Setting up PowerShell for use with Microsoft 365

This video will show you the process of setting up PowerShell on a new clean Windows 10 environment to support working with Microsoft 365. Basically, you grab my free set up script here –

https://github.com/directorcia/Office365/blob/master/o365-setup.ps1

and paste that into an elevated PowerShell window and run it. The required PowerShell cloud modules will then be installed into your environment, making it ready to connect to Microsoft 365, Azure, Intune, etc.

Here is a direct link to the video:

https://www.youtube.com/watch?v=UUb_lYxvlOc

Testing for CVE-2021-40444 vulnerability

There are current concerns around:

Microsoft MSHTML Remote Code Execution Vulnerability

which is yet to have a patch made available.

I found this excellent article:

CLICK ME IF YOU CAN, OFFICE SOCIAL ENGINEERING WITH EMBEDDED OBJECTS

which provide some PowerShell scripts to create Word documents that can be used to test for the vulnerability.

I have run these scripts to create the actual Word documents and uploaded them for you here:

Office365/example at master · directorcia/Office365 (github.com)

2021-09-11_10-21-14

In both cases, when you open these documents, you should NOT be able to get CALC.EXE to execute on your system unlike what you see above and below.

test2-screen

I have also added these tests to my security testing script which you can download from my GitHub repo here:

Office365/sec-test.ps1 at master · directorcia/Office365 (github.com)

image

When I opened these documents in my production environment, the vulnerability was largely blocked thanks to Windows ASR which I have detailed previously:

Attack surface reduction for Windows 10

You can use the follow KQL query as I did above to view the result of this blocking if you are using something like Azure Sentinel like I am:

Another great security add on for Microsoft 365

KQL:

DeviceEvents
| where ActionType startswith ‘Asr’

Testing for the PrintNightmare vulnerability

Taking inspiration from:

https://github.com/gentilkiwi/mimikatz/tree/master/mimispool#readme

I’ve updated my own security testing script here:

https://github.com/directorcia/Office365/blob/master/sec-test.ps1

to check for the PrintNightmare vulnerability.

The video

https://www.youtube.com/watch?v=LvmRlc40WWI

gives you a walk through of the process when you run my security testing script and results on a vulnerable system.


Security test script walk through video – Update 1

I have made some updates to my free security test script:

https://github.com/directorcia/Office365/blob/master/sec-test.ps1

The main improvement is the inclusion of a menu that allows you to select which test you want to run.

image

You can use the CTRL and SHIFT key to make multiple selections here.

The video also shows the results when the test script is run on a Windows 10 environment with Trend Micro and a Chrome browser.

Don’t forget to keep checking back for further script updates and improvements.

Security test script walk through video

I’ve create this video to give you a basic walk through of the free security testing PowerShell script I’ve created. You’ll find the script here:

https://github.com/directorcia/Office365/blob/master/sec-test.ps1

In the video you’ll see how to quickly get and run the script as well the results it generates on a stand alone Windows 10 device.

Apart from Windows 10, PowerShell and Word there are no special requirements and it can be used on stand alone, domain or Azure Ad joined, etc. It doesn’t matter. It is designed to help you better evaluate your security posture.

Is security working? PowerShell script

I was inspired by this article:

How to make sure your antivirus is working without any malware

to create an simple automated process to test security settings and alerts for the Microsoft Cloud environment. I have thus created this script:

https://github.com/directorcia/Office365/blob/master/sec-test.ps1

which you can download for free from my Github repo.

You can run the script by launching PowerShell and running

.\sec-test.ps1

image

You don’t need to run the script as an administrator or with elevate privileges.

The first thing the script will attempt to do is download the EICAR testing file and save it locally as a file called eicar.com.txt.

image

Your security should prevent this and that file should not appear on your machine, which the script will verify, as shown above.

image

Your environment should also generate some sort of alert. In my case, one such alert appeared in Azure Sentinel.

image

Next, the script will attempt to create a new file in current directory called eicar1.com.txt with a signature that should be detected by your environment.

The script will then check the local Windows Defender logs for mention of the file eicar1.com.txt. If you are using a third party AV solution you’ll need to manually dig around in the logs to confirm this action has been detected. However, if you use Windows Defender, I have done that for you as you see above. The results are returned in order with Item 1 being the latest.

image

The script will then check to see whether the file eicar1.com.txt has been created. In most cases, the file will exist but it should be of zero length ensuring the creation process was terminated. If the eicar1.com.txt file exists and does not have a length of zero, then you’ll need to take action.

image

Next, the script will attempt to do a process dump for LSASS.EXE. To achieve this you’ll need to have SysInternals Procdump in the currently directory. If procdump.exe is not located in the current directory, you’ll be prompted to download it into the current directory.

The script will then try a process dump of LSASS.EXE using the command:

.\procdump.exe -ma lsass.exe lsass.dmp

The dump process should fail as shown above.

image

The final check is to prompt you for an email address and then attempt to login to Microsoft 365 using this.

image

Doing so should generate a log or alert as shown above that you can view and verify.

The aim of the scripts is largely to check that your security configuration is correctly enabled and configured. Generally, all the tests here should fail and all should report some where that can review to ensure your configuration is correct. Remember, good security is not to ‘assume’ and never test, it is to regularly test and understand where to look for specific types of alerts.

As I come up with more things to test, I’ll add them to the script, so make sure you check to see whether I have updated it in the future.

Using the Defender for Endpoint API and PowerShell

The Microsoft Defender for Endpoint API is now available. More details can be found here:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/management-apis?view=o365-worldwide

Those APIs will enable you to automate workflows and innovate based on Defender for Endpoint capabilities.

In essence, you can now manipulate Defender for Endpoint capabilities using a tool like PowerShell. I’ll show you how to get started.

The first thing you’ll need to do is create an Azure AD app in the destination tenant. I’ve covered off how to do this via the web interface here:

https://blog.ciaops.com/2019/04/17/using-interactive-powershell-to-access-the-microsoft-graph/

and using a PowerShell script I wrote here:

https://blog.ciaops.com/2020/04/18/using-the-microsoft-graph-with-multiple-tenants/

You’ll also need to provide this Azure AD app the appropriate permissions in the Defender for Endpoint API (as well as have a license for Defender for Endpoint in your tenant). To do this, navigate to the Azure AD app you just created and follow the process to add an API permission (you’ll see this process in the above blog posts).

image

You’ll need to however select APIs my organization uses from the menu, and then search for WindowsDefenderATP as shown above to locate the right API.

image

Now select Application permissions on the right from the screen that appears as shown above.

If you have a look at the:

Export software vulnerabilities assessment per device

You’ll see in permissions:

image

You’ll see the permission required for this process is Vulnerability.Read.All.

image

Search for, and select this Vulnerability.Read.All permission in the list as shown above and select it. Scroll down to the bottom of the page and select the Add permissions button to complete the process.

image

Select the Grant admin consent for <tenant> option at the top now to apply these permissions you have just selected to add to this Azure AD app.

In summary, an Azure AD app is used to provide access to the Defender for Endpoint API. This access also requires the appropriate permissions be assigned to that Azure AD app for the Defender for Endpoint API.

When the Azure AD app was initially created the following parameters should have been available:

1. Client (or Application) ID

2. Tenant ID

3. Client (or Application secret)

You’ll need to enter these into the script I have created here:

https://github.com/directorcia/Office365/blob/master/endpoint-api-svbm.ps1

around line 20:

image

Ensure your values these are kept secure! I have discussed ways of doing this using the Azure Keyvault or encrypted XML files previously.

image

After inserting your own Azure AD app values into the script, and running the script you should see the results like that shown above. The output is a list of software vulnerabilities by machine in your Defender for Endpoint environment sorted by machine name and last seen timestamp.

The Defender for Endpoint API has lots of options as you can see here:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-list?view=o365-worldwide#in-this-section

You may need to repeat the process of assigning permissions to your Azure AD app to execute other API commands remember. However, being able to access this information via an API makes it easy to import into things like Power BI and Power Automate as well as access multiple tenant with a single script. Hopefully, this article give you a place to start accessing all the Defender for Endpoint information programmatically.