Testing for CVE-2021-40444 vulnerability

There are current concerns around:

Microsoft MSHTML Remote Code Execution Vulnerability

which is yet to have a patch made available.

I found this excellent article:

CLICK ME IF YOU CAN, OFFICE SOCIAL ENGINEERING WITH EMBEDDED OBJECTS

which provides some PowerShell scripts to create Word documents that can be used to test for the vulnerability.

I have run these scripts to create the actual Word documents and uploaded them for you here:

Office365/example at master · directorcia/Office365 (github.com)


In both cases, when you open these documents, you should NOT be able to get CALC.EXE to execute on your system unlike what you see above and below.


I have also added these tests to my security testing script which you can download from my GitHub repo here:

Office365/sec-test.ps1 at master · directorcia/Office365 (github.com)


When I opened these documents in my production environment, the vulnerability was largely blocked thanks to Windows ASR which I have detailed previously:

Attack surface reduction for Windows 10

You can use the following KQL query, as I did above, to view the result of this blocking if you are using something like Azure Sentinel like I am:

Another great security add on for Microsoft 365

KQL:

DeviceEvents
| where ActionType startswith 'Asr'
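
If you want to confirm the same thing on a single device before looking in Sentinel, the PowerShell below (an added example, not code from the post or from the sec-test.ps1 script) reads the ASR rule state with Get-MpPreference and pulls the local ASR block/audit events (IDs 1121 and 1122 in the Defender operational log). The two rule GUIDs are Microsoft's published ASR rule IDs; that the Office child-process rule is the one that stops the calc.exe launch from Word is my assumption based on the behaviour described above.

```powershell
# Added example: check ASR rule state and recent ASR events on this device.
# Assumption: the "Office child process" rule is the one expected to block calc.exe.
$rules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
}
# Action values reported by Get-MpPreference for each configured rule
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    foreach ($id in $rules.Keys) {
        $index = [Array]::IndexOf($ids, $id)
        if ($index -lt 0) {
            $state = 'Not configured'   # rule never set: Office child processes are not blocked
        } else {
            $state = $actionNames[[int]$actions[$index]]
            if (-not $state) { $state = "Unknown ($($actions[$index]))" }
        }
        [pscustomobject]@{ RuleId = $id; Rule = $rules[$id]; State = $state }
    }
}

function Get-AsrEvents {
    param([int]$Hours = 24)
    # 1121 = rule fired in Block mode, 1122 = rule fired in Audit mode
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Mode'; e = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } }, Message
}

Get-AsrRuleState | Format-Table -AutoSize
Get-AsrEvents | Format-List
```

A rule showing Audit rather than Block means the KQL above will still show an Asr event, but the child process was allowed to run.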

Need to Know podcast–Episode 273

Listen along as I speak with IT business owner David Nicholls from Solve Business Services on his journey to becoming a ‘modern’ cloud IT Professional. David shares the successful processes and approaches he has taken to ‘transform’ his business to be providing cloud support services.

Also, plenty of news and updates from the Microsoft Cloud, including the announcement date for Windows 11, so tune in to stay up to date.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020.

Brought to you by www.ciaopspatron.com

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

Episode 273 – David Nicholls (podbean.com)

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

David Nicholls – Web, Linkedin

Windows 11 available on October 5

Windows 11 preview is now available on Azure Virtual Desktop

Introducing Microsoft Defender for Endpoint Plan 1

Get free DMARC visibility with Valimail Authenticate and Microsoft Office 365

Announcing Apple M1 native support for Microsoft Defender for Endpoint

Simplifying the Quarantine Experience

Securing your Windows 365 Cloud PCs

Troubleshoot Windows 365 Business Cloud PC setup issues

Power Platform Community Monthly Webinar – October 2021


Join us for our next Power Platform Community webinar. The idea behind these is to share the latest news and events about the Microsoft Power Platform, as well as some of the things that we have learned recently, in the hope that it can help others.


There’ll be 3 major presenters:
Andrew Gallagher
Bill Mallet
Yeoman Yu

who’ll share their knowledge, answer any questions you may have and then provide a tutorial on using Power Automate.


Come and join us by registering here:


https://bit.ly/ppc1021


If you wish to join our community and be part of the regular discussion and participation on the Microsoft Power Platform you can join via:
CIAOPS Patron
(look for the Power Platform option here to join us).
We look forward to seeing you on the webinar.

CIAOPS Need to Know Microsoft 365 Webinar – September


Join me for the free monthly CIAOPS Need to Know webinar. Along with all the Microsoft Cloud news we’ll be taking a look at the newly announced Windows 365 and how it plays into the modern workplace.

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite! Yeah Teams webinars.

You can register for the regular monthly webinar here:

September Webinar Registrations

The details are:

CIAOPS Need to Know Webinar – September 2021
Thursday 30th of September 2021
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Power Platform Community September webinar

After recently

Announcing the CIAOPS Patron Power Platform community – CIAOPS

I’m pleased to say that we have also kicked off the first of our monthly webinars. The recording is available here:

Patron Power Platform Community September Webinar – YouTube

and the slides are here:

https://www.slideshare.net/directorcia/patron-power-platfom-community-september-2021-webinar

Let us know what you think and watch out for our new webinar in October.

All the Guards–Part 10

This article is a part of a series. The previous article can be found here:

All the Guards – Part 9 Control Flow Guard

In this article I’m going to summarise all the previous articles, which included:

All the Guards – Part 9 Control Flow Guard

All the Guards – Part 8 DMA Guard

All the Guards – Part 7 Exploit Guard

All the Guards – Part 6 Application Guard

All the Guards – Part 5 Credential Guard

All the Guards – Part 4 System Guard

All the Guards – Part 3 Device Guard

All the Guards – Part 2 Virtualization Based Security

All the Guards – Part 1 Secure Boot

To successfully implement many of these you’ll need current hardware and an up to date version of Windows 10 Professional or Enterprise. The majority of protection is provided by virtualisation, which the device needs to support and have enough RAM (recommended minimum would be 8GB, but you can do it with less) to facilitate.

Configuration of these options can be handled individually but a better approach is to use a policy method such as via Microsoft Endpoint Manager across your fleet.

I have shared all the information I have found on these topics, hopefully in a manner that makes sense. Unfortunately, information about many of these technologies is not presented in a straightforward manner and in many cases, specifics are hard to find and confirm. Hopefully, however, there is enough information there to show you the benefits of implementing these technologies across your Windows 10 devices.

My advice is that you look at implementing these technologies in the order that I have presented them, to accommodate the dependencies that exist. I have done exactly that in my production environment and now don’t even think about them.

So if you haven’t as yet implemented all the Guards that Microsoft has available, I’d encourage you to do so. The improvement in security it provides is worth the investment.

Displaying execution path in Windows Task Manager


I came across a handy tip recently that I thought I’d share.

When you use Task Manager in Windows, select the Details tab and then right-click on the column headings to reveal the menu as shown above. From this menu choose Select Columns.


Scroll down the list of columns that appears and select:

Image path name

and

Command line

as shown above, then select OK.


As shown above, you should now see a column that displays the path to the executable for that task as well as a column showing the actual command line options required to run that task. This is a very handy option when you are troubleshooting tasks.

Verify Endpoint Manager Service release


To verify the release you are on with your Microsoft Endpoint Manager environment, navigate to:

https://endpoint.microsoft.com

1. Select, Tenant administration from the menu on the left.

2. Ensure that Tenant details is selected as shown above.

3. Look for the Service release heading on the right as shown above.

The version number here is also linked to:

What’s new in Microsoft Intune

which provides more granular information about what capabilities have been added to the environment.

Remember, these service updates occur regularly, so ensure you check for new releases regularly.