my personal blog about systemcenter

All posts tagged Microsoft Defender

Getting Microsoft Defender to work with Google Santa enabled

Categories: Uncategorized
Comments Off on Getting Microsoft Defender to work with Google Santa enabled

Google Santa is an open source project that helps OSX Administrators secure the workstations, its whitelists binaries on either SHA256 or Certificate Level. (Download https://github.com/google/santa)

Santa Supports local database and remote sync server for configuration, the first post will cover local database, remote sync server will be covered later

For this test we are going to whitelist the certificates used by Microsoft Defender ATP

Mixing Whitelisting and Modern Protections might be overkill but its very good for locking down high profile target

Santa’s default configuration is monitor mode so to enforce the rules we need to change the Santa configuration

Following the example config from the documentation https://santa.readthedocs.io/en/latest/deployment/configuration/

ClientMode is change from 1 (monitor mode) to 2 (Enforced)

And the testing here is done with local config so we need to remove the SyncBaseURL Key/String to support local modification of the allow/deny list

And we can see that the default configuration is Monitor Mode

Install the config file

And we are in lockdown mode , so any binary will be block unless it matches binary or certificate rules (or is system file)

So let’s start the Microsoft Defender ATP installer

And Santa picks up the different daemons Defender ATP will run and blocks the execution as they are not in the allow list yet , running this in monitor mode would make the install successful without errors on the first run and then looking at log files , I hit ignore for a bunch of times and then go for the log files

Santa Logs are at /var/db/santa/santa.log

action=EXEC|decision=DENY|reason=UNKNOWN|sha256=241fde944258965f8912bfc30b55a60c821642722131e64b1d3dfce2d1913354|cert_sha256=e552705f4fa93f4b571e2804a107ce74a49f45e26729d192665d59a5cd3934a8|cert_cn=Developer ID Application: Microsoft Corporation (UBF8T346G9)|pid=687|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=L|path=/Applications/Microsoft Defender ATP.app/Contents/Resources/wdavdaemon.app/Contents/MacOS/wdavdaemon

action=EXEC|decision=DENY|reason=UNKNOWN|sha256=9a01cc98d7e1c5d3f1cde3f6b06b8d1540a0c35f80bf7026e8bf8274b05403cd|cert_sha256=09d93952b7b31903e1d9b85d5c8b48bbb86ad9830757ee5e75cd114fbb7e7303|cert_cn=Developer ID Application: Microsoft Corporation (UBF8T346G9)|pid=774|ppid=1|uid=501|user=fr-santatest|gid=20|group=staff|mode=L|path=/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AU Daemon.app/Contents/MacOS/Microsoft AU Daemon

And we can see that there are 2 different certs being used, 1 for the main Defender ATP files and 1 for the Microsoft Update Application

santactl rule –whitelist –sha256 09d93952b7b31903e1d9b85d5c8b48bbb86ad9830757ee5e75cd114fbb7e7303 –certificate

Added rule for SHA-256: 09d93952b7b31903e1d9b85d5c8b48bbb86ad9830757ee5e75cd114fbb7e7303.

FR-SantaTests-Mac:~ root# santactl rule –whitelist –sha256 e552705f4fa93f4b571e2804a107ce74a49f45e26729d192665d59a5cd3934a8 –certificate

Added rule for SHA-256: e552705f4fa93f4b571e2804a107ce74a49f45e26729d192665d59a5cd3934a8.

We use santactl to add rules to our whitelist , and after this Microsoft Defender ATP is now fully functional with Santa running as additional protection

Edit : now with correct ATP vs APT , thanks Jan