Defending a Microsoft Environment at Scale looks at the innovations made in Windows 10 and the capabilities of a Microsoft stack to mount a capable defense against most vulnerability classes. The talk is based on a direct mapping of the MITRE ATT&CK framework to the defense classes within the Microsoft offering.
This talk focuses on leveraging the capabilities of a Microsoft stack to mount a capable defense against most vulnerability classes. It starts out by describing the MITRE ATT&CK framework and how we have used it internally to build a defense model. We then expand on specific capabilities of the Windows subsystem to detect and respond to the following tactics: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration and Command and Control (C2).
As we continue, we describe a working defense model that extrapolates the telemetry from these indicators across Microsoft Windows to an enterprise view that reduces noise and improves signal. To do this, we explain how Windows Event Forwarding (WEF) works, walk through a sample Sysmon deployment guide, and show how to collect rich event metadata from all Windows Event Log sources to build correlation. This goes beyond traditional SIEM implementations and covers specific use cases that address the MITRE ATT&CK framework.
During the second half of the talk, we explain how to scale this to geographically dispersed machines and build correlation and response when physical or remote access might not be available. We provide a high-level overview of the native Windows Defender engine and show how the expanded Windows Defender ATP product allows us to perform frequency analysis, look at process trees and generally identify malicious behavior on the endpoint.
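The two ideas above, correlating forwarded Sysmon telemetry into an enterprise view and then reasoning over process trees and per-image frequency, can be shown on a small scale with a parser over Sysmon Event ID 1 (process creation) records in the XML form that WEF delivers them. The following is an added example written for this abstract, not code from the talk or from Microsoft: the host names, process GUIDs and the four event records are constructed samples (laid out in Sysmon's real EventData field names), and the "Office application spawned a command shell" rule is one illustrative correlation, not the talk's detection content.

```python
"""Rebuild per-host process trees from forwarded Sysmon Event ID 1 records
and run a simple ancestry-based correlation plus a per-image host count.

Added illustration; all events below are constructed samples, not real
telemetry. Field names (Image, ProcessGuid, ParentProcessGuid, ...) follow
Sysmon's EventData layout so the parser applies to real forwarded events.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from pathlib import PureWindowsPath

# Namespace used by Windows Event Log XML (the same for WEF-forwarded events).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: four forwarded process-creation events from two hosts.
# ws01 shows WINWORD.EXE -> cmd.exe -> powershell.exe; ws02 shows a benign
# explorer.exe -> cmd.exe. GUIDs are placeholders, not real Sysmon GUIDs.
SAMPLE_EVENTS = r"""
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
  <Computer>ws01.corp.example</Computer></System>
  <EventData>
    <Data Name="UtcTime">2018-03-01 10:00:00.000</Data>
    <Data Name="ProcessGuid">{G-WORD}</Data>
    <Data Name="Image">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
    <Data Name="ParentProcessGuid">{G-EXPL1}</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
  <Computer>ws01.corp.example</Computer></System>
  <EventData>
    <Data Name="UtcTime">2018-03-01 10:00:05.000</Data>
    <Data Name="ProcessGuid">{G-CMD1}</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="ParentProcessGuid">{G-WORD}</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
  <Computer>ws01.corp.example</Computer></System>
  <EventData>
    <Data Name="UtcTime">2018-03-01 10:00:06.000</Data>
    <Data Name="ProcessGuid">{G-PS1}</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="ParentProcessGuid">{G-CMD1}</Data>
    <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
  <Computer>ws02.corp.example</Computer></System>
  <EventData>
    <Data Name="UtcTime">2018-03-01 10:01:00.000</Data>
    <Data Name="ProcessGuid">{G-CMD2}</Data>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="ParentProcessGuid">{G-EXPL2}</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
</Events>
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def basename(image):
    """Lower-cased file name of a Windows image path (works off-Windows)."""
    return PureWindowsPath(image).name.lower()


def parse_events(xml_text):
    """Flatten each Sysmon EventID 1 record into a dict of EventData fields."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "1":
            continue
        rec = {"Computer": ev.findtext("e:System/e:Computer", namespaces=NS)}
        for data in ev.findall("e:EventData/e:Data", NS):
            rec[data.get("Name")] = data.text or ""
        events.append(rec)
    return events


def build_tree(events):
    """Index records by (host, ProcessGuid); GUIDs are unique per host."""
    return {(e["Computer"], e["ProcessGuid"]): e for e in events}


def ancestry(tree, host, guid):
    """Walk parent links from a process to the oldest ancestor we know about.
    When the parent's own creation event was never seen (it started before
    Sysmon, for example), fall back to the ParentImage field of the last record."""
    chain, key, last = [], (host, guid), None
    while key in tree:
        last = tree[key]
        chain.append(basename(last["Image"]))
        key = (host, last["ParentProcessGuid"])
    if last is not None:
        chain.append(basename(last["ParentImage"]))
    return chain


def office_spawned_shell(events):
    """Correlation rule: a shell whose ancestry contains an Office application."""
    tree = build_tree(events)
    hits = []
    for e in events:
        chain = ancestry(tree, e["Computer"], e["ProcessGuid"])
        if chain and chain[0] in SHELLS and any(a in OFFICE_APPS for a in chain[1:]):
            hits.append((e["Computer"], " <- ".join(chain)))
    return hits


def image_host_counts(events):
    """Frequency analysis: on how many distinct hosts did each image run?
    Images seen on very few hosts are the ones worth a closer look."""
    seen = defaultdict(set)
    for e in events:
        seen[basename(e["Image"])].add(e["Computer"])
    return {img: len(hosts) for img, hosts in seen.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for host, chain in office_spawned_shell(evs):
        print(f"[{host}] {chain}")
    print(image_host_counts(evs))
```

On real data the XML would come from the Forwarded Events log on the WEF collector rather than an inline string; the parser and the two functions stay the same. The ancestry walk degrades gracefully when a parent's creation event is missing, which is the normal case for long-running processes such as explorer.exe that predate the Sysmon service start.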
In closing, we round up some of the capabilities of the Azure and Office 365 cloud, covering credential sync and cloud app security engines. This explains the protections offered to the end user and to their access to any data source. The aim is to distinguish normal from abnormal user behavior and to proactively identify users with weak credentials.