MDATP Best Practices

Tamper Protection

    1. Why? The first step in many APT attacks is to use a ‘Dropper’ to disable antivirus or other security settings via the registry, PowerShell, GPO, etc.
    2. This is a Microsoft Defender feature that does not require Windows 10 E5, but if you have E5 then you can leverage Intune to prevent the user from disabling this feature. The benefit of requiring Intune is that it abstracts the ability to disable antivirus to a separate management stack; otherwise the attacker could use several methods of disabling AV. This advanced feature requires Windows 10 version 1903 or higher.
    3. Using Intune Device Profiles, create a profile that includes the following settings:
       • Platform: Windows 10 and later
       • Profile type: Endpoint protection
       • Settings > Windows Defender Security Center > Tamper Protection

Attack Surface Reduction (ASR) Rules

    1. ASR rules are a feature of Windows 10 E3 and Windows 10 E5. The E5 version adds two unique rules that are not available in the E3 version.
    2. ASR rules can be enabled without MDATP, but the benefit of using MDATP is the centralized reporting; otherwise the audit events would be scattered across each machine's local Event Viewer.
    3. ASR rules are branded as part of “Microsoft Defender Exploit Guard”, which is a series of Windows 10 security features including Controlled Folder Access, Exploit Protection, and Network Protection.
    4. Some of the ASR rules require cloud-delivered protection to be enabled. Read the ASR documentation page to identify important caveats before enabling ASR.
    5. The ASR rule “Executables that don’t meet a prevalence, age, or trusted list criteria” examines .exe, .dll, and .scr files to determine whether they are on a whitelist that Microsoft maintains. There is no way to add exclusions, so we recommend setting this rule to Audit mode.
    6. In Intune, navigate to Device configuration – Profiles > Profile name > Endpoint Protection > Microsoft Defender Exploit Guard > Attack Surface Reduction.
       I recommend setting them all to Block or Enable, with the exception of “Executables that don’t meet a prevalence, age, or trusted list criteria” (set that one to Audit mode).
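For hosts that are not Intune-managed, or to verify the recommendation above in a lab, the same ASR policy can be applied with the built-in Defender cmdlets. This is an added example, not code from the original post; it assumes the Defender PowerShell module (Set-MpPreference / Get-MpPreference) is present, and the rule GUIDs are Microsoft's published ASR rule ids (a subset, not the full rule set).

```powershell
# Added example (not from the original post): apply the ASR recommendation above
# locally with the Defender cmdlets. Rule GUIDs are Microsoft's published ids;
# the list is a subset. Requires an elevated prompt.
#Requires -RunAsAdministrator

# Rule that cannot take exclusions; the post recommends Audit mode for it.
$PrevalenceRule = '01443614-cd74-433a-b99e-2ecdc07bfc25'

# Rules to set to Block.
$BlockRules = @(
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a'   # Block all Office apps from creating child processes
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'   # Block executable content from email client and webmail
    '3b576869-a4ec-4529-8536-b80a7769e899'   # Block Office apps from creating executable content
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'   # Block Office apps from injecting code into other processes
    'd3e037e1-3eb8-44c8-a917-57927947596d'   # Block JavaScript/VBScript from launching downloaded executables
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc'   # Block execution of potentially obfuscated scripts
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'   # Block Win32 API calls from Office macros
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # Block credential stealing from LSASS
    'c1db55ab-c21a-4637-bb3f-a12568109d35'   # Use advanced protection against ransomware
)

# Set-MpPreference takes parallel arrays: the n-th action applies to the n-th rule id.
$Ids     = $BlockRules + $PrevalenceRule
$Actions = (@('Enabled') * $BlockRules.Count) + @('AuditMode')
Set-MpPreference -AttackSurfaceReductionRules_Ids $Ids -AttackSurfaceReductionRules_Actions $Actions

# Read back and report each rule's effective state: 0 = Disabled, 1 = Block, 2 = Audit
$pref       = Get-MpPreference
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id    = $pref.AttackSurfaceReductionRules_Ids[$i]
    $act   = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    $state = if ($actionName.ContainsKey($act)) { $actionName[$act] } else { "Unknown($act)" }
    '{0}  {1}' -f $id, $state
}
```

On an Intune-managed device the MDM policy takes precedence over local changes, so use the read-back loop there only to confirm what the profile delivered.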

Block at First Sight

    1. This is a series of configuration items that submit a new executable or script to the cloud. Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone.
    2. You can configure this using Intune, SCCM, or Group Policy.
    3. In Intune, navigate to Device configuration – Profiles > Profile name > Device restrictions > Windows Defender Antivirus:
       • Cloud-delivered protection: Enable
       • File Blocking Level: High
       • Time extension for file scanning by the cloud: 50
       • Prompt users before sample submission: Send all data without prompting
       • Submit samples consent: Send all samples automatically

Sample Sharing and Telemetry

    1. Enable MDATP sample sharing for all files: in Intune, navigate to Device configuration – Profiles > Profile name > Microsoft Defender ATP (Windows 10) > Sample sharing for all files > Enable.
    2. In Intune, navigate to Device configuration – Profiles > Profile name > Microsoft Defender ATP (Windows 10) > Expedite telemetry reporting frequency > Enable.

Automated Investigation and Remediation

    1. Create a role group in MDATP Settings > Permissions > Roles (select a group).
    2. Create an MDATP machine group, set it to all machines, and assign it the remediation level Full – Remediate threats automatically.
    3. Enable Automated Investigation in MDATP Settings > Advanced Features.
    4. Enable *all* of the MDATP Settings > Advanced Features (or as many as you are licensed for, e.g. Azure ATP, Intune, MCAS, etc.).

Block Manual Intune Unenrollment

    1. In Intune, navigate to Device configuration – Profiles > Profile name > Device Restrictions > General > Manual unenrollment > Block.
    2. In Intune, navigate to Device configuration – Profiles > Profile name > Device Restrictions > General > Direct Memory Access > Enabled.

Network Protection

    1. Network Protection expands the scope of Windows Defender SmartScreen to block all outbound HTTP(S) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
    2. Network Protection is branded as part of “Microsoft Defender Exploit Guard”, which is a series of Windows 10 security features including Controlled Folder Access, Exploit Protection, and ASR rules.
    3. Network Protection can be enabled without MDATP, but the benefit of using MDATP is the centralized reporting; otherwise the audit events would be scattered across each machine's local Event Viewer.
    4. In Intune, navigate to Device configuration – Profiles > Profile name > Endpoint Protection > Microsoft Defender Exploit Guard > Network Filtering > Network Protection.
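Once the profiles above have been pushed, it is worth confirming on a device that the Tamper Protection, Block at First Sight and Network Protection settings actually landed. The read-only check below is an added example, not code from the original post; it assumes the Defender PowerShell module (Get-MpComputerStatus / Get-MpPreference) is present, and the expected values mirror the Intune settings listed in those sections.

```powershell
# Added example (not from the original post): compare the local Defender state
# with the post's recommended Tamper Protection, Block at First Sight and
# Network Protection settings. Read-only; nothing is changed.
function Test-DefenderBaseline {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Numeric meanings of the Get-MpPreference properties used below:
    #   MAPSReporting:           0 Disabled, 1 Basic, 2 Advanced
    #   SubmitSamplesConsent:    0 AlwaysPrompt, 1 SendSafeSamples, 2 NeverSend, 3 SendAllSamples
    #   CloudBlockLevel:         0 Default, 2 High, 4 HighPlus, 6 ZeroTolerance
    #   EnableNetworkProtection: 0 Disabled, 1 Enabled (block), 2 AuditMode
    $checks = @(
        @{ Name = 'Tamper Protection on';              Actual = $status.IsTamperProtected;          Expected = $true }
        @{ Name = 'Block at First Sight enabled';      Actual = -not $pref.DisableBlockAtFirstSeen; Expected = $true }
        @{ Name = 'Cloud-delivered protection (MAPS)'; Actual = [int]$pref.MAPSReporting;           Expected = 2 }
        @{ Name = 'File blocking level High';          Actual = [int]$pref.CloudBlockLevel;         Expected = 2 }
        @{ Name = 'Cloud scan time extension (sec)';   Actual = [int]$pref.CloudExtendedTimeout;    Expected = 50 }
        @{ Name = 'Send all samples automatically';    Actual = [int]$pref.SubmitSamplesConsent;    Expected = 3 }
        @{ Name = 'Network Protection blocking';       Actual = [int]$pref.EnableNetworkProtection; Expected = 1 }
    )

    foreach ($c in $checks) {
        [pscustomobject]@{
            Check    = $c.Name
            Expected = $c.Expected
            Actual   = $c.Actual
            Result   = if ($c.Actual -eq $c.Expected) { 'PASS' } else { 'FAIL' }
        }
    }
}

# Show the table and return a non-zero exit code on any failure, so the
# script can gate an image build or a compliance job.
$results = Test-DefenderBaseline
$results | Format-Table -AutoSize
if ($results.Result -contains 'FAIL') { exit 1 }
```

A FAIL on a device that is in scope for the profile usually means the device has not yet synced or is excluded from the assignment, so check the profile's device status in Intune before changing anything locally.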

I will be updating this blog periodically as I encounter additional settings that are particularly helpful for blocking threats.

Disclaimer: This is for educational purposes only, you assume all risk for testing these in your lab first before deploying to production.