Attack Surface Reduction (ASR) rules have expanded to include a full range of zero-day protections. If you aren't using them today or haven't tried to use them recently, then it's time to look again. If you aren't locking down Windows natively then you're missing out on critical security features.
The real purpose of Troubleshooting Mode, then is for you to document changes that you need to make to the organizational policy for Defender for the affect machines.
Students in the Defender XDR course were advised not to alter threat actions in their anti-virus policy, leaving them as Not configured. This allows Defender to use its default behaviors, local device settings, signature-defined actions, and automatic remediation. Relying on Microsoft's security expertise ensures optimal threat management.
You will have now prevented misleadingly named apps, potentially malicious apps, apps with misleading publisher names, apps performing unusual amounts of file downloads, the addition of credentials to OAuth, and apps with a strange ISP for an OAuth.
Despite criminal masterminds and "security researchers" always coming up with the next greatest tool for causing financial damage to our businesses and economy, there are patterns.
Defense implies a reactionary approach. Prevention set the scene where ransomware can't get you in the first place.
It's one of the least known and used portal in the entire Microsoft 365 suite. Too bad, because it contains some configuration and automation gems. Let's see how we use it to automate Office updates.
Fortunately, Defender protects against this when configured correctly. In addition to the Defender for Endpoint sensor installation, Attack Surface Reduction rules and certain anti-virus configurations should also be deployed
Once these two items have been set the ability of PlugX to take advantage of innocent people should be thwarted.
All it took was an email attachment policy, a little hardening of Microsoft Office and the configuration of the built-in anti-virus software
It's an Attack Surface Reduction rule and it is exploited in the wild, so it's import to close up this vulnerability to fileless attacks.
Where should you configure ASR rules? I had this question, so I asked a contact in Endpoint Management at Microsoft.
