What happened to Defender running in a Sandbox? MP_FORCE_USE_SANDBOX

A colleague asked me today “Does Microsoft Defender run itself in a sandbox by default, or does that need to be manually enabled?”

He was referring to a breakthrough feature first announced (here) two years ago (10/26/2018)

We all know Defender can detonate files in a cloud sandbox – but we are talking about Defender running *itself* (MSMPENG.EXE) inside a sandbox.

This was a big deal at the time it was announced, because Defender was the first Antivirus product to run *itself* in a sandbox. I had read reports that 30% of all malware targeted security software since it runs with such high privileges, so this was and is a very big deal.

Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event that Defender itself has vulnerabilities and becomes compromised, malicious actions are limited to the isolated environment, protecting the rest of the system from harm, since Defender runs with such high system privileges.

This feature is enabled by setting a machine-wide environment variable (setx /M MP_FORCE_USE_SANDBOX 1) and then restarting the machine. System requirement: Windows 10, version 1703 or later.

How can I tell if Defender is running itself in a Sandbox? Check task scheduler and see if “CP.exe” is listed.


Sysinternals will show “App Container” 


You can also run CMD.exe followed by the SET command by itself to see if the environment variable is present:
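The same checks can be scripted. The following PowerShell is an added example, not part of the original post: the function name is hypothetical, and MsMpEngCP is the full name of the sandboxed content process that the “CP.exe” suffix above refers to.

```powershell
# Added example (not from the original post): report whether the Defender
# sandbox is configured and whether the sandboxed content process is running.
function Get-DefenderSandboxState {
    # Machine-scope value written by: setx /M MP_FORCE_USE_SANDBOX 1
    # Read from the machine scope so a value set before the restart is still seen.
    $value      = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')
    $configured = ($value -eq '1')

    # MsMpEng is the privileged engine process; MsMpEngCP is the low-privilege
    # content process that is only present when the sandbox is active.
    $engine  = @(Get-Process -Name 'MsMpEng'   -ErrorAction SilentlyContinue)
    $content = @(Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue)
    $active  = ($content.Count -gt 0)

    if ($configured -and $active) {
        $verdict = 'Sandboxed'
    }
    elseif ($configured) {
        $verdict = 'Variable set but content process absent (restart pending?)'
    }
    elseif ($active) {
        $verdict = 'Content process present without the variable'
    }
    else {
        $verdict = 'Not sandboxed'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        VariableValue     = $value
        EngineRunning     = ($engine.Count -gt 0)
        ContentProcessIds = $content.Id
        Verdict           = $verdict
    }
}

Get-DefenderSandboxState | Format-List
```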


So the question is, has Microsoft now built this into the operating system by default?

I created some fresh Win10 VMs with Defender and did not see the CP.exe trailing process name.

So my big question is: why after two years hasn’t it been turned on by default? Is Microsoft aware of any risks or problems when this is enabled? And why is there no MEM/Intune configuration to enable this setting?

Defending against Pass-the-PRT

The Azure AD Primary Refresh Token (PRT) can be extracted using ROADtools, written by security researcher Dirk-jan Mollema and recently weaponized into Mimikatz by Benjamin Delpy.

With local Administrator privileges it becomes possible to extract the PRT and the required cryptographic material to sign in on any Azure AD connected resource with the account to which the PRT was issued. The PRT is valid for 14 days and can be used on any device in this time-frame. Any MFA claims that were assigned to the PRT remain valid as well.

It’s important to understand exactly how this attack works so that you can test your defenses against it. You should never assume that your defenses are adequate. Just like a backup is not good unless it is restored, your defenses are not good unless you test them frequently and thoroughly.

A PRT is only issued to native apps (like the full Outlook client) on Azure AD Registered, Azure AD Joined, or Hybrid Azure AD joined devices. A browser session on a workgroup machine will not receive a PRT. To learn more about how PRTs are issued, see this article: https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token

The attacker runs a few mimikatz commands:



The PRT can then be imported into Chrome as a cookie:


And this allows the attacker to sign in as the user, even if their device is not Intune compliant or Hybrid Azure AD joined.

Defending against Pass-the-PRT

There are ~15 Attack Surface Reduction Rules (ASR) in Windows 10. The following rule can be enabled in Audit or Block mode. We strongly recommend Audit mode first because Block mode may block legitimate processes that you will need to exclude before deploying this in production. On a single test machine you can run this command for audit mode:

Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions AuditMode

And this command for block mode:

Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled

And when this ASR rule is enabled, we can see that Mimikatz is unable to dump the PRT


Normally this should get logged as Event 1121 (Block) or 1122 (Audit) in the Event Viewer: Microsoft-Windows-Windows Defender/Operational
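To confirm the rule state and review what it caught during the audit period, the following PowerShell can be run elevated on the test machine. It is an added example, not part of the original post; the function names are hypothetical, and the rule ID, event IDs and log name are the ones given above.

```powershell
# Added example (not from the original post). Run elevated on the test machine.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # rule ID used in the commands above

# Report the configured mode of one ASR rule from the local Defender preferences.
function Get-AsrRuleMode {
    param([string]$RuleId = $LsassRuleId)
    $modes   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $pref    = Get-MpPreference
    # The IDs and actions are parallel arrays: action N belongs to rule N.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $RuleId) { return $modes[[int]$actions[$i]] }
    }
    'Not configured'
}

# Return the 1121 (Block) and 1122 (Audit) events that mention the rule ID.
function Get-AsrRuleEvents {
    param([string]$RuleId = $LsassRuleId, [int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ToXml() -match [regex]::Escape($RuleId) } |
        ForEach-Object {
            if ($_.Id -eq 1121) { $mode = 'Block' } else { $mode = 'Audit' }
            $row = [ordered]@{ Time = $_.TimeCreated; Mode = $mode }
            # Copy every named EventData field as-is, without assuming field names.
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                if ($d.Name) { $row[$d.Name] = $d.'#text' }
            }
            [pscustomobject]$row
        }
}

"Rule mode: $(Get-AsrRuleMode)"
$events = @(Get-AsrRuleEvents -Days 7)
"Events in the last 7 days: $($events.Count)"
$events | Format-List
```

Reviewing the Audit events before switching to Enabled shows which legitimate processes would need an exclusion.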

Or if you have Microsoft Defender ATP then in the Timeline view you can filter on ASR Events:



1. Do not grant users local administrator privileges

2. Enable Tamper Protection in Windows Defender. It is more difficult for Mimikatz to run when Defender AV is running.

3. Enable Attack Surface Reduction Rules (ASR)  to block access to LSASS.exe

Switch from ADFS to Azure AD

A surprising number of clients are still operating complex ADFS farms.

ADFS Complexity 

Here are 8 reasons to switch to Azure AD.

1. ADFS has a greater attack surface area than Azure AD. Example: NTLM Brute-Force (CVE-2019-1126).

2. ADFS can have multiple single points of failure unless designed properly

3. ADFS requires certificate maintenance – resulting in planned downtime

4. ADFS requires lots of IT overhead (Backups, Monitoring, OS Upgrades, etc)

5. Azure AD Conditional Access offers better security controls than ADFS Claims

6. Azure AD is lightweight and less complex to administer (No Claims Rules)

7. Azure AD more closely aligns to NIST 800-63b (Scan for breached passwords)

8. Azure AD has a better feature roadmap

It’s easy to switch from ADFS to Azure AD. For example, this one PowerShell command can migrate Office 365 from ADFS to Cloud in less than 5 minutes:

Set-MsolDomainAuthentication -DomainName mydomain.com -Authentication Managed

You can also do a staged rollout of smaller groups at a time rather than a big bang cutover (the first security group is limited to 200 users). Learn more about staged rollout (here).

Note: That’s the core command that moves the trust from ADFS to Azure AD. There are more planning steps involved like making sure you have enabled password hash sync. Learn more planning steps (here).

Here are 5 tips for moving other apps from ADFS to Azure AD

  1. Use the new ADFS Application activity report (preview) or the ADFS to Azure AD app migration tool to analyze your current apps. This tool will quickly identify which apps can be migrated seamlessly and which require remediation (see figure one).
  2. Acquire deployment guides for the relevant apps. Many are published on the Microsoft app gallery, but if not, you can open a ticket through the third-party vendor who developed the app.
  3. Allocate appropriate time and resources to the high-touch apps.
  4. Migrate the apps that are ready to go for quick wins.
  5. Identify a test environment or plan a maintenance window to avoid moving a large servicing app at peak usage.

Learn more here:


What is Double Key Encryption (DKE)?

Today Microsoft announced the public preview of Double Key Encryption (DKE).

What does “Double Key” mean? It’s similar to a missile launch where two people must turn their key at the same time. In the case of encryption, it is the combination of two keys held by separate parties that encrypt or decrypt data.


Or to quote Microsoft:

“Double Key Encryption enables you to protect your highly sensitive data while keeping full control of your encryption key. It uses two keys to protect your data—one key in your control, and a second key is stored securely in Microsoft Azure. Viewing data protected with Double Key Encryption requires access to both keys. Since Microsoft can access only one of these keys, your protected data remains inaccessible to Microsoft, ensuring that you have full control over its privacy and security.”

Your Client Key is hosted outside of Microsoft (wherever you want) via a web service that you are responsible for hosting. If your web service goes down (intentionally or unintentionally) then no new data can be encrypted or decrypted.

This is similar to its predecessor, Hold-Your-Own-Key (HYOK) which I assume DKE will eventually replace at some point in the future. Except there is one big advantage: Unlike HYOK, DKE does not depend upon on-premises Active Directory Rights Management Services (AD RMS). So it is a simpler configuration.

Is DKE right for me? Most likely not. It’s intended for some super rare scenarios that very few clients have. There are serious productivity limitations to DKE that are nearly identical to HYOK, where many features inside Office 365 and other services will not function such as SharePoint Search, eDiscovery Search, Data Loss Prevention, Transport Rules, Exchange ActiveSync, Journaling, Malware scanning, Archiving Solutions and any other services that needs to read data such as 3rd party document management systems.

Therefore customers should carefully evaluate all key options before proceeding with DKE (see table below).

What if I lose my key? Your data is inaccessible, and there is no ‘back door’ key like the ‘Availability Key’ feature in BYOK that allows Microsoft to decrypt data if you lose your BYOK key.

Encryption Key Comparison



| Feature | HYOK | Double-Key Encryption (NEW) | BYOK | Managed Key |
| --- | --- | --- | --- | --- |
| Can Microsoft Read the Encrypted Data? | No | No | Yes | Yes |
| AD RMS Required? | Yes | No | No | No |
| 100% Cloud Hosted | No | No | Yes | Yes |
| On-Prem or Cloud | | | | |
| DMZ Req? | No | Yes | No | No |
| HSM Req? | Yes | Yes | Yes | No |
| ActiveSync Support | No | No | No | No |
| Exchange On-Premises IRM | No | No | Yes | Yes |
| Outlook Mobile | No | No | Yes | Yes |
| OWA | No | No | Yes | Yes |
| Office Mobile | Yes (Consume Only) | Yes (Consume Only) | Yes | Yes |
| Mac OSX | Yes (Consume Only) | Yes (Consume Only) | Yes | Yes |
| SharePoint Search | No | No | Yes | Yes |
| Key Strength | RSA 2048-bit (Key Exchange), AES 128 (Wrapping), SHA 256 (Signing), (FIPS 140-2) | RSA 2048-bit (Key Exchange), AES 128 (Wrapping), SHA 256 (Signing), (FIPS 140-2) | RSA 2048-bit (Key Exchange), AES 128 (Wrapping), SHA 256 (Signing), (FIPS 140-2) | RSA 2048-bit (Key Exchange), AES 128 (Wrapping), SHA 256 (Signing), (FIPS 140-2) |
| External Collaboration | No | No | Yes | Yes |
| Office Client Support | Office 2013 + | Office Insider* | Office 2013 + | Office 2010 + |
| Auditing | Yes | Yes | Yes | Yes |

* Office Insider is required at the time of this writing (July 2020) but eventually it will roll out to Office versions in mainstream support.

Initially at the time of this writing, the AIP Unified Labeling Client is required to encrypt/decrypt content. It will eventually be available natively in the Office Ribbon.

Additional Resources

Blog Post: https://aka.ms/DKEpreview
Deployment Docs: https://aka.ms/DKEpreviewdocs
Github Repo: https://aka.ms/DKErepo
Update [10/22/2020] Host DKE on IIS, using an on-premises server – Microsoft Tech Community

July 2020 Major Vulnerability Roundup

Palo Alto CVE-2020-2021

If you have SAML enabled on your Palo Alto, a CVE Severity 10 Critical vulnerability allows remote unauthenticated access

Citrix (Multiple CVE’s)

Multiple vulnerabilities in the Citrix Application Delivery Controller (ADC) and Gateway would allow code injection, information disclosure and denial of service, the networking vendor announced Tuesday. Four of the bugs are exploitable by an unauthenticated, remote attacker.


F5 (CVE-2020-5902)

If you have F5, and haven’t patched, treat it as incident response at this point as public exploits are available. There was also a new bypass discovered.


Google is rolling out an important software update for Chrome browser—version 83.0.4103.106 for Windows, Mac, and Linux—that includes security patches for 4 high-severity vulnerabilities.

SAP (CVE-2020-6287)

A new critical vulnerability, carrying a severity score of 10 out of 10 on the CVSS bug-severity scale, was found in SAP impacting 40,000 customers. At least 2,500 customers in the United States that have internet facing SAP are impacted.

According to an alert from the Department of Homeland Security, successful exploitation of the bug opens the door for attackers to read and modify financial records; change banking details; read personal identifiable information (PII); administer purchasing processes; sabotage or disrupt operations; achieve operating system command execution; and delete or modify traces, logs and other files.

Cisco CVE-2020-3297

The flaw ranks 8.1 out of 10.0 and could allow remote, unauthenticated attackers to access the switches’ management interfaces with administrative privileges.



AVANAN announced “SYLKin Attack” which claims to bypass M365 security.

You can block .SLK attachments with the Set-MalwareFilterPolicy PowerShell command, or Exchange transport rules.

Patch Tuesday (7/14/2020) included a fix for a wormable RCE vulnerability in Windows DNS that should be patched ASAP. (CVE-2020-1350)

Microsoft pushed out two emergency security updates to fix remote code execution bugs in Microsoft Windows Codecs Library.

These patches come weeks after Microsoft’s regularly scheduled June Patch Tuesday, where it released patches for 129 vulnerabilities – the highest number of CVEs ever released by Microsoft in a single month. Within the blockbuster security update, 11 critical remote code-execution flaws were patched in Windows, SharePoint server, Windows Shell, VBScript and other products. Unlike other recent monthly updates from Microsoft, its June updates did not include any zero-day vulnerabilities being actively attacked in the wild.

Using Intune to Deploy MDATP to Mac OSX in 7 clicks

Got Mac OSX? Are they enrolled into Intune? If so, then deploying Microsoft Defender ATP (MDATP) to these devices is done in 7 easy clicks.

Start off by browsing to Microsoft Endpoint Manager at https://endpoint.microsoft.com





Yes, that was easy, however, the fine print is you first must deploy a kernel extension profile *BEFORE* the 7 steps above, otherwise the user will see “System extension blocked.”

If for some reason you missed that step, users must approve the extension manually by going to Security Preferences > Security & Privacy on the Mac and selecting Allow.

Other helpful scripts and tips are available on the Microsoft blog (here).

Fortune 500 Email Security Vendor Market share

Which email security vendors are gaining or losing market share? About a year ago I wrote an article (here) detailing how to use PowerShell to crawl the public DNS records of the Fortune 500.

So 12 months later, Microsoft has decreased 12% and Proofpoint has increased 12%. Cisco also had an 18% increase in market share. 


MDATP and THOR–A Powerful combination

Microsoft Defender Advanced Threat Protection (MDATP) is an extended detection and response (XDR) solution, a kind of SHIELD, that combines protection for endpoints (Microsoft Defender ATP), email and productivity tools (Office 365 ATP), identity (Azure ATP), and cloud applications (Microsoft Cloud App Security/MCAS), and many 3rd party solutions like Nextron Systems THOR APT Scanner. As customers face attacks across endpoints, cloud, applications and identities, MTP looks across these domains to understand the entire chain of events, identifies affected assets, like users, endpoints, mailboxes, and applications, and auto-heals them back to a safe state.

Basically, it’s very similar to how S.H.I.E.L.D needs the Avengers to carry out missions. Do you see what I did there? (Thor is an Avenger).

This blog post is about the 3rd party aspect of the XDR when MDATP can tap into THOR to use 12,000 YARA rules from Nextron Systems.

How do you get your hands on YARA rules? Well, you can write your own, but that could take you years to map out all the known threats out there. Or you can purchase a tool like THOR from Nextron Systems, which integrates with their database of 12,000+ YARA rules. The strength of their particular rule set is that it focuses on detecting APT threat groups, and over 1,500 web shells. Most EDR systems miss the web shells that these YARA rules detect.

Nextron has previously published their integration capabilities with MDATP on their blog (here) and I highly recommend you check it out.


In this blog post, we are going to try out the newest integration from Nextron, which features their THOR Cloud scanner. This was EASY! From start to finish it took me less than 5 minutes. You simply download the PowerShell script from Nextron, which is generated to include the license key, upload that script into MDATP’s Live Response, and in less than one minute, get a report back on any matches that were found from the THOR scan. The default configuration, quick scan, can be modified to include additional modules such as Registry and Process, but this will increase the scan time from 1 minute to ~15 to 20 minutes. A scan of the entire file system and event log could extend the time to 40 minutes to 3 hours depending on the number of files and types of contents. I recommend getting started with quick scan first so you can see how it works. If you decide to make changes, here is a screen shot of the section of the script you can change:


Step 1. Obtain a license key from Nextron.

Note: This blog post will be updated with more details about an upcoming webinar in June, 2020 featuring Florian Roth (@cyb3rops)

Step 2. Launch MDATP Live Response Session

Note: As of April 6th, Live Response now runs on Windows 10 1709 or newer (it was previously only available on 1903 or newer). Make sure you have Live Response and Custom Scripts enabled in MDATP (they are off by default). You’ll need to enable, at least, the minimum Remediation Level for a given Machine Group.


Upload the thor-seed.ps1 file that you obtained from Nextron.




The scan completed in just under one minute. Very fast, when you consider it used over 12,293 YARA rules!


It produced a handsome HTML report in C:\ProgramData\thor


I first ran this on a clean system to create a baseline; I wanted to make sure I didn’t get too many false positives on a machine I expected to be clean. It was very accurate, because it detected TOR but no other false indicators.


On another system I tried, it reported a file containing dumped password hashes, created from Gsecdump (developed by Johannes Gumbel).


Here is an example of PSEXEC.exe being found even though it was renamed to 2.exe


After the scan completes, it provides hints on the syntax to remotely retrieve the HTML report and detailed TXT files from the remote system, and then remove them with the remediate command.


If you run the scan twice, you need to first remove the prior HTML and TXT files. If you use the Remediate command, it will create a pop-up on the target machine that the file was removed.


Another interesting lesson I learned is that even if you delete the HTML report, if you download it a second time, Defender will still grab a cached copy from the first download


I believe adding the timestamp to the file name should eliminate this cache problem.

Overall, I would highly recommend this whenever you are investigating a threat with MDATP because many of these YARA rules detect threats that are not yet found in VirusTotal. These YARA rules from Nextron effectively extend the MDATP detection capabilities as shown below. For example, the presence of TOR.exe, PSEXEC.exe, or the LM Hash dump from Gsecdump were not flagged as alerts inside MDATP EDR.


Also, check out the latest MITRE evaluation of MDATP against the Russian Hacking Group “Fuzzy Bear” aka APT 29 (here).

Conditional Access with Hybrid Domain Join requires browser extension for Chrome

For Chrome to be compatible with Azure AD conditional access security policies that check for Hybrid Domain Join, you must install a Browser extension from (here) *or* deploy a registry key from (here).

This is because Chrome does not pass the Hybrid Domain Join status, as shown below:


IE or Edge



Adding the browser extension or registry keys allows a user to use Chrome to access the SSO via conditional access policy.

Otherwise you will get an error “You can’t get there from here”


Deploying MailItemsAccessed Audit Event in Office 365

MailItemsAccessed is a new audit event in Office 365 that records when email data is accessed by mail protocols and clients.

Why is MailItemsAccessed so important?

During an investigation where a mailbox has been accessed by an unauthorized party, there are often legal requirements (State, Federal and Global Treaties such as GDPR) to notify individuals if their personally identifiable information was accessed. Without MailItemsAccessed we could only say that the attacker had the capability of accessing all mailbox contents, but we couldn’t say which exact emails were accessed. The sync event is still not as definitive as we would like, but it does show that the attacker now has possession of the mailbox contents. If the attacker accessed the mailbox via a web browser, then it’s helpful to know which individual items were accessed.

If a privileged account was compromised, it’s also a good idea to check whether the attacker enabled the Bypass audit log PowerShell command to cover their tracks.

For more details, see Access to crucial events for investigations.

How does MailItemsAccessed compare to MessageBind?

MailItemsAccessed replaces the audit event ‘MessageBind’ which was deprecated in Exchange Online on 1/23/2019. This audit event began rolling out in Q1 2020 after a 12 month pause from the first announcement in January 2019. Tony Redmond has documented the history of this rollout on his blog, with his latest post on March 6, 2020 (here).

MessageBind was only available for the AuditAdmin user logon type and did not record actions performed by the Mailbox Owner or Delegate. MessageBind only covered actions by a mail client and did not record sync activities. MessageBind also generated multiple audit records for the same email message. MailItemsAccessed fixes all these deficiencies.

MailItemsAccessed applies to all logon types (Owner, Admin and Delegate)

MailItemsAccessed applies to both an individual email being read in addition to a ‘sync’ event such as MAPI, POP or IMAP downloading all email in a client.

MailItemsAccessed aggregates multiple events into fewer audit records.


Office E5 or (M365 E3 + “E5 Compliance” add-on)

One question that is often asked is: “If I buy just one license, does this enable the capability for all users?” The answer is no. Only users with the appropriate license will have the MailItemsAccessed logged.


MailItemsAccessed is only enabled by default when the E5 feature “Microsoft 365 Advanced Auditing” license has been applied to the account.


(In PowerShell the auditing license will appear as “M365_ADVANCED_AUDITING”).

To find out how many of your current mailboxes are logging the MailItemsAccessed event run this Exchange Online PowerShell command:

get-mailbox -ResultSize unlimited | where {$_.AuditOwner -like '*Accessed*'}

Note: See troubleshooting section if you have the right license and MailItemsAccessed is still not appearing.

Prior to 2/1/2019, Mailbox Owner auditing only logged a single event by default: MailboxLogin. After 2/1/2019, additional events were added unless auditing had been customized. If you customized the mailbox actions to audit for any logon type before mailbox auditing on by default was enabled in your organization, the customized settings are preserved on the mailbox and aren’t overwritten by the default mailbox actions that were since added. The exception to this rule seems to be with MailItemsAccessed because it was appended to the E5 mailboxes that had been set to use customized audit events.

To reset auditing to defaults you can use the DefaultAuditSet parameter, which is generally recommended because according to the documentation “Any new mailbox actions that are released by Microsoft are automatically added to the list of audited actions for the logon type.”

Set-Mailbox -Identity (mailbox identity) -DefaultAuditSet Admin,Delegate,Owner

If you want to find out the mailboxes that have the default auditing enabled, run this command and look for “Admin, Delegate, Owner.” The absence of one of these means that audit customizations were applied to that mailbox.

get-mailbox | select name,DefaultAuditSet


For example, in the screen shot above (1) means that all three roles were customized and (2) means only the Owner was customized because it is absent from the list.

Note: DefaultAuditSet does not audit all possible audit events. It will audit the following seven events (or eight when an E5 license is applied to the mailbox)

1. Update

2. MoveToDeletedItems

3. SoftDelete

4. HardDelete

5. UpdateFolderPermissions

6. UpdateInboxRules

7. UpdateCalendarDelegation

8. MailItemsAccessed (<- THIS IS ONLY ADDED IF AN E5 License is applied to the mailbox)

For a list of the defaults see the documentation (here).

The following three events can be added as additional audit events for the Owner logon type:

1. Create

2. MailboxLogin

3. Move

Therefore, to apply all 11 possible audit events, run this command:

get-mailbox -ResultSize unlimited | set-mailbox -AuditOwner @{Add="Update","MoveToDeletedItems","SoftDelete","HardDelete","UpdateFolderPermissions","UpdateInboxRules","UpdateCalendarDelegation","Create","MailboxLogin","Move","MailItemsAccessed"}

Repeat above command and swap out AuditOwner for AuditDelegate and AuditAdmin but remember to check the table (here) because not all audit events are available for Admin

Note: A user with full mailbox access to another user’s mailbox is logged as AuditDelegate.
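The checks above can be combined into one report that lists, per mailbox, which logon types are missing MailItemsAccessed and which have been customized away from DefaultAuditSet. This is an added example, not part of the original post: the function name is hypothetical and the sample mailboxes are constructed so the block runs without an Exchange Online session.

```powershell
# Added example (not from the original post).
# Accepts mailbox objects from the pipeline and reports auditing gaps.
function Get-MailItemsAccessedGap {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Mailbox)
    process {
        # Logon types whose audited actions do not include MailItemsAccessed
        $missing = foreach ($type in 'Owner', 'Delegate', 'Admin') {
            if (@($Mailbox."Audit$type") -notcontains 'MailItemsAccessed') { $type }
        }
        # Logon types absent from DefaultAuditSet have customized audit actions
        $customized = foreach ($type in 'Admin', 'Delegate', 'Owner') {
            if (@($Mailbox.DefaultAuditSet) -notcontains $type) { $type }
        }
        [pscustomobject]@{
            Mailbox                  = $Mailbox.Name
            AuditEnabled             = [bool]$Mailbox.AuditEnabled
            MissingMailItemsAccessed = $missing -join ','
            CustomizedLogonTypes     = $customized -join ','
        }
    }
}

# Constructed sample objects carrying the Get-Mailbox properties used above.
$defaults = 'Update', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete',
            'UpdateFolderPermissions', 'UpdateInboxRules', 'UpdateCalendarDelegation'
$sample = @(
    [pscustomobject]@{
        Name            = 'alice'          # E5 mailbox on default auditing
        AuditEnabled    = $true
        DefaultAuditSet = @('Admin', 'Delegate', 'Owner')
        AuditOwner      = $defaults + 'MailItemsAccessed'
        AuditDelegate   = $defaults + 'MailItemsAccessed'
        AuditAdmin      = $defaults + 'MailItemsAccessed'
    }
    [pscustomobject]@{
        Name            = 'bob'            # Owner auditing customized before the defaults changed
        AuditEnabled    = $true
        DefaultAuditSet = @('Admin', 'Delegate')
        AuditOwner      = @('MailboxLogin')
        AuditDelegate   = $defaults
        AuditAdmin      = $defaults
    }
)

# Show only mailboxes that need attention.
$sample | Get-MailItemsAccessedGap |
    Where-Object { $_.MissingMailItemsAccessed -or -not $_.AuditEnabled } |
    Format-Table -AutoSize

# Against a tenant, replace $sample with:
#   Get-Mailbox -ResultSize Unlimited | Get-MailItemsAccessedGap
```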

Searching Audit Events

You can search for MailItemsAccessed events in Protection.office.com


Compliance.microsoft.com will eventually replace Protection.office.com.


You can also use Exchange Online PowerShell to search for audit events, which is required if you need to search for events older than 90 days:

Search-UnifiedAuditLog -StartDate (start date) -EndDate (end date) -Operations MailItemsAccessed

or

Search-MailboxAuditLog -Operations MailItemsAccessed

Other useful Exchange Online PowerShell commands:

View which events are being logged on a single mailbox (“Joe”)

get-mailbox joe | select -ExpandProperty auditadmin

get-mailbox joe | select -ExpandProperty auditowner

get-mailbox joe | select -ExpandProperty auditdelegate

Report how many accounts have auditing enabled:

get-mailbox | group-object AuditEnabled

Enable auditing on all mailboxes and increase audit log retention from 90 days to 180 days:

get-mailbox -resultsize unlimited | set-mailbox -AuditEnabled $true -AuditLogAgeLimit 180

Audit Log retention is independent of whether or not a retention policy (aka Legal hold) is applied to the mailbox. For example, if a mailbox is under legal hold, the audit events are not retained longer than the duration set by the AuditLogAgeLimit parameter.

If you increase the age beyond 90 days, you can only find those items in PowerShell using Search-MailboxAuditLog.

The following capacity limitations apply to mailbox auditing:

– No more than 3 million audit records are allowed per mailbox

– No more than 30 GB of audit records are allowed per mailbox (100GB if legal hold or retention policy has been applied to the mailbox)

– Tony also states in his blog “Exchange Online applies throttling for MailItemsAccessed events. If a mailbox generates more than 1,000 bind events in a 24-hour period, Exchange Online stops recording MailItemsAccessed events for bind operations for another 24 hours before resuming capture of these events. Microsoft says that less than 1% of mailboxes are subject to throttling.”
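For an investigation, the search results need to be split into individual item access and sync access, and checked for throttling, as described under “Searching Audit Events” and in the limits above. The following is an added example, not part of the original post: the function names are hypothetical, the AuditData field names (OperationProperties, MailAccessType, IsThrottled, Folders, FolderItems, InternetMessageId, Item.ParentFolder) are assumed from Microsoft's published schema for this event, and the sample records are constructed.

```powershell
# Added example (not from the original post).
# Flatten one audit record (AuditData is a JSON string) into the fields that matter.
function ConvertFrom-MailItemsAccessedRecord {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $data  = $Record.AuditData | ConvertFrom-Json
        $props = @{}
        foreach ($p in @($data.OperationProperties)) { $props[$p.Name] = $p.Value }
        # Bind records list the individual messages that were accessed
        $ids = @($data.Folders | ForEach-Object { $_.FolderItems } |
                 ForEach-Object { $_.InternetMessageId } | Where-Object { $_ })
        [pscustomobject]@{
            Time       = $data.CreationTime
            Mailbox    = $data.MailboxOwnerUPN
            ClientIP   = $data.ClientIPAddress
            AccessType = $props['MailAccessType']          # Bind or Sync
            Throttled  = ($props['IsThrottled'] -eq 'True')
            SyncFolder = $data.Item.ParentFolder.Path      # set on Sync records only
            MessageIds = $ids
        }
    }
}

# Per mailbox: which folders were synced, which items were read, and whether
# throttling means the list of read items is incomplete.
function Get-MailboxExposureSummary {
    param([Parameter(Mandatory)] [object[]]$Access)
    $Access | Group-Object Mailbox | ForEach-Object {
        $bind = @($_.Group | Where-Object { $_.AccessType -eq 'Bind' })
        $sync = @($_.Group | Where-Object { $_.AccessType -eq 'Sync' })
        [pscustomobject]@{
            Mailbox          = $_.Name
            SyncedFolders    = @($sync | ForEach-Object { $_.SyncFolder } | Sort-Object -Unique)
            ItemsRead        = @($bind | ForEach-Object { $_.MessageIds } | Sort-Object -Unique)
            ItemListComplete = (@($bind | Where-Object { $_.Throttled }).Count -eq 0)
        }
    }
}

# Constructed sample records (documentation addresses only).
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2020-04-01T10:00:00","MailboxOwnerUPN":"alice@example.com","ClientIPAddress":"203.0.113.10","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}],"Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<msg1@example.com>"},{"InternetMessageId":"<msg2@example.com>"}]}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2020-04-01T10:05:00","MailboxOwnerUPN":"alice@example.com","ClientIPAddress":"203.0.113.10","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"},{"Name":"IsThrottled","Value":"False"}],"Item":{"ParentFolder":{"Name":"Sent Items","Path":"\\Sent Items"}}}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2020-04-01T11:00:00","MailboxOwnerUPN":"bob@example.com","ClientIPAddress":"203.0.113.20","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"True"}],"Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<msg9@example.com>"}]}]}' }
)

$access = @($sample | ConvertFrom-MailItemsAccessedRecord)
Get-MailboxExposureSummary -Access $access | Format-List

# Against a tenant, replace $sample with the output of:
#   Search-UnifiedAuditLog -StartDate (start date) -EndDate (end date) -Operations MailItemsAccessed
```

A synced folder should be treated as fully obtained by the client, and a throttled mailbox means the list of individually read items cannot be relied on as complete.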


Assume you have a mailbox where MailItemsAccessed is not applied, but the mailbox has an E5 license.


You then try to add the audit event but you get an error that it’s only available for users with the appropriate license.


Double-check to see that you have the “Microsoft 365 Advanced Auditing” license type assigned.


Note: In my case, even though the box was checked, it did not work because this license assignment was inherited from an Azure AD P1 feature called Group-based licensing. So to work-around this bug, I directly assigned the license via PowerShell (since I couldn’t via the GUI since the checkbox was already selected) and that allowed the MailItemsAccessed to be applied.



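# $MSOLSKU must already hold the AccountSkuId of the license (Get-MsolAccountSku lists the values in your tenant)
$myO365Sku1 = New-MsolLicenseOptions -AccountSkuId $MSOLSKU

Set-MsolUserLicense -UserPrincipalName (username) -LicenseOptions $myO365Sku1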