Work and live with IT

/en/speaking-trust-tech-cologne-feodo/images/Preview.jpeg

Speaking @ Trust in Tech Cologne

Fabian Bader published on 2021-12-07 included in User Group

On Tuesday, December 14th, I will be speaking at the Trust in Tech Cologne virtual meetup. The topic of my talk is “Protect your endpoint from known C2 Feodo servers”. Abstract As Emotet is back from the dead the cyber security landscape is getting even more dangerous as before. Thankfully open projects like Feodo Tracker provide information about active C2 servers. Learn how you can utilize the provided Indicators of Compromise, Microsoft Defender for Endpoint and Azure Automation to add an additional layer of security for your endpoints.

/en/jit-role-assignment-microsoft-defender/images/PIMMicrosoft365Defender.png

Just-In-Time role assignment in Microsoft Defender

Fabian Bader published on 2021-11-29 included in Azure AD Entra ID Identity and Access Security Defender for Endpoint

For a long time assigning multiple Entra ID (Azure AD) roles to a user was a tedious task in not done via a script. Every role assignment had to be made separately. This also made it hard to change role assignments for a group of people. That all changed when Microsoft introduced Entra ID (Azure AD) role-assignable groups. It is now possible to assign multiple roles to one group and add the users to this group.

/en/manage-group-policies-powershell/images/Preview.png

Manage group policies with PowerShell

Fabian Bader published on 2021-11-22 included in Active Directory GPO PowerShell HHPSUG

Despite Intune, DSC and Azure AD; group policies are still a widely used method to manage Windows clients and servers in many companies. However, the MMC is not really suitable for managing several hundred GPOs. But that’s what PowerShell is designed for.

/en/alert-sensitive-ad-groups-mdi/images/Preview.png

Alert changes to sensitive AD groups using MDI

Fabian Bader published on 2021-11-05 included in Active Directory Defender for Identity Identity and Access Advanced Hunting KQL

Microsoft Defender for Identity is a very powerful tool when it comes to track changes to users and groups in your on-prem Active Directory. When used in combination of the advanced hunting capabilities available in the Microsoft 365 Defender portal and custom detection rules you can very easily automate the change tracking. If you protect any on-prem Active Directory, you should be aware to changes to any privileged groups. Microsoft itself list a few of them in their documentation on Active Directory Domain Services and in the Defender for Identity documentation adds additional ones.

/en/automated-response-c2-traffic-devices/images/Preview.png

Automated response to C2 traffic on your devices

Fabian Bader published on 2021-10-18 included in Defender for Endpoint Security Advanced Hunting KQL

The Feodo Tracker from abuse.ch provides a list of active ip addresses that are used for C2 servers. With MDE and a bit automation you can easily block your clients connecting to those servers and get an alert if they do.

/en/defender-identity-npcap-windows-server-2022/images/Preview.png

Defender for Identity, Npcap on Windows Server 2022

Fabian Bader published on 2021-10-05 included in Defender for Identity Security Windows Server

Microsoft Defender for Identity is a very useful tool for gaining deep insight into an Active Directory environment. The agents installed on each domain controller collect information directly from the server’s network traffic and forward it to Microsoft Defender. For this analysis, the agent uses the WinPcap driver by default. This leads to the following error message on a Windows Server 2022 even under moderate load: However, the CPU, RAM and network load of the affected domain controller is not particularly high.