Discover and read the best of Twitter Threads about #MicrosoftDefender
Most recents (2)
Ever wondered what happens when #MicrosoftDefender quarantines a PUP, but then you go in the notification, and select to "Allow" the application in the future? Well, a Registry value with the name of ThreatId (detected threat) is set in the Registry with a Data of 6 for Ignore. 
It seems that this Regkey is regularly cleaned however, since the application gets flagged every few days and I need to restart the process.
Registry key for copy/paste:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction
Registry key for copy/paste:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction
I don't know if it works in a similar fashion for actual threats (non-PUA/PUP), but if I ever get in that situation (oops... downloading malicious samples in P R O D), I'll be sure to test it out and update this tweet.
How to detect software supply chain attacks with #Sysmon, #MicrosoftDefender, or any other #EDR:
1. You use specific software in your environment.
2. The software is usually installed on a few servers that have privileges across the environment.
1. You use specific software in your environment.
2. The software is usually installed on a few servers that have privileges across the environment.
3. You probably have a naming convention for your servers. Also, servers have defined IP subnets.
4. Your EDR or Sysmon has "Company" information in the process event or process network logs.
Combining all together:
4. Your EDR or Sysmon has "Company" information in the process event or process network logs.
Combining all together:
Without even knowing what kind of software is used in the environment, you can analyze your process event logs to see if your servers have a 3rd party software installed. The same logs provide the computer name and/or the computer IP.
