Configuring Windows firewall on your workstation fleet is an underrated security improvement - those devices shouldn't be talking to each other on a lot of the same ports often used for lateral movement. I wrote some #KQL to help build firewall rules out without breaking things.
Everyone's favourite: find devices that have had no inbound RDP traffic in the last 30 days - github.com/reprise99/Sent…
And a query to summarize all the inbound activity on these ports to your devices. You can change these queries to include any ports. The key point is if you use Defender, you can use the telemetry to see the impact of changes before you deploy them - github.com/reprise99/Sent…
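The thread's own queries sit behind the truncated GitHub links above. As an added example that is not the author's code, here are three Defender for Endpoint Advanced Hunting queries in the same spirit: the first lists Windows workstations with no accepted inbound RDP in 30 days, the second summarizes accepted inbound connections on common lateral-movement ports, and the third goes one step beyond the thread by simulating a proposed rule (allow TCP/3389 only from a jump-host range) to show which devices and sources would break. Assumptions: the standard `DeviceInfo` and `DeviceNetworkEvents` schema, `DeviceType == "Workstation"` as the fleet filter, and a hypothetical jump-host range of `10.10.10.0/24`. Each query is run on its own in the Advanced Hunting editor.

```kql
// ---------- Query 1: workstations with NO accepted inbound RDP in the last 30 days ----------
// Assumption: DeviceInfo.DeviceType == "Workstation" is how the fleet is scoped.
let lookback = 30d;
let rdpPort = 3389;
let fleet = DeviceInfo
    | where Timestamp > ago(lookback)
    | where OSPlatform startswith "Windows"
    | where DeviceType == "Workstation"
    | summarize arg_max(Timestamp, DeviceName, OSPlatform) by DeviceId;
let inboundRdp = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "InboundConnectionAccepted"   // only connections the host actually accepted
    | where LocalPort == rdpPort
    | summarize LastInboundRdp = max(Timestamp) by DeviceId;
fleet
| join kind=leftanti inboundRdp on DeviceId            // keep devices with no matching inbound RDP row
| project DeviceName, OSPlatform, LastSeen = Timestamp
| sort by DeviceName asc

// ---------- Query 2: summary of accepted inbound connections on lateral-movement ports ----------
// Edit the port list to suit; these are the usual suspects (RDP, SMB, RPC, NetBIOS, WinRM, SSH).
let lookback = 30d;
let lateralPorts = dynamic([3389, 445, 135, 139, 5985, 5986, 22]);
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "InboundConnectionAccepted"
| where LocalPort in (lateralPorts)
| summarize Connections = count(),
            DistinctSources = dcount(RemoteIP),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleSources = make_set(RemoteIP, 10)
    by DeviceName, LocalPort, Protocol
| sort by DeviceName asc, Connections desc

// ---------- Query 3: what would a proposed rule break? ----------
// Proposed rule: inbound TCP/3389 allowed only from the jump-host range below.
// Assumption: 10.10.10.0/24 is a hypothetical jump-host subnet; substitute your own.
let lookback = 30d;
let jumpHostRange = "10.10.10.0/24";
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "InboundConnectionAccepted"
| where LocalPort == 3389 and Protocol == "Tcp"
| where not(ipv4_is_in_range(RemoteIP, jumpHostRange))   // sources the new rule would block
| summarize BlockedConnections = count(),
            BlockedSources = make_set(RemoteIP, 20),
            LastSeen = max(Timestamp)
    by DeviceName
| sort by BlockedConnections desc
```

Two caveats when reading the results. Advanced Hunting keeps 30 days of raw events, so anything that happens less often than monthly (an admin's quarterly RDP session, a patching job) will not appear; if the data is also in Sentinel with longer retention, run the same queries there before trusting a "no inbound" result. And an empty result for query 1 only means no accepted inbound RDP was observed by the sensor during the window, not that the port is closed, so pair the rollout with a "ConnectionFailed" watch on the same ports after the rule ships to catch anything the telemetry missed.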