MVP 2022-23

image

I am once again happy to report that I have been renewed as an MVP for 2022-23. This is now my 11th year as an MVP and I am honoured to have been recognised.

Many people are not aware that the MVP award is annual. It isn’t something you ‘apply’ for; it is given in recognition of the work you do in the community around a Microsoft product or service in the previous year. For me, that is Microsoft 365. Thus, to continue to be recognised as an MVP you need to make relevant community contributions annually.

As always, I take this opportunity to thank Microsoft for this award. I have made so many great contacts there that help me every day in all sorts of ways. I am truly grateful for their assistance. Of course I also thank other members of the MVP community who also help me every day by providing information that I simply couldn’t find elsewhere. Their real-world application and implementation of Microsoft technologies is amazing! Finally, there is a community of people using and implementing Microsoft cloud technologies that continue to provide real-world questions that challenge me to assist and find solutions for. For all these people I also say thanks because this is where the rubber hits the road.

Hopefully, as we move to a world that is more open, it will be possible to once again travel and catch up with all these marvellous people face to face and strengthen the bonds that we have and share yet more information that I can then provide to my community, again face to face I hope.

Again I say thanks for the recognition and for being awarded as an MVP for another year, and I’m ready to continue to share my learnings and knowledge with the community at large.

ANZAC Day 2022

Today we take a moment to commemorate ANZAC Day here in Australia. It is probably the one day that truly unites Australia. This is largely due to it harking back to a time when Australia came together as a nation for the first time. The benefit of historical hindsight may question the value of that military action all those years ago, but the core values that came from it are what should be celebrated. It cemented the bond between unknown individuals who came together in truly terrifying circumstances to survive, flourish and, in many ways, give birth to a nation on the back of their commitment to each other.

The actions all those years ago, across many battlefronts, brought many Australians face to face with other Australians they would probably never have met had the circumstances been different. It thrust them into life and death experiences that many would never have expected. It thrust the average Australian into circumstances that truly demonstrated man’s inhumanity to man. Yet, through all this adversity, Australians began to forge a bond, a concept of mateship, that lives on today.

This is something that perhaps we now need more than ever as we face an uncertain and divided world. The past few years have seen many live through life-changing and unexpected circumstances that have irrevocably altered our community and the world. They have perhaps cemented the fragility of life in people’s minds and hopefully made them appreciate how truly lucky we are every day. Our celebration today should look to the example these people provided us all those years ago.

Of course, not everyone is lucky. As with that day back in 1915, many paid the ultimate price and had their lives cut short by simply being in the wrong place at the wrong time. A unique fact about Australian troops throughout World War One was that they were a totally volunteer force. Each one chose to be there. Many chose to remain, through the horrors of war, to be with their mates and do what they could for each other above all else. Today we also remember those in our community who continue to live and demonstrate that spirit of service.

This is the sacrifice and commitment we honour today. It is about what people do for others. It is about what people did that they thought was right. It is about what people did for what they believed was the greater good. You can judge their motives and ideals through the lens of history but you can’t question their devotion to each other and to their commitment. Today, we celebrate their devotion to each other.

Their hope, after enduring war, was that no one else would have to go through the same experience. The ‘war to end all wars’, as it was known, sadly did not eventuate. That failure lies on the shoulders of modern society, which does not readily learn the lessons of history and lets its world view become full of negativity, impatience, violence and revenge all too readily. We should take a leaf from our ANZAC forebears and focus on what is truly important, our mates.

Lest We Forget

If you want to learn more about the ANZAC battlefields in northern France, visit my web site – www.anzacsinfrance.com.

Offboarding devices from Microsoft Defender for Business using an API with PowerShell

I have detailed how you can offboard Windows 10 devices from Microsoft Defender for Endpoint using an Intune policy here:

Offboarding Windows 10 devices from Microsoft Defender for Business

You can also offboard all devices centrally using an API and PowerShell quite easily.

The first thing you’ll need to do is create an Azure AD app in the destination tenant. I’ve covered off how to do this via the web interface here:

https://blog.ciaops.com/2019/04/17/using-interactive-powershell-to-access-the-microsoft-graph/

and using a PowerShell script I wrote here:

https://blog.ciaops.com/2020/04/18/using-the-microsoft-graph-with-multiple-tenants/

You’ll also need to provide this Azure AD app the appropriate permissions in the Defender for Endpoint API to offboard devices (as well as have a license for Defender for Endpoint in your tenant). To see how to set these permissions you can review my previous article:

Using the Defender for Endpoint API and PowerShell

image

To permit device offboarding you’ll need to provide your Azure AD application with these additional permissions from the Defender API as shown above:

Machine.Offboard

Machine.Read.All

Machine.ReadWrite.All

Also, don’t forget to grant admin consent to these permissions after you have added them.

In summary, an Azure AD app is used to provide access to the Defender for Endpoint API. This access also requires the appropriate permissions be assigned to that Azure AD app for the Defender for Endpoint API to offboard devices.

When the Azure AD app was initially created the following parameters should have been available:

1. Client (or Application) ID

2. Tenant ID

3. Client (or Application secret)

You’ll need to enter these into the script I have created here:

https://github.com/directorcia/Office365/blob/master/mde-apioffboard.ps1

around line 35:

image

Ensure these values are kept secure! I have discussed ways of doing this using Azure Key Vault or encrypted XML files previously.

image

After updating the values in the script and running it, the script will firstly get a list of all the devices currently onboarded with Defender for Endpoint.

image

You should then be presented with a list of devices currently onboarded to Microsoft Defender for Endpoint as shown above. Select the device or devices you wish to offboard. Multiple selections are available here by holding CTRL or SHIFT while selecting. When the selection is made, press the OK button to continue.

image

The devices selected will then be offboarded via the API. As you can also see above, if a device has already commenced the offboarding process you will receive a warning.
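The flow just described (token, device list, grid selection, offboard call) as an added example written for this page; it is not the script from the linked repository. The three Azure AD app values are placeholders, the API endpoints are the documented Defender for Endpoint ones (api.securitycenter.microsoft.com), and the property names in the grid view are assumed from the machines API response.

```powershell
# Added example: minimal client-credentials flow against the Defender for Endpoint API.
# The three values below are placeholders; in practice load them from Azure Key Vault or an
# encrypted XML file rather than leaving them in the script.
$TenantId     = '<tenant-id-placeholder>'
$ClientId     = '<client-id-placeholder>'
$ClientSecret = '<client-secret-placeholder>'

# 1. Acquire an access token scoped to the Defender for Endpoint API
$tokenBody = @{
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = 'https://api.securitycenter.microsoft.com/.default'
    grant_type    = 'client_credentials'
}
$tokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
$token    = (Invoke-RestMethod -Method Post -Uri $tokenUri -Body $tokenBody).access_token
$headers  = @{ Authorization = "Bearer $token" }

# 2. List onboarded devices (needs Machine.Read.All); follow @odata.nextLink if the tenant is large
$uri      = 'https://api.securitycenter.microsoft.com/api/machines'
$machines = @()
do {
    $page      = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $machines += $page.value
    $uri       = $page.'@odata.nextLink'
} while ($uri)

# 3. Let the operator pick one or more devices (CTRL/SHIFT for multiple) from a grid view
$selected = $machines |
    Select-Object id, computerDnsName, osPlatform, healthStatus, onboardingStatus, lastSeen |
    Out-GridView -Title 'Select devices to offboard' -OutputMode Multiple

# 4. Request offboarding for each selection (needs Machine.Offboard). The API rejects a device
#    that already has an offboarding action pending, so report that and carry on with the rest.
foreach ($m in $selected) {
    $offboardUri = "https://api.securitycenter.microsoft.com/api/machines/$($m.id)/offboard"
    $body = @{ Comment = "Offboarded via API by $env:USERNAME on $(Get-Date -Format s)" } | ConvertTo-Json
    try {
        $action = Invoke-RestMethod -Method Post -Uri $offboardUri -Headers $headers `
                                    -ContentType 'application/json' -Body $body
        Write-Host "Offboarding requested for $($m.computerDnsName): action $($action.id), status $($action.status)"
    }
    catch {
        Write-Warning "Offboard failed for $($m.computerDnsName): $($_.Exception.Message)"
    }
}
```

The Comment field is recorded against the machine action in the portal, so including who ran the script and when gives you an audit trail without any extra work. The warning the post mentions for a device that has already started offboarding surfaces here as the catch branch.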

Although using an API to offboard devices is no faster than using an Intune policy or a local script, it still provides a handy centralised approach for offboarding management.

If you also have a look at this article I wrote:

Using the Microsoft Graph with multiple tenants

you’ll probably see how you can easily extend this script so that it enables you to offboard devices from multiple tenants. I have already done this and that premium script is available for CIAOPS Patrons.

Once you have an Azure AD application in place within your tenant with the appropriate permissions, offboarding devices from Microsoft Defender for Endpoint via an API is pretty straightforward. Hopefully, my free script takes care of most of the heavy lifting for you as well, making it a simple process to select and offboard devices from Microsoft Defender for Endpoint in any number of tenants you manage.

More security testing options with sec-test

image

I’ve added three more security testing options to my free script here:

https://github.com/directorcia/Office365/blob/master/sec-test.ps1

The Word document Backdoor drop will download and open a Word document that contains a macro which will itself download an EXE file to the desktop.

The PowerShell script fileless attack, if successful, will open Notepad.exe on the device.

The Dump credentials using SQLDumper.exe test will download the SQL utility SQLDumper.exe and use that to try and dump the credentials from the system LSASS.EXE process.

All the tests are benign and designed, firstly, to test your environment against common breach techniques and, secondly, to generate alerts in your environment to ensure your protection is correctly configured.

It is getting hard for me to determine all the outcomes of these tests, so I’d love to hear any feedback you have on your own results so I can improve the script. Also, if you have any suggestions for what tests you’d like to see included please let me know.

We shall remember them

It is time to pause and reflect on the sacrifices of others. Many of these, unfortunately, go unnoticed and unappreciated. The good thing is most sacrifices are not made with a desire of repayment, they are freely given.

Over 100 years ago our nation, along with many others, sacrificed the lives of millions of people in what is commonly referred to as the Great War. Yet, immediately after that sacrifice, a greater number of lives were lost to the Spanish Flu.

The outcome of both events was the same for many. Death. This is also something that all of us have in our future. It is a certainty, yet we spend our whole lives avoiding the acknowledgement that our time is limited. For many, it came much sooner than they expected and in places they didn’t expect.

As we enter a world that is opening up after this generation’s pandemic, we should turn and examine the lessons of history. It wasn’t that long after the Great War and the Spanish Flu that the world was plunged, yet again, into another global war that slaughtered yet more millions of people.

The moral is that appreciation for what we have is something worth contemplating. A great way to acknowledge this gift is to sacrifice for others. It is not the amount or value of the sacrifice that matters, it is the effort of that sacrifice that makes it worthwhile for both giver and receiver.

Today, we take a moment in silence and remember the many who made the ultimate sacrifice for us to live with the benefits we experience today. As much as we need to thank those who gave to us, we must provide for those who are to come. We should look to build on what those before us gave to us. That is the best way to demonstrate our gratitude.

The world and the people in it are far from perfect, but if they have anything in common it is a sense of where they are right here, right now. That is not a result of their own designs. It is the integration of their intention and the sacrifices of others.

To those who served us, and continue to serve us, whether on the battlefield or in a hospital, directly or indirectly: thanks. Your efforts have made a difference far beyond what you will ever appreciate.

Displaying execution path in Windows Task Manager

image

I came across a handy tip recently that I thought I’d share.

When you use Task Manager in Windows, select the Details tab and then right-click on the column headings to reveal the menu shown above. From this menu choose Select Columns.

image

Scroll down the list of columns that appears and select:

Image path name

and

Command line

as shown above, then select OK.

image

As shown above, you should now see a column that displays the path to the executable for that task as well as a column showing the actual command line options required to run that task. This is a very handy option when you are troubleshooting tasks.
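The same two columns can be pulled programmatically, which is handy when you want to review every process at once rather than scroll the Task Manager list. The following is an added example, not part of the original tip; it queries the Win32_Process class (whose ExecutablePath and CommandLine properties correspond to the two columns) and adds a simple flag for processes whose image is not under the Windows or Program Files directories. The function name and the set of trusted prefixes are my own choices for illustration.

```powershell
# Added example: image path and command line for every process, with a triage flag.
# Run elevated to see ExecutablePath/CommandLine for processes owned by other users.
function Get-ProcessPathReport {
    # Prefixes regarded as the normal home of system and installed binaries (assumption for this example)
    $trusted = @("$env:SystemRoot\", "${env:ProgramFiles}\", "${env:ProgramFiles(x86)}\")

    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.ExecutablePath } |      # System/Registry/protected processes report no path
        ForEach-Object {
            $path = $_.ExecutablePath
            $inTrusted = $trusted | Where-Object { $path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }
            [pscustomobject]@{
                ProcessId   = $_.ProcessId
                Name        = $_.Name
                ImagePath   = $path
                CommandLine = $_.CommandLine
                UnusualPath = -not $inTrusted   # true when the image lives outside the trusted prefixes
            }
        }
}

$report = Get-ProcessPathReport

# Same view as the two Task Manager columns
$report | Sort-Object Name | Format-Table ProcessId, Name, ImagePath -AutoSize

# Processes running from user-writable locations (Temp, Downloads, AppData) deserve a second look
$report | Where-Object UnusualPath | Format-List ProcessId, Name, ImagePath, CommandLine
```

The UnusualPath flag is only a prompt to look closer: plenty of legitimate software installs under AppData, so treat the short list it produces as a starting point for troubleshooting, not a verdict.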

I need help with Windows Defender System Guard

I need some help in my quest to enable Windows System Guard in my environment. If you want to know what it is, see:

Hardening the system and maintaining integrity with Windows Defender System Guard

and the Microsoft article is here:

Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10

and in summary Windows System Guard is:

Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It’s designed to make these security guarantees:
– Protect and maintain the integrity of the system as it starts up
– Validate that system integrity has truly been maintained through local and remote attestation

I enabled it using the techniques in this article:

System Guard Secure Launch and SMM protection

To verify it is enabled (according to the article) you check MSInfo32 and you should see:

image

i.e. Secure Launch appear in both:

1. Virtualization based Security Configured

and

2. Virtualization based security Services Running

image

However, in my case I don’t see it appear under Virtualization based security Services Running, as you can see above.

Now, the Microsoft article does say:

image

Credential Guard is definitely running per my MSInfo32

image

To check Virtualization Based Security I can run the command:

Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

and I see the following:

image

According to the documentation,

image

if VirtualizationBasedSecurityStatus = 2 then:

VBS is enabled and running

Now, if I look at the SecurityServicesRunning field I see:

image

only Credential Guard and HVCI running per:

image

i.e. no System Guard Secure Launch. This confirms what I see in MSInfo32.
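Reading the numeric codes that Get-CimInstance returns for Win32_DeviceGuard is easier with a decoder. The block below is an added example written for this page, not something from the referenced Microsoft articles; the code-to-name tables are my reading of the documentation for that class (the value 2 for VirtualizationBasedSecurityStatus matches the meaning quoted above), and the function name is my own. It reports which services are configured versus actually running, which is exactly the gap described in this post: Secure Launch showing in the configured list but absent from the running list.

```powershell
# Added example: decode Win32_DeviceGuard so the numeric codes can be read without MSInfo32.
# Code meanings below are taken from the documentation for the Win32_DeviceGuard class (assumption).
$VbsStatus = @{
    0 = 'VBS is not enabled'
    1 = 'VBS is enabled but not running'
    2 = 'VBS is enabled and running'
}
$Services = @{
    0 = 'No services running'
    1 = 'Credential Guard'
    2 = 'Hypervisor-enforced Code Integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}

function Get-VbsReport {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

    # Cast to [int]: the CIM properties are UInt32 and would not match the Int32 hashtable keys
    $configured = @($dg.SecurityServicesConfigured | ForEach-Object { [int]$_ })
    $running    = @($dg.SecurityServicesRunning    | ForEach-Object { [int]$_ })

    [pscustomobject]@{
        VbsStatus            = $VbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured   = @($configured | ForEach-Object { $Services[$_] })
        ServicesRunning      = @($running    | ForEach-Object { $Services[$_] })
        # Codes present in the configured list but missing from the running list
        ConfiguredNotRunning = @($configured | Where-Object { $running -notcontains $_ } |
                                 ForEach-Object { $Services[$_] })
    }
}

$report = Get-VbsReport
$report | Format-List

if ($report.ConfiguredNotRunning -contains 'System Guard Secure Launch') {
    Write-Warning ('System Guard Secure Launch is configured but not running. ' +
                   'Check firmware support for Secure Launch (DRTM), Secure Boot, TPM 2.0 and a reboot since the policy was applied.')
}
```

The ConfiguredNotRunning list is the useful output here: a service that appears there has been requested by policy but has not been started by the hypervisor, which usually points at a hardware or firmware prerequisite rather than the policy itself.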

Verifying Device Guard is where things get challenging, because this:

Why we no longer use the Device Guard brand

seems to indicate that Device Guard is now Windows Defender Application Control (WDAC)??

However, there is this article:

Windows 10 Device Guard and Credential Guard Demystified

from early 2021 talking about Device Guard?? Here, Device Guard is:

Now that we have an understanding of Virtual Secure Mode, we can begin to discuss Device Guard. The most important thing to realize is that Device Guard is not a feature; rather it is a set of features designed to work together to prevent and eliminate untrusted code from running on a Windows 10 system.

Device Guard consists of three primary components:

  • Configurable Code Integrity (CCI) – Ensures that only trusted code runs from the boot loader onwards.

  • VSM Protected Code Integrity – Moves Kernel Mode Code Integrity (KMCI) and Hypervisor Code Integrity (HVCI) components into VSM, hardening them from attack.

  • Platform and UEFI Secure Boot – Ensuring the boot binaries and UEFI firmware are signed and have not been tampered with.

According to that article the CCI is located at:

Computer Configuration \ Administrative Templates \ System \ Device Guard \ Deploy Code Integrity Policy

image

But I can’t see that on my machine as shown above??

I can’t see how to specifically enable VSM Protected Code Integrity; I can only find:

Code Integrity

Finally, my machine does have UEFI and secure boot enabled:

image

The last piece of the puzzle is a service called Secure Launch:

image

which I have running and which seems to be linked to System Guard, but I can find no confirmation of what this service actually does??

In summary, I am at a loss to understand why my machine seems not to have System Guard enabled even though it seems to be capable. I feel confident that I do have all the requirements in place, but Configurable Code Integrity (CCI) may be the issue, and I can’t find anything on how to configure that.

My ask, then, is that if you have any information to help me get System Guard working on my machine, or to help me understand why it isn’t working, I’d appreciate it, as I have drawn a blank with all my other sources.