So, I recently spent some time playing with the Windows Defender Security Center, looking at security incidents that I generated on a Windows 10 laptop. The idea was simply to see what it offers, as far as how it protects me and notifies me of any security issues. To begin with, you have to sign up to add it to your Office 365 tenant, and then register the device you are using. From the Windows Defender ATP portal, go to the “Endpoint onboarding” section in the left navigation pane, select “Local script (for up to 10 machines)”, and click the “Download Package” button. Extract “WindowsDefenderATPOnboardingScript.cmd” (or “WindowsDefenderATPLocalOnboardingScript.cmd” if you are running the preview) from the downloaded archive, and run it in an elevated command prompt (“Run as administrator”) on the machine you prepared. Once this completes, you may have to wait a few minutes for the machine to register with the Windows Defender ATP portal; it will then be listed in the console.
Now that we have a machine registered, you can test how it works by opening a PowerShell window and running the following command:
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-WDATP-test\invoice.exe');Start-Process 'C:\test-WDATP-test\invoice.exe'
This will run and then close the PowerShell window you have open. After a few minutes the event is registered within the portal, and it should then be listed as an alert.
What is clever here is that clicking on the actual alert drills down into the process-level details of what took place.
You can then click on each process and see further details about that specific process, along with some historical data. Alerts can be generated by other actions too; for my examples I used specific PowerShell commands to try to load other components, or simply to call something that your end users shouldn’t be calling.
For example, I ran a command that spawned a PowerShell window and a command window. This was captured along with the command details.
The system logs entries using a couple of components from within Windows 10, as well as the components that were connected when the onboarding script was run. This means that whether something is trying to attack the workstation or someone is running a process directly on the machine, it gets picked up and captured. Within the dashboard there is also a timeline that lets you see when an event or attack took place, along with the details.
Clicking on the “Suspicious shell command sequence” entry breaks this open and gives you a deeper understanding of what happened.
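To make the “Suspicious shell command sequence” idea concrete, here is an added example (not code from the post, and not Microsoft’s detection logic, which is not described on the page) of the kind of check a defender would run over process-creation telemetry. It scores a PowerShell command line against a few indicators present in the test command above (execution-policy bypass, hidden window, a web download, launching the result) and separately flags a shell spawned by PowerShell, which is the parent/child chain the post describes. The event records, field names and the two-indicator threshold are constructed assumptions for this example; real WDATP alert criteria are not published here.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (constructed for this example, not WDATP telemetry)."""
    pid: int
    ppid: int
    image: str     # path of the newly created process
    cmdline: str   # full command line as launched


# Constructed sample events, modelled on the test command run in the post:
# explorer -> powershell (download-and-run) -> cmd, plus a benign admin script.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden "
                 "(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', "
                 "'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'"),
    ProcessEvent(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent(400, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"),
]

# Command-line indicators. PowerShell accepts abbreviated parameter names
# (-ep, -w), so the patterns allow those too. Each one on its own is common
# in legitimate admin tooling; the combination is what makes them interesting.
INDICATORS = {
    "execution_policy_bypass": re.compile(r"-(?:ExecutionPolicy|ep)\s+bypass", re.I),
    "hidden_window": re.compile(r"-(?:WindowStyle|w)\s+hidden", re.I),
    "download": re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|Net\.WebClient", re.I),
    "launch_payload": re.compile(r"Start-Process|Invoke-Expression|\biex\b", re.I),
}

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
SHELL_IMAGES = POWERSHELL_IMAGES + ("cmd.exe",)


def basename(path: str) -> str:
    """Last path component, lower-cased, for image-name comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def cmdline_indicators(cmdline: str) -> set:
    """Return the names of all indicators that match this command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmdline)}


def shell_spawn_chains(events) -> list:
    """Return (parent_pid, child_pid) pairs where PowerShell spawned another shell."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # parent not in this batch of telemetry
        if basename(parent.image) in POWERSHELL_IMAGES and basename(e.image) in SHELL_IMAGES:
            chains.append((parent.pid, e.pid))
    return chains


def find_alerts(events, min_indicators: int = 2) -> list:
    """Produce alert records: multi-indicator command lines, then shell spawn chains.

    min_indicators=2 keeps a lone '-ExecutionPolicy Bypass' (pid 400 in the
    sample) from alerting, since that alone is routine for scheduled scripts.
    """
    alerts = []
    for e in events:
        hits = cmdline_indicators(e.cmdline)
        if len(hits) >= min_indicators:
            alerts.append({"pid": e.pid, "reason": "suspicious_powershell_cmdline",
                           "indicators": sorted(hits)})
    for ppid, pid in shell_spawn_chains(events):
        alerts.append({"pid": pid, "reason": "shell_spawned_by_powershell", "parent_pid": ppid})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the test command from the post trips all four indicators, the cmd.exe child is reported as a spawn chain, and the benign inventory script (one indicator) stays quiet; in practice the threshold and indicator list would be tuned against your own baseline of admin activity.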
This is very powerful, as it gives you a “play-by-play” rundown of what happened within the operating system. It is a great tool that can simply be added to your environment and then used in conjunction with other tools from the Microsoft Cloud to protect at every level.
Microsoft has provided some great documentation to learn more: