my personal blog about systemcenter

Getting Microsoft Defender to work with Google Santa enabled

Categories: Uncategorized

Google Santa is an open source project that helps macOS administrators secure their workstations: it whitelists binaries at either SHA-256 or certificate level.

Santa supports both a local rule database and a remote sync server for configuration. This first post covers the local database; the remote sync server will be covered later.

For this test we are going to whitelist the certificates used by Microsoft Defender ATP.

Mixing whitelisting with modern endpoint protection might be overkill, but it is very good for locking down high-profile targets.

Santa's default configuration is monitor mode, so to enforce the rules we need to change the Santa configuration.

Following the example config from the documentation:

ClientMode is changed from 1 (monitor mode, where blocks are only logged) to 2 (lockdown mode, where they are enforced).

The testing here is done with a local configuration, so we also remove the SyncBaseURL key; when a sync server is configured, the allow/deny rules are managed by that server rather than edited locally with santactl.

Before the change we can see that the current configuration is monitor mode.

Install the config file.

We are now in lockdown mode, so any binary will be blocked unless it matches a binary or certificate rule (or is a system file).

So let's start the Microsoft Defender ATP installer.

Santa picks up the different daemons Defender ATP runs and blocks their execution, as they are not in the allow list yet. Running the install in monitor mode first would let it complete without errors, after which the log could be reviewed for what would have been blocked. I hit Ignore a number of times and then went to the log files.

Santa logs are at /var/db/santa/santa.log:

action=EXEC|decision=DENY|reason=UNKNOWN|sha256=241fde944258965f8912bfc30b55a60c821642722131e64b1d3dfce2d1913354|cert_sha256=e552705f4fa93f4b571e2804a107ce74a49f45e26729d192665d59a5cd3934a8|cert_cn=Developer ID Application: Microsoft Corporation (UBF8T346G9)|pid=687|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Applications/Microsoft Defender

action=EXEC|decision=DENY|reason=UNKNOWN|sha256=9a01cc98d7e1c5d3f1cde3f6b06b8d1540a0c35f80bf7026e8bf8274b05403cd|cert_sha256=09d93952b7b31903e1d9b85d5c8b48bbb86ad9830757ee5e75cd114fbb7e7303|cert_cn=Developer ID Application: Microsoft Corporation (UBF8T346G9)|pid=774|ppid=1|uid=501|user=fr-santatest|gid=20|group=staff|mode=L|path=/Library/Application Support/Microsoft/MAU2.0/Microsoft AU AU Daemon

We can see two different certificates being used: one for the main Defender ATP files and one for the Microsoft AutoUpdate application. Note that both log lines carry the same cert_cn (Developer ID Application: Microsoft Corporation (UBF8T346G9)) but different cert_sha256 values, so a single certificate rule would not cover both; each certificate hash needs its own rule.

santactl rule --whitelist --sha256 09d93952b7b31903e1d9b85d5c8b48bbb86ad9830757ee5e75cd114fbb7e7303 --certificate

Added rule for SHA-256: 09d93952b7b31903e1d9b85d5c8b48bbb86ad9830757ee5e75cd114fbb7e7303.

FR-SantaTests-Mac:~ root# santactl rule --whitelist --sha256 e552705f4fa93f4b571e2804a107ce74a49f45e26729d192665d59a5cd3934a8 --certificate

Added rule for SHA-256: e552705f4fa93f4b571e2804a107ce74a49f45e26729d192665d59a5cd3934a8.

We use santactl to add the two certificate rules to the whitelist, and after this Microsoft Defender ATP is fully functional with Santa running as an additional layer of protection.
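As an added example (not code from the original post or from the Santa project), the script below ties the two halves of this procedure together: it shows the local config.plist the steps above describe, ClientMode 2 with no SyncBaseURL, and then turns EXEC/DENY lines from santa.log into the santactl rule commands, one per distinct signing certificate, falling back to a binary-hash rule for anything that is unsigned. The sample log is constructed from the two entries quoted above plus three made-up lines; the config path /var/db/santa/config.plist and the 2018-era --whitelist flag are assumptions taken from Santa's documentation of the time (newer releases spell the same flag --allow).

```shell
#!/bin/sh
# Added example, not code from the original post or from the Santa project.
# Assumptions: santa.log lines are pipe-separated key=value fields as shown in
# the post, the config lives at /var/db/santa/config.plist (Santa's documented
# default at the time), and santactl uses the 2018-era syntax
#   santactl rule --whitelist --sha256 <hash> [--certificate]
# (newer Santa releases spell the same thing --allow).

# Constructed config.plist for local rule management: ClientMode 2 is lockdown
# (1 would be monitor), and SyncBaseURL is deliberately absent so santactl
# rule edits are accepted locally instead of being owned by a sync server.
CONFIG_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ClientMode</key>
    <integer>2</integer>
</dict>
</plist>'

# Print the integer following <key>ClientMode</key> in a plist read on stdin;
# prints nothing if the key is missing (Santa then defaults to monitor mode).
client_mode() {
  awk '/<key>ClientMode<\/key>/ { want = 1; next }
       want && match($0, /<integer>[0-9]+<\/integer>/) { print substr($0, RSTART + 9, RLENGTH - 19); exit }'
}

# Constructed sample log: the two DENY lines quoted in the post, plus three
# made-up lines: a second binary signed by the same MAU certificate (must not
# yield a second rule), an unsigned helper with no cert fields (needs a binary
# hash rule instead) and an ALLOW event that must be ignored.
SAMPLE_LOG='action=EXEC|decision=DENY|reason=UNKNOWN|sha256=241fde944258965f8912bfc30b55a60c821642722131e64b1d3dfce2d1913354|cert_sha256=e552705f4fa93f4b571e2804a107ce74a49f45e26729d192665d59a5cd3934a8|cert_cn=Developer ID Application: Microsoft Corporation (UBF8T346G9)|pid=687|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Applications/Microsoft Defender
action=EXEC|decision=DENY|reason=UNKNOWN|sha256=9a01cc98d7e1c5d3f1cde3f6b06b8d1540a0c35f80bf7026e8bf8274b05403cd|cert_sha256=09d93952b7b31903e1d9b85d5c8b48bbb86ad9830757ee5e75cd114fbb7e7303|cert_cn=Developer ID Application: Microsoft Corporation (UBF8T346G9)|pid=774|ppid=1|uid=501|user=fr-santatest|gid=20|group=staff|mode=L|path=/Library/Application Support/Microsoft/MAU2.0/Microsoft AU AU Daemon
action=EXEC|decision=DENY|reason=UNKNOWN|sha256=1111111111111111111111111111111111111111111111111111111111111111|cert_sha256=09d93952b7b31903e1d9b85d5c8b48bbb86ad9830757ee5e75cd114fbb7e7303|cert_cn=Developer ID Application: Microsoft Corporation (UBF8T346G9)|pid=801|ppid=1|uid=501|user=fr-santatest|gid=20|group=staff|mode=L|path=/Library/Application Support/Microsoft/MAU2.0/constructed-helper
action=EXEC|decision=DENY|reason=UNKNOWN|sha256=2222222222222222222222222222222222222222222222222222222222222222|pid=802|ppid=801|uid=501|user=fr-santatest|gid=20|group=staff|mode=L|path=/Users/fr-santatest/constructed-unsigned-tool
action=EXEC|decision=ALLOW|reason=CERT|sha256=3333333333333333333333333333333333333333333333333333333333333333|cert_sha256=e552705f4fa93f4b571e2804a107ce74a49f45e26729d192665d59a5cd3934a8|cert_cn=Developer ID Application: Microsoft Corporation (UBF8T346G9)|pid=803|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Applications/Microsoft Defender'

# Read santa.log on stdin and emit one santactl command per distinct signing
# certificate seen in EXEC/DENY events, falling back to a binary-hash rule for
# unsigned binaries. Review cert_cn before pasting: a certificate rule allows
# everything signed by that leaf certificate, not just the blocked binary.
denied_to_rules() {
  awk -F'[|]' '
    {
      split("", f)                                  # clear per-line field map
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq > 0) f[substr($i, 1, eq - 1)] = substr($i, eq + 1)
      }
      if (f["action"] != "EXEC" || f["decision"] != "DENY") next
      if (f["cert_sha256"] != "") {
        if (f["cert_sha256"] in cert_seen) next   # one rule per certificate
        cert_seen[f["cert_sha256"]] = 1
        printf "santactl rule --whitelist --sha256 %s --certificate   # %s\n", f["cert_sha256"], f["cert_cn"]
      } else {
        if (f["sha256"] in bin_seen) next         # unsigned: one rule per binary
        bin_seen[f["sha256"]] = 1
        printf "santactl rule --whitelist --sha256 %s   # unsigned: %s\n", f["sha256"], f["path"]
      }
    }'
}

# Number of rule lines produced for a log read on stdin.
rule_count() { denied_to_rules | grep -c '^santactl'; }

# Stand-alone demo on the constructed data.
printf 'ClientMode in constructed config: %s\n' "$(printf '%s\n' "$CONFIG_PLIST" | client_mode)"
printf '%s\n' "$SAMPLE_LOG" | denied_to_rules
```

Against a real machine, run `denied_to_rules < /var/db/santa/santa.log` as root after an installer has been blocked, read the generated commands, and only then paste the ones whose cert_cn you trust. The unsigned fallback is there because Santa cannot key an unsigned binary to a certificate, so such helpers need a per-binary rule, and that rule will stop matching as soon as the vendor ships an update.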

Edit: now with correct ATP vs APT, thanks Jan.

Testing ScaleFT BeyondCorp Secure Remote Access without a VPN

Categories: BeyondCorp, NoVPN, ScaleFT, Security

Testing ScaleFT access from an admin workstation to a remote server over Remote Desktop Protocol, but without a VPN or Remote Desktop Gateway.

ScaleFT creates BeyondCorp-style secure access to internal resources without publishing them over a VPN or exposing them directly to the internet.

This setup covers a basic integration between one PC and one server. ScaleFT provides a free version for personal use for up to 5 servers, so this is a large step forward in providing secure access to your resources.

Sign up on the ScaleFT site; there is excellent documentation in place and instant trial access.

This is my first go at a BeyondCorp install, and so far it looks very good.

This is a simple test without the full security integration, so no Azure AD or Okta; there is room for more improvements.

Overall process

1. Register trial

2. Set up client

3. Create project

4. Add server to project

5. Add permission to project

6. Use secure BeyondCorp access to your internal resources

Protocols available: web applications, Remote Desktop and SSH.

And the step by step:


Logging in to the interface, there are no clients for now.

Adding a client is as simple as downloading the client and running

sft enroll --team "tenant name"


ScaleFT does not require local admin rights on the machine from which access is started.


Adding the client to the team requires authentication. In the initial testing with Edge I saw some issues that need a bit of time to reproduce, but running with Chrome works.


And we can now see my PC in the portal.


To enroll a server we need to create a project.



Then we go to Enrollment Tokens to create a token for the server to enroll with.


Set a token name and save the token.

On the server we can install the ScaleFT server-side tools with PowerShell:

PS C:\ScaleFT> Import-Module .\Install.psm1

PS C:\ScaleFT> Install-ScaleFTServerTools -EnrollmentToken


C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.msi is signed by ScaleFT

Starting msiexec on C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.msi

MSI Log path: C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.log

Removing C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.msi

Starting Service scaleft-server-tools




And 2 minutes later we have it installed (on my slow connection).


And we now have a server to access.


As we are dealing with zero trust, nobody has access by default; we need to create a group that grants it.


Groups can grant either local admin or local user permissions; for this test we will use Admin.


Back on my client, run sft list-servers.


I get prompted to grant the client access to ScaleFT and allow it.


I can now see my server


And we try to log in.


In this environment we have locked down NTLM, and ScaleFT proxies the RDP session through localhost, so we need to allow NTLM to that target.


Adding localhost to the NTLM exceptions (the "Restrict NTLM: Add remote server exceptions for NTLM authentication" security option).


And we can now log on through our tunnel.


When we are done working we can issue sft logout.


And we have a full audit history


Can you tell whether a PC in your environment was remoted into from an unencrypted machine?

So, what does ScaleFT do on our Windows box to create access and users?

After the initial authentication we can see ScaleFT creating the admindemo user (that is my ScaleFT user) and adding it to the local Administrators and Remote Desktop Users groups:

time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Creating local user 'admindemo' based on user:'1d55549f-d4c9-7adc-2463-3b3414354e7c'" goal=user_create

time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Adding local user 'admindemo' to local group 'Administrators' based on group:'BUILTIN-A3FC-7CF8FAD6C251'" goal=group_member_add

time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Adding local user 'admindemo' to local group 'Remote Desktop Users' based on group:'BUILTIN–B750-50F1D33462FE'" goal=group_member_add


ScaleFT rotates the password at each logon, so a test from here shows:

* Username : WIN-GNM5AES6691\admindemo

* Domain : TERMSRV/

* Password : C1Vi5JqadyEZjW%HuskZcWM3cI3JkXOPDx#JApF3HvgB#%ZxpMZ3D4wBKPGdcT4n

And after the next logon:

* Username : WIN-GNM5AES6691\admindemo

* Domain : TERMSRV/

* Password : i7GYIDBh%[email protected]

So that looks good: the local account never has a long-lived password that could be reused.

Upgrading local ATA 1.8 to 1.9

Categories: Advanced Threat Analytics, ATA


Finally got to the first upgrade from ATA 1.8 to ATA 1.9, via Windows Update.


First change: there is no option to retain all data, only partial data is migrated. This is, afaik, new in 1.9.


And running.


3-4 minutes later and we are upgraded.


The portal can now see the out-of-date gateways.


In the time it took to drill down, the first gateway had already been updated.

The first major change I noticed is the ability to add custom groups to monitor for changes, a very welcome addition.

Time to play

Windows Defender ATP, Blocking unwanted applications

Categories: Defender, Device Guard, WDAPT

One of the features of Windows Defender ATP is to restrict app execution, blocking all binaries that are not Microsoft-signed from running. So if a machine is under attack or suspected compromised, one of the response steps is locking down the device so rogue applications stop working and the machine can be examined (the other step is network isolation; I will test that in a second post).

The first test is to enable restrictions on a device without any prior policy, then try on one with an existing policy, signed and unsigned.

Result of the post, to save you reading: the device still works, thanks to Microsoft-signed drivers, on a Lenovo X1 Yoga laptop.


In Windows Defender Security Center there is an option to restrict app execution. The concern before testing was how a device with non-Microsoft hardware would fare, so I took a Lenovo and installed Windows 10 and Lenovo System Update.


Go Go


A few seconds later the device is restricted.


Since I didn't have an evil exe, I tested with Chrome and it was blocked as designed.


After a test reboot we can see that a bit more was blocked:

C:\program files (x86)\google\chrome\application\chrome.exe
C:\program files (x86)\google\update\googleupdate.exe
C:\program files (x86)\lenovo\system update\tvsushim.exe
C:\program files\conexant\caudiofilteragent\sacpl.exe
C:\program files\dolby\dolby dax2\dax2_api\dolbydax2api.exe
C:\program files\dpr\dpr.exe

But in reality nothing important: all drivers were Microsoft-signed, so the device kept functioning.


All blocked executions are easily traced in the Defender Security Center portal.


And the reverse (removing the restriction) is just as easy.

Skype Updater Escalation Prevention through GPO

Categories: Uncategorized

An issue with the Skype installer/updater was published.

It can elevate a normal user on a PC to SYSTEM on older OS versions that don't use the Windows 10 app.

On Windows 10 you can install version 8 only if you set the installer to Windows 7 or 8; when testing that, the update service was not installed.

On the 7.x branch the update service was added on my test PC, but it wasn't visible on the 8 branch.

It is recommended to stay on the newest version and use the Windows 10 app when possible.

For the workaround (which will break automatic updates but preserve security):


Create a new Group Policy.


Go to Computer Configuration, Windows Settings, Security Settings, System Services.

Select the Skype Update service, define the policy and set the startup mode to Disabled.


Verify that it is set to Disabled.


Set the GPO security filter for testing.


Link the GPO (for testing, linking at the domain root is acceptable).


Run gpupdate /force or wait a bit; after that the service startup type is set to Disabled and cannot be modified locally.