my personal blog about systemcenter

Upgrading Local ATA 1.8 to 1.9

Categories: Advanced Threat Analytics, ATA


Finally got to the first upgrade from ATA 1.8 to ATA 1.9, so on to Windows Update.


And the first change: there is no option to retain data, only partial data is migrated. This is, afaik, new for 1.9.


And running


3-4 minutes later and we are upgraded


and the portal can see the out-of-date gateways


and in the time it took to drill down, the first agent was already updated

First major change noticed: adding custom groups to monitor for changes, a very welcome change.

Time to play

Windows Defender ATP: Blocking unwanted applications

Categories: Defender, Device Guard, WDAPT

One of the features of Windows Defender ATP is to block all non-Microsoft binaries from running, so if a machine is under attack or suspected compromised, one of the steps is locking down the device so rogue applications stop working and the machine can be examined (the other step is network isolation; will test that in a 2nd post).

First test is enabling restrictions on a device without any prior policy, then trying on one with an existing policy, signed and unsigned.

Result of the post, to save you reading: the device still works, due to MS-signed drivers on a Lenovo X1 Yoga laptop.


In the Windows Defender Security Center there is an option to run Restrict App Execution. The concern before testing was how a non-Microsoft hardware device would do, so I took a Lenovo, added Windows 10 and Lenovo System Update.


Go Go


A few seconds later the device is restricted.


and since I didn't have an evil exe, I tested with Chrome and it was blocked as designed


and after a test reboot we can see that a bit more was blocked:

C:\program files (x86)\google\chrome\application\chrome.exe
C:\program files (x86)\google\update\googleupdate.exe
C:\program files (x86)\lenovo\system update\tvsushim.exe
C:\program files\conexant\caudiofilteragent\sacpl.exe
C:\program files\dolby\dolby dax2\dax2_api\dolbydax2api.exe
C:\program files\dpr\dpr.exe

but in reality nothing important; all drivers were MS-signed, so the device is still functioning


and everything blocked is easily traced in the Defender Security Center portal


and the reverse is just as easy.

Skype Updater Escalation: Prevent through GPO

Categories: Uncategorized

An issue was published with the Skype installer.

This can elevate normal users on a PC to SYSTEM on older OSes that don't use Windows 10 apps.

On Windows 10 you can install version 8 only if you set the installer to Windows 7 or 8; when testing that, the update service was not installed.

On the 7.x branch the update service was added on my test PC, but it wasn't visible on the 8 branch.

It's recommended to stay on the newest version and use Windows 10 apps when possible.

For the workaround (which will break automatic updates but preserve security):


Create a new Group Policy.


Go to Windows Settings, Security Settings, System Settings.

Select the Skype Update Service and select Disabled.


Verify it's set to Disabled.


Set the GPO filter for testing.


Link the GPO (for testing, linking to the root is acceptable).


Run gpupdate /force or wait a bit; after that the setting is set to Disabled and can't be modified.
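To check the outcome of the steps above on a client, here is an added example (my own script, not from the original post): it reads the service's Start value from the registry and reports whether the updater is both Disabled and stopped. It assumes the Skype 7.x installer registers the service under the name 'SkypeUpdate' (confirm with Get-Service on your test PC); the function name and output fields are mine.

```powershell
# Added example (not from the post): report whether the Skype updater service
# on a client ended up Disabled once the GPO applied. Assumptions: the service
# is registered as 'SkypeUpdate' by the 7.x installer (confirm with Get-Service
# on a test PC); registry layout is standard Windows (Start=4 means Disabled).
function Get-SkypeUpdaterState {
    param(
        [string]$ServiceName = 'SkypeUpdate'   # assumed service name
    )

    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        # The post saw no updater service on the 8.x branch; nothing to lock down.
        return [pscustomobject]@{
            Service   = $ServiceName
            Installed = $false
            Status    = $null
            StartType = $null
            Compliant = $true
        }
    }

    # Read the Start value directly: 2 = Automatic, 3 = Manual, 4 = Disabled.
    $regPath    = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $startValue = (Get-ItemProperty -Path $regPath -Name Start).Start
    $startType  = switch ($startValue) {
        2       { 'Automatic' }
        3       { 'Manual' }
        4       { 'Disabled' }
        default { "Unknown($startValue)" }
    }

    [pscustomobject]@{
        Service   = $ServiceName
        Installed = $true
        Status    = $svc.Status.ToString()
        StartType = $startType
        # The workaround is in effect only if the service is Disabled and not running.
        Compliant = ($startValue -eq 4 -and $svc.Status -eq 'Stopped')
    }
}

# Usage: run after gpupdate /force on a test PC. A non-compliant machine still
# has a live updater service that the published issue relies on.
Get-SkypeUpdaterState | Format-List
```

Run it before and after gpupdate /force to see the StartType flip to Disabled; `gpresult /r` on the same machine confirms which GPO delivered the setting.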

Adding OpenLiveWriter to a DeviceGuard Protected Machine

Categories: Device Guard, Security

I wanted to add OpenLiveWriter to my PC, but since it's protected by Device Guard it required a few additional steps.

Following Matt Graeber's (@mattifestation) guide to merging policies, I ended up with the following:

PS C:\Windows\system32> $OpenLiveWriter = Get-SystemDriver -ScanPath 'C:\Users\FR\AppData\Local\OpenLiveWriter' -UserPEs

Scanning the install directory

New-CIPolicy -FilePath OpenLiveWriter.xml -DriverFiles $OpenLiveWriter -Level PUBLISHER -UserPEs


"Unable to generate rules for all scanned files at the requested level. A list of files not covered by the current policy can be found at C:\Users\Flemming Riis\AppData\Local\Temp\tmpD089tmp. If it is safe to not include these files, no action needs to be taken, otherwise a more complete policy may be created using the -fallback switch"


The first run was at the PUBLISHER level, but the majority of the files aren't signed, so I changed the policy to HASH. This leaves an issue with auto-update, so the icon was changed to point at openlivewriter.exe instead of update.exe.



We now end up with a rather large list of allowed files.

And putting it all together:

$MasterRuleXml = 'BASE.xml'   # this was my T460s baseline

$OpenLiveWriter = Get-SystemDriver -ScanPath 'C:\Users\FR\AppData\Local\OpenLiveWriter' -UserPEs

New-CIPolicy -FilePath OpenLiveWriter.xml -DriverFiles $OpenLiveWriter -Level HASH -UserPEs

$OpenLiveWriterRules = New-CIPolicyRule -DriverFiles $OpenLiveWriter -Level HASH

Merge-CIPolicy -OutputFilePath FinalPolicy.xml -PolicyPaths $MasterRuleXml -Rules $OpenLiveWriterRules

ConvertFrom-CIPolicy -XmlFilePath .\FinalPolicy.xml -BinaryFilePath SIPolicy.p7b

And after a reboot I can now run OpenLiveWriter on my Device Guard protected PC.
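Before converting the merged XML to SIPolicy.p7b it is worth looking at what the HASH level actually produced. The following is an added example (my own, not from the post or from Matt Graeber's guide): it counts hash, signer and deny rules in FinalPolicy.xml, works out how many distinct files the hash rules cover, and flags whether 'Enabled:Audit Mode' is still set. It assumes the XML uses the standard urn:schemas-microsoft-com:sipolicy schema written by New-CIPolicy, and that a hash rule's FriendlyName starts with the file path followed by ' Hash '; the function name is mine.

```powershell
# Added example (not from the post, nor from Matt Graeber's guide): summarise a
# merged CI policy before ConvertFrom-CIPolicy, so the size of the HASH-level
# allow list and the audit-mode flag are reviewed rather than discovered after
# a reboot. Assumptions: the XML follows the urn:schemas-microsoft-com:sipolicy
# schema, and hash-rule FriendlyNames look like '<path> Hash Sha256'.
function Get-CIPolicySummary {
    param(
        [string]$PolicyPath = '.\FinalPolicy.xml'   # output of Merge-CIPolicy above
    )

    [xml]$policy = Get-Content -Path $PolicyPath -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($policy.NameTable)
    $ns.AddNamespace('si', 'urn:schemas-microsoft-com:sipolicy')

    # Per-file hash rules: every updated binary needs a new rule, which is the
    # auto-update problem the post ran into.
    $hashRules = @($policy.SelectNodes('//si:FileRules/si:Allow[@Hash]', $ns))
    $signers   = @($policy.SelectNodes('//si:Signers/si:Signer', $ns))
    $denyRules = @($policy.SelectNodes('//si:FileRules/si:Deny', $ns))

    # New-CIPolicy emits several hash rules per file (SHA1/SHA256, flat and
    # page hashes); group by the path prefix of FriendlyName to count files.
    $files = @($hashRules |
        ForEach-Object { ($_.FriendlyName -split ' Hash ')[0] } |
        Sort-Object -Unique)

    # If 'Enabled:Audit Mode' is still set, the policy logs but blocks nothing.
    $auditXPath = "//si:Rules/si:Rule/si:Option[text()='Enabled:Audit Mode']"
    $auditMode  = @($policy.SelectNodes($auditXPath, $ns)).Count -gt 0

    [pscustomobject]@{
        Policy      = (Resolve-Path $PolicyPath).Path
        HashRules   = $hashRules.Count
        HashedFiles = $files.Count
        SignerRules = $signers.Count
        DenyRules   = $denyRules.Count
        AuditMode   = $auditMode
        FileList    = $files
    }
}

# Usage: inspect the merged policy, then convert it only if the numbers and
# the audit flag are what you expect.
Get-CIPolicySummary -PolicyPath .\FinalPolicy.xml | Format-List
```

A high HashedFiles count confined to the OpenLiveWriter directory is expected here; hash rules for paths outside the scanned folder, or AuditMode still true on a policy meant to enforce, are the things to catch before ConvertFrom-CIPolicy.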

Count your Domain Controllers Often and Always

Categories: Active Directory, AD, Advanced Threat Analytics, ATA, Security

Had a talk the other day with a friend about domain controllers; we talked about how many orgs would actually detect a new domain controller, and if they did, how fast.

As this is a normal operation it's not flagged by ATA, but it would be a very nice feature to add (as far as I can see; this is a new install, so no 30 days of ML with admin behaviour). ATA should detect an admin logging on to a new server, but I need to test that on an aged system.

There are most likely a lot of event log hints of new domain controllers being added; need to examine those as well.


Adding a new domain controller


We can see the new object as a domain controller


Adding Domain Controllers Group to Sensitive Groups could h


So we could get a report like this if a DC was added; that could be a very good feature.


Or list domain controllers not monitored by ATA

Detecting Domain Controllers being added

One method could be to use the script from @LazyWinAdm


.\Monitor-ADGroupMembership.ps1 -Group "Domain Controllers" -EmailFrom [email protected] -EmailTo "[email protected]" -EmailServer -Verbose

on a rapid schedule



The first run finds the (now) 2 domain controllers.


And we will now get an email alert when a new domain controller is added or removed.
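The same idea can be done without the external script, and with a second data source. Below is an added example (my own, not the @LazyWinAdm script and not from the post): it records a baseline of domain controllers, compares each run against it, and also cross-checks the Domain Controllers group against the DC objects AD knows about, since a computer placed in that group without a matching DC object (or the other way round) is worth a look on its own. It assumes the ActiveDirectory module is available and the account can read the domain; the baseline path, mail server and addresses are placeholders.

```powershell
# Added example (not from the post, and not the @LazyWinAdm script): keep a
# baseline of domain controllers and alert on any addition or removal.
# Assumptions: ActiveDirectory module present, read access to the domain;
# the baseline path and mail settings below are placeholders.
param(
    [string]$BaselinePath = "$env:ProgramData\DcBaseline.json",
    [string]$SmtpServer   = 'smtp.example.invalid',        # placeholder
    [string]$MailFrom     = 'dc-monitor@example.invalid',  # placeholder
    [string]$MailTo       = 'secops@example.invalid'       # placeholder
)
Import-Module ActiveDirectory

# Two independent views: the DC objects AD knows about, and the members of
# the Domain Controllers group. A mismatch between them is itself suspicious.
$dcObjects = @(Get-ADDomainController -Filter * |
    Select-Object -ExpandProperty HostName | Sort-Object)
$dcGroup   = @(Get-ADGroupMember -Identity 'Domain Controllers' |
    Select-Object -ExpandProperty Name | Sort-Object)

$current = [pscustomobject]@{
    Timestamp = (Get-Date).ToString('o')
    DcObjects = $dcObjects
    DcGroup   = $dcGroup
}

if (-not (Test-Path $BaselinePath)) {
    # First run: record what we see now (the post's first run found 2 DCs).
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written with $($current.DcObjects.Count) domain controller(s)."
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$added    = @($current.DcObjects  | Where-Object { $_ -notin $baseline.DcObjects })
$removed  = @($baseline.DcObjects | Where-Object { $_ -notin $current.DcObjects })

# Group members use the short computer name; compare against the host part
# of each DC's FQDN to find members that are not real DC objects.
$dcShortNames = $current.DcObjects | ForEach-Object { ($_ -split '\.')[0] }
$groupOnly    = @($current.DcGroup | Where-Object { $_ -notin $dcShortNames })

if ($added -or $removed -or $groupOnly) {
    $body = @(
        "Domain controller change detected at $($current.Timestamp)"
        "Added:   $($added -join ', ')"
        "Removed: $($removed -join ', ')"
        "In 'Domain Controllers' group but not a DC object: $($groupOnly -join ', ')"
    ) -join "`n"
    Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
        -Subject 'Domain controller change' -Body $body
    Write-Warning $body
    # Roll the baseline forward so the next run only reports new changes;
    # the alert above is the record that this change happened.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
} else {
    Write-Output "No change: $($current.DcObjects.Count) domain controller(s)."
}
```

Scheduled every few minutes, as the post suggests for the group-membership script, this gives the "count your domain controllers often" check with a written baseline you can also diff by hand.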