diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 863e6b22b7..bf51ddcd42 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1353,7 +1353,7 @@ }, { "source_path": "windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md", -"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-siem", "redirect_document_id": false }, { diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index d65cca5636..50032d076f 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -327,6 +327,8 @@ ### [Behavioral blocking and containment]() #### [Behavioral blocking and containment](microsoft-defender-atp/behavioral-blocking-containment.md) +#### [Client behavioral blocking](microsoft-defender-atp/client-behavioral-blocking.md) +#### [Feedback-loop blocking](microsoft-defender-atp/feedback-loop-blocking.md) #### [EDR in block mode](microsoft-defender-atp/edr-in-block-mode.md) ### [Automated investigation and response (AIR)]() @@ -571,7 +573,6 @@ ##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md) ##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md) ##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) -##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md) ##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md) ##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md) ##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index 81a9c4734d..9ab72ae669 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md @@ -50,9 +50,9 @@ The following image shows an example of an alert that was triggered by behaviora - **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)** Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center [https://securitycenter.windows.com](https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.) -- **Client behavioral blocking** Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.) +- **[Client behavioral blocking](client-behavioral-blocking.md)** Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.) -- **Feedback-loop blocking** (also referred to as rapid protection) Threat detections that are assumed to be false negatives are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.) +- **[Feedback-loop blocking](feedback-loop-blocking.md)** (also referred to as rapid protection) Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.) - **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.) @@ -60,6 +60,22 @@ Expect more to come in the area of behavioral blocking and containment, as Micro ## Examples of behavioral blocking and containment in action +Behavioral blocking and containment capabilities have blocked attacker techniques such as the following: + +- Credential dumping from LSASS +- Cross-process injection +- Process hollowing +- User Account Control bypass +- Tampering with antivirus (such as disabling it or adding the malware as exclusion) +- Contacting Command and Control (C&C) to download payloads +- Coin mining +- Boot record modification +- Pass-the-hash attacks +- Installation of root certificate +- Exploitation attempt for various vulnerabilities + +Below are two real-life examples of behavioral blocking and containment in action. + ### Example 1: Credential theft attack against 100 organizations As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the user’s device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server. diff --git a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md new file mode 100644 index 0000000000..317b858f36 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md @@ -0,0 +1,90 @@ +--- +title: Client behavioral blocking +description: Client behavioral blocking is part of behavioral blocking and containment capabilities in Microsoft Defender ATP +keywords: behavioral blocking, rapid protection, client behavior, Microsoft Defender ATP +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +author: denisebmsft +ms.author: deniseb +manager: dansimp +ms.reviewer: shwetaj +audience: ITPro +ms.topic: article +ms.prod: w10 +ms.localizationpriority: medium +ms.custom: +- next-gen +- edr +ms.collection: +--- + +# Client behavioral blocking + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +## Overview + +Client behavioral blocking is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in Microsoft Defender ATP. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically. + +:::image type="content" source="images/pre-execution-and-post-execution-detection-engines.png" alt-text="Cloud and client protection"::: + +Antivirus protection works best when paired with cloud protection. + +## How client behavioral blocking works + +[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) can detect suspicious behavior, malicious code, fileless and in-memory attacks, and more on a device. When suspicious behaviors are detected, Microsoft Defender Antivirus monitors and sends those suspicious behaviors and their process trees to the cloud protection service. Machine learning differentiates between malicious applications and good behaviors within milliseconds, and classifies each artifact. In almost real time, as soon as an artifact is found to be malicious, it's blocked on the device. + +Whenever a suspicious behavior is detected, an [alert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/alerts-queue) is generated, and is visible in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). + +Client behavioral blocking is effective because it not only helps prevent an attack from starting, it can help stop an attack that has begun executing. And, with [feedback-loop blocking](feedback-loop-blocking.md) (another capability of behavioral blocking and containment), attacks are prevented on other devices in your organization. + +## Behavior-based detections + +Behavior-based detections are named according to the [MITRE ATT&CK Matrix for Enterprise](https://attack.mitre.org/matrices/enterprise). The naming convention helps identify the attack stage where the malicious behavior was observed: + + +|Tactic | Detection threat name | +|----|----| +|Initial Access | Behavior:Win32/InitialAccess.*!ml | +|Execution | Behavior:Win32/Execution.*!ml | +|Persistence | Behavior:Win32/Persistence.*!ml | +|Privilege Escalation | Behavior:Win32/PrivilegeEscalation.*!ml | +|Defense Evasion | Behavior:Win32/DefenseEvasion.*!ml | +|Credential Access | Behavior:Win32/CredentialAccess.*!ml | +|Discovery | Behavior:Win32/Discovery.*!ml | +|Lateral Movement | Behavior:Win32/LateralMovement.*!ml | +|Collection | Behavior:Win32/Collection.*!ml | +|Command and Control | Behavior:Win32/CommandAndControl.*!ml | +|Exfiltration | Behavior:Win32/Exfiltration.*!ml | +|Impact | Behavior:Win32/Impact.*!ml | +|Uncategorized | Behavior:Win32/Generic.*!ml | + +> [!TIP] +> To learn more about specific threats, see **[recent global threat activity](https://www.microsoft.com/wdsi/threats)**. + + +## Configuring client behavioral blocking + +If your organization is using Microsoft Defender ATP, client behavioral blocking is enabled by default. However, to benefit from all Microsoft Defender ATP capabilities, including [behavioral blocking and containment](behavioral-blocking-containment.md), make sure the following features and capabilities of Microsoft Defender ATP are enabled and configured: + +- [Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline) + +- [Devices onboarded to Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure) + +- [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) + +- [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction) + +- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) (antivirus) + +## Related articles + +- [Behavioral blocking and containment](behavioral-blocking-containment.md) + +- [Feedback-loop blocking](feedback-loop-blocking.md) + +- [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/) + +- [Helpful Microsoft Defender ATP resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index 0d95a0d4e0..d5f2d69d6c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md @@ -27,10 +27,10 @@ ms.topic: article ## Pull detections using security information and events management (SIEM) tools ->[!Note] +>[!NOTE] >- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. ->-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). +>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. diff --git a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md new file mode 100644 index 0000000000..d4be39d220 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md @@ -0,0 +1,58 @@ +--- +title: Feedback-loop blocking +description: Feedback-loop blocking, also called rapid protection, is part of behavioral blocking and containment capabilities in Microsoft Defender ATP +keywords: behavioral blocking, rapid protection, feedback blocking, Microsoft Defender ATP +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +author: denisebmsft +ms.author: deniseb +manager: dansimp +ms.reviewer: shwetaj +audience: ITPro +ms.topic: article +ms.prod: w10 +ms.localizationpriority: medium +ms.custom: +- next-gen +- edr +ms.collection: +--- + +# Feedback-loop blocking + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +## Overview + +Feedback-loop blocking, also referred to as rapid protection, is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/). With feedback-loop blocking, devices across your organization are better protected from attacks. + +## How feedback-loop blocking works + +When a suspicious behavior or file is detected, such as by [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10), information about that artifact is sent to multiple classifiers. The rapid protection loop engine inspects and correlates the information with other signals to arrive at a decision as to whether to block a file. Checking and classifying artifacts happens quickly. It results in rapid blocking of confirmed malware, and drives protection across the entire ecosystem. + +With rapid protection in place, an attack can be stopped on a device, other devices in the organization, and devices in other organizations, as an attack attempts to broaden its foothold. + + +## Configuring feedback-loop blocking + +If your organization is using Microsoft Defender ATP, feedback-loop blocking is enabled by default. However, rapid protection occurs through a combination of Microsoft Defender ATP capabilities, machine learning protection features, and signal-sharing across Microsoft security services. Make sure the following features and capabilities of Microsoft Defender ATP are enabled and configured: + +- [Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline) + +- [Devices onboarded to Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure) + +- [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) + +- [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction) + +- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) (antivirus) + +## Related articles + +- [Behavioral blocking and containment](behavioral-blocking-containment.md) + +- [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/) + +- [Helpful Microsoft Defender ATP resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources) diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/pre-execution-and-post-execution-detection-engines.png b/windows/security/threat-protection/microsoft-defender-atp/images/pre-execution-and-post-execution-detection-engines.png new file mode 100644 index 0000000000..cea5e255f5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/pre-execution-and-post-execution-detection-engines.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md index d5613256d1..5d98e6652f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md @@ -179,108 +179,45 @@ Follow the steps below to identify the Microsoft Defender ATP Workspace ID and W 3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process. -Before the systems can be onboarded into the workspace, the deployment scripts need to be updated to contain the correct information. Failure to do so will result in the systems not being properly onboarded. Depending on the deployment method, this step may have already been completed. +4. Install the Microsoft Monitoring Agent (MMA).
+ MMA is currently (as of January 2019) supported on the following Windows Operating + Systems: -Edit the InstallMMA.cmd with a text editor, such as notepad and update the -following lines and save the file: + - Server SKUs: Windows Server 2008 SP1 or Newer - ![Image of onboarding](images/a22081b675da83e8f62a046ae6922b0d.png) + - Client SKUs: Windows 7 SP1 and later -Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the file: + The MMA agent will need to be installed on Windows devices. To install the + agent, some systems will need to download the [Update for customer experience + and diagnostic + telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) + in order to collect the data with MMA. These system versions include but may not + be limited to: - ![Image of onboarding](images/09833d16df7f37eda97ea1d5009b651a.png) + - Windows 8.1 -Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows Operating -Systems: + - Windows 7 -- Server SKUs: Windows Server 2008 SP1 or Newer + - Windows Server 2016 -- Client SKUs: Windows 7 SP1 and later + - Windows Server 2012 R2 -The MMA agent will need to be installed on Windows devices. To install the -agent, some systems will need to download the [Update for customer experience -and diagnostic -telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) -in order to collect the data with MMA. These system versions include but may not -be limited to: + - Windows Server 2008 R2 -- Windows 8.1 + Specifically, for Windows 7 SP1, the following patches must be installed: -- Windows 7 + - Install + [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) -- Windows Server 2016 + - Install either [.NET Framework + 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or + later) **or** + [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework). + Do not install both on the same system. -- Windows Server 2012 R2 +5. If you're using a proxy to connect to the Internet see the Configure proxy settings section. -- Windows Server 2008 R2 - -Specifically, for Windows 7 SP1, the following patches must be installed: - -- Install - [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) - -- Install either [.NET Framework - 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or - later) **or** - [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework). - Do not install both on the same system. - -To deploy the MMA with Microsoft Endpoint Configuration Manager, follow the steps -below to utilize the provided batch files to onboard the systems. The CMD file -when executed, will require the system to copy files from a network share by the -System, the System will install MMA, Install the DependencyAgent, and configure -MMA for enrollment into the workspace. - - -1. In Microsoft Endpoint Configuration Manager console, navigate to **Software - Library**. - -2. Expand **Application Management**. - -3. Right-click **Packages** then select **Create Package**. - -4. Provide a Name for the package, then click **Next** - - ![Image of Microsoft Endpoint Configuration Manager console](images/e156a7ef87ea6472d57a3dc594bf08c2.png) - -5. Verify **Standard Program** is selected. - - ![Image of Microsoft Endpoint Configuration Manager console](images/227f249bcb6e7f29c4d43aa1ffaccd20.png) - -6. Click **Next**. - - ![Image of Microsoft Endpoint Configuration Manager console](images/2c7f9d05a2ebd19607cc76b6933b945b.png) - -7. Enter a program name. - -8. Browse to the location of the InstallMMA.cmd. - -9. Set Run to **Hidden**. - -10. Set **Program can run** to **Whether or not a user is logged on**. - -11. Click **Next**. - -12. Set the **Maximum allowed run time** to 720. - -13. Click **Next**. - - ![Image of Microsoft Endpoint Configuration Manager console](images/262a41839704d6da2bbd72ed6b4a826a.png) - -14. Verify the configuration, then click **Next**. - - ![Image of Microsoft Endpoint Configuration Manager console](images/a9d3cd78aa5ca90d3c2fbd2e57618faf.png) - -15. Click **Next**. - -16. Click **Close**. - -17. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP - Onboarding Package just created and select **Deploy**. - -18. On the right panel select the appropriate collection. - -19. Click **OK**. +Once completed, you should see onboarded endpoints in the portal within an hour. ## Next generation protection Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md index 2251ec4e49..b3955f8794 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md @@ -30,20 +30,20 @@ ms.topic: article Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the Microsoft Defender ATP service. -1. Create a folder: 'C:\test-WDATP-test'. +1. Create a folder: 'C:\test-MDATP-test'. 2. Open an elevated command-line prompt on the machine and run the script: - a. Go to **Start** and type **cmd**. + 1. Go to **Start** and type **cmd**. - b. Right-click **Command Prompt** and select **Run as administrator**. + 1. Right-click **Command Prompt** and select **Run as administrator**. - ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) + ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) 3. At the prompt, copy and run the following command: - ``` - powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe' - ``` + ```powershell + powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe' + ``` The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded machine in approximately 10 minutes.