mon Sep 17 00:00:00 2001 From: lomayor Date: Thu, 1 Mar 2018 15:33:53 +1100 Subject: [PATCH 5/5] More tweaks --- ...lations-windows-defender-advanced-threat-protection.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md index 3c4deac0bb..22e955398f 100644 --- a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md @@ -33,11 +33,11 @@ Read the walkthrough document provided with each attack scenario. Each document ## Run a simulation -1. In **Help** > **Simulations & tutorials**, select which of the available attack scenario you would like to simulate: +1. In **Help** > **Simulations & tutorials**, select which of the available attack scenarios you would like to simulate: - - **Scenario 1: Document drops backdoor** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and machine learning detection of malicious memory activity. + - **Scenario 1: Document drops backdoor** - simulates delivery of a socially engineered lure document. The document launches a specially crafted backdoor that gives attackers control. - - **Scenario 2: PowerShell script in fileless attack** - simulates delivery of a socially engineered lure document. The document launches a specially crafted backdoor that gives attackers control. + - **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and machine learning detection of malicious memory activity. - **Scenario 3: Automated incident response** - triggers Automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity. 
@@ -48,7 +48,7 @@ Read the walkthrough document provided with each attack scenario. Each document 4. Run the simulation file or script on the test machine as instructed in the walkthrough document. >[!NOTE] ->Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise to your test machine. +>Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test machine. ## Related topics - [Onboard and set up Windows Defender ATP](onboard-configure-windows-defender-advanced-threat-protection.md)
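Review bot: In PATCH 1/5, the front matter line `ms.date: 28/02/2018` is day-first, but the `ms.date` field in this repo is month-first (MM/DD/YYYY), so `28` will be read as the month and fail validation at build time. Change it to `ms.date: 02/28/2018`. Same hunk: the new file ends with `\ No newline at end of file` after the second Related topics link, and none of the later patches adds one; add a trailing newline.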
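Review bot: In PATCH 3/5, step 3 has a word-order error, `Use the onboarded test machine to access then the Windows Defender ATP portal`, and neither PATCH 4/5 nor PATCH 5/5 touches this line, so it ships as written. Suggest: `From the onboarded test machine, open the Windows Defender ATP portal and go to **Help** > **Simulations & tutorials**. From there, download the simulation file or copy the simulation script.`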
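Review bot: In the scenario list hunk of PATCH 4/5 the two descriptions are attached to the wrong titles: **Scenario 1: Document drops backdoor** is described as a fileless attack that relies on PowerShell, and **Scenario 2: PowerShell script in fileless attack** as delivery of a lure document. PATCH 5/5 swaps them back, so the series ends correct, but the fix belongs squashed into this commit so that no intermediate revision publishes the wrong mapping. The same hunk's `select which of the available attack scenario` needs the plural `scenarios` (also fixed in 5/5).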
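Review bot: In the second hunk of PATCH 5/5, the note `Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test machine` understates the side effects a reader should expect. The topic exists to show Windows Defender ATP detecting and responding to the activity, so every scenario raises alerts in the portal, and Scenario 3 is described two hunks earlier as triggering Automated investigation, which `automatically hunts for and remediates breach artifacts`. Suggest extending the note to say that alerts will be generated and that remediation actions may be taken on the machine, and stating in **Before you begin** that the onboarded machine used for simulations should be a dedicated, non-production test machine rather than a user's workstation.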