Commit 05a3c12

Merge pull request #2113 from MicrosoftDocs/main
Publish main to live, 12/05/24, 3:30 PM PT
2 parents 51907ca + ce0748b commit 05a3c12

8 files changed (+99 -32 lines changed)

8 files changed

+99
-32
lines changed
30.9 KB
Loading
32.1 KB
Loading
Lines changed: 50 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,50 @@
1+
---
2+
# Required metadata
3+
# For more information, see https://review.learn.microsoft.com/en-us/help/platform/learn-editor-add-metadata?branch=main
4+
# For valid values of ms.service, ms.prod, and ms.topic, see https://review.learn.microsoft.com/en-us/help/platform/metadata-taxonomies?branch=main
5+
6+
title: 'Security Assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)'
7+
description: 'This recommendation directly addresses the recently published CVE-2024-49019, which highlights security risks associated with vulnerable AD CS configurations. '
8+
author: LiorShapiraa # GitHub alias
9+
ms.author: liorshapira
10+
ms.service: microsoft-defender-for-identity
11+
ms.topic: article
12+
ms.date: 12/04/2024
13+
---
14+
15+
# Security assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)
16+
17+
This article describes Microsoft Defender for Identity's Prevent Certificate Enrollment with arbitrary Application Policies (ESC15) security posture assessment report.
18+
19+
## Why is it important to review the Certificate templates?
20+
21+
This recommendation directly addresses the recently published [CVE-2024-49019](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-49019)__,__ which highlights security risks associated with vulnerable AD CS configurations. This security posture assessment lists all vulnerable certificate templates found in customer environments due to unpatched AD CS servers.
22+
23+
Certificate templates that are vulnerable to [CVE-2024-49019](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-49019) allow an attacker to issue a certificate with arbitrary Application Policies and Subject Alternative Name. The certificate can be used to escalate privileges, possibly resulting with full domain compromise. 
24+
25+
These certificate templates expose organizations to significant risks, as they enable attackers to issue certificates with arbitrary Application Policies and Subject Alternative Names (SANs). Such certificates can be exploited to escalate privileges and potentially compromise the entire domain. In particular, these vulnerabilities allow non-privileged users to issue certificates that can authenticate as high-privileged accounts, posing a severe security threat.
26+
27+
## Prerequisites
28+
29+
This assessment is available only to customers who installed a sensor on an AD CS server. For more information, see [New sensor type for Active Directory Certificate Services (AD CS)](/defender-for-identity/whats-new).
30+
31+
## **How do I use this security assessment to improve my organizational security posture?**
32+
33+
1. Review the recommended action at [Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)](https://security.microsoft.com/securescore?viewid=actions).
34+
35+
2. **Identify the vulnerable certificate templates:**
36+
- Remove enrollment permission for unprivileged users.
37+
- Disable the **“Supply in the request”** option.
38+
39+
3. Identify the AD CS servers which are vulnerable to CVE-2024-49019 and apply the relevant patch.
40+
41+
For example:
42+
43+
:::image type="content" source="media/prevent-certificate-enrollment-esc15/image.png" alt-text="Screenshot of servers." lightbox="media/prevent-certificate-enrollment-esc15/image.png":::
44+
45+
## Next steps
46+
47+
- [Learn more about Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score)
48+
49+
- [Check out the Defender for Identity forum!](https://aka.ms/MDIcommunity)
50+
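Review bot: step 2 (lines 35-37 of the new file) is titled "Identify the vulnerable certificate templates" but its two bullets are remediation actions (remove enrollment permission for unprivileged users, disable "Supply in the request"), and nothing in the article says which template properties cause a template to appear in the report, so a reader can neither confirm that a listed template is exploitable nor check a template the sensor did not see; retitle the step ("Remediate the vulnerable certificate templates") and state the criteria the assessment keys on. Related: line 21 says the templates are vulnerable "due to unpatched AD CS servers", while steps 2 and 3 treat template hardening and patching the CA as two separate fixes; say whether patching alone closes the finding or whether the template changes are still required. Lines 23 and 25 say the same thing twice (arbitrary Application Policies and SANs, privilege escalation, domain compromise); keep one. Smaller points: the `__,__` after the CVE link on line 21 renders as literal underscores; the H2 on line 31 is wrapped in `**...**` unlike every other heading in the file; and the alt text "Screenshot of servers." on line 43 should say what the image shows, which per step 3 is the AD CS servers the report flags as unpatched.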

ATPDocs/toc.yml

Lines changed: 2 additions & 0 deletions
@@ -216,6 +216,8 @@ items:
216216
href: security-assessment-edit-misconfigured-enrollment-agent.md
217217
- name: Overly permissive certificate template with privileged EKU (ESC2)
218218
href: security-assessment-edit-overly-permissive-template.md
219+
- name: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)
220+
href: prevent-certificate-enrollment-esc15.md
219221
- name: Prevent requests for certificates valid for arbitrary users (ESC1)
220222
href: security-assessment-prevent-users-request-certificate.md
221223
- name: Remove local admins on identity assets
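Review bot: the new href `prevent-certificate-enrollment-esc15.md` (line 220) breaks the `security-assessment-*.md` naming that every neighbouring assessment entry follows (lines 216, 218, 222); rename the file to `security-assessment-prevent-certificate-enrollment-esc15.md` before this publishes, since the URL is painful to change afterwards. The display name also uses Title Case ("Prevent Certificate Enrollment with arbitrary Application Policies (ESC15)") where the sibling entries use sentence case ("Prevent requests for certificates valid for arbitrary users (ESC1)").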

defender-endpoint/amsi-on-mdav.md

Lines changed: 30 additions & 20 deletions
@@ -1,38 +1,44 @@
11
---
22
title: "Anti-malware Scan Interface (AMSI) integration with Microsoft Defender Antivirus"
33
description: Describes fileless malware and how Microsoft Defender Antivirus uses AMSI to protect against hidden threats.
4-
author: YongRhee-MSFT
5-
ms.author: yongrhee
4+
author: denisebmsft
5+
ms.author: deniseb
66
manager: deniseb
7-
ms.date: 02/27/2024
7+
ms.reviewer: yongrhee
8+
ms.date: 12/05/2024
89
ms.topic: conceptual
910
ms.service: defender-endpoint
1011
ms.subservice: ngp
11-
ms.custom: QuickDraft
12+
ms.custom:
13+
- QuickDraft
14+
- partner-contribution
1215
search.appverid: MET150
1316
f1.keywords:
14-
audience:
17+
audience: ITPro
18+
ms.collection:
19+
- m365-security
20+
- tier2
1521
ai-usage: ai-assisted
1622
---
1723

1824
# Anti-malware Scan Interface (AMSI) integration with Microsoft Defender Antivirus
1925

20-
__Applies to:__
26+
**Applies to**:
2127

2228
- Microsoft Defender XDR
2329
- Microsoft Defender Antivirus
2430
- Microsoft Defender for Endpoint P1 & P2
2531
- Microsoft Defender for Business
2632
- Microsoft Defender for Individuals
2733

28-
__Platforms:__
34+
**Platforms**:
2935

3036
- Windows 10 and newer
3137
- Windows Server 2016 and newer
3238

3339
Microsoft Defender for Endpoint utilizes the anti-malware Scan Interface (AMSI) to enhance protection against fileless malware, dynamic script-based attacks, and other nontraditional cyber threats. This article describes the benefits of AMSI integration, the types of scripting languages it supports, and how to enable AMSI for improved security.
3440

35-
## What is Fileless malware?
41+
## What is fileless malware?
3642

3743
Fileless malware plays a critical role in modern cyberattacks, using stealthy techniques to avoid detection. Several major ransomware outbreaks used fileless methods as part of their kill chains.
3844
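Review bot: the only body change in this hunk is `__Applies to:__` / `__Platforms:__` to `**Applies to**:` / `**Platforms**:` (lines 26, 34), but the unchanged line 39 still expands AMSI as "anti-malware Scan Interface" while the title and H1 write "Anti-malware Scan Interface", and it opens with "Microsoft Defender for Endpoint utilizes" in an article whose title and H1 are about Microsoft Defender Antivirus; fix the capitalization and name the product the article is about while the front matter is being reworked. The metadata changes themselves (author/reviewer swap, `ms.custom` as a list, `audience: ITPro` filled in, `ms.collection` added) look right.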

@@ -42,22 +48,26 @@ Because memory is volatile, and fileless malware doesn't place files on disk, es
4248

4349
Attackers use several fileless techniques that can make malware implants stealthy and evasive. These techniques include:
4450

45-
- **Reflective DLL injection** Reflective DLL injection involves the manual loading of malicious DLLs into a process' memory without the need for said DLLs to be on disk. The malicious DLL can be hosted on a remote attacker-controlled machine and delivered through a staged network channel (for example, Transport Layer Security (TLS) protocol), or embedded in obfuscated form inside infection vectors like macros and scripts. This results in the evasion of the OS mechanism that monitors and keeps track of loading executable modules. An example of malware that uses Reflective DLL injection is HackTool:Win32/Mikatz!dha.
51+
- **Reflective DLL injection**: Reflective DLL injection involves the manual loading of malicious DLLs into a process memory without the need for said DLLs to be on disk. The malicious DLL can be hosted on a remote attacker-controlled machine and delivered through a staged network channel (for example, Transport Layer Security (TLS) protocol), or embedded in obfuscated form inside infection vectors, like macros and scripts. This configuration results in the evasion of the OS mechanism that monitors and keeps track of loading executable modules. An example of malware that uses Reflective DLL injection is `HackTool:Win32/Mikatz!dha`.
4652

47-
- **Memory exploits** Adversaries use fileless memory exploits to run arbitrary code remotely on victim machines. For example, the UIWIX threat uses the EternalBlue exploit, which was used by both Petya and WannaCry, to install the DoublePulsar backdoor, which lives entirely in the kernel's memory (SMB Dispatch Table). Unlike Petya and Wannacry, UIWIX doesn't drop any files on disk.
53+
- **Memory exploits**: Adversaries use fileless memory exploits to run arbitrary code remotely on victim machines. For example, the UIWIX threat uses the EternalBlue exploit, which was used by both Petya and WannaCry, to install the DoublePulsar backdoor, and lives entirely in the kernel's memory (SMB Dispatch Table). Unlike Petya and Wannacry, UIWIX doesn't drop any files on disk.
4854

49-
- **Script-based techniques** Scripting languages provide powerful means for delivering memory-only executable payloads. Script files can embed encoded shell codes or binaries that they can decrypt on the fly at run time and execute via .NET objects or directly with APIs without requiring them to be written to disk. The scripts themselves can be hidden in the registry, read from network streams, or run manually in the command-line by an attacker, without ever touching the disk.
55+
- **Script-based techniques**: Scripting languages provide powerful means for delivering memory-only executable payloads. Script files can embed encoded shell codes or binaries that they can decrypt on the fly at run time and execute via .NET objects or directly with APIs without requiring them to be written to disk. The scripts themselves can be hidden in the registry, read from network streams, or run manually in the command-line by an attacker, without ever touching the disk.
5056

51-
> [!NOTE]
52-
> Do not disable PowerShell as a means to block fileless malware. PowerShell is a powerful and secure management tool and is important for many system and IT functions. Attackers use malicious PowerShell scripts as post-exploitation technique that can only take place after an initial compromise has already occurred. Its misuse is a symptom of an attack that begins with other malicious actions like software exploitation, social engineering, or credential theft. The key is to prevent an attacker from getting into the position where they can misuse PowerShell.
57+
> [!NOTE]
58+
> Do not disable PowerShell as a means to block fileless malware. PowerShell is a powerful and secure management tool and is important for many system and IT functions. Attackers use malicious PowerShell scripts as post-exploitation technique that can only take place after an initial compromise has already occurred. Its misuse is a symptom of an attack that begins with other malicious actions like software exploitation, social engineering, or credential theft. The key is to prevent an attacker from getting into the position where they can misuse PowerShell.
5359
54-
- **WMI persistence** Some attackers use the Windows Management Instrumentation (WMI) repository to store malicious scripts that are then invoked periodically using WMI bindings.
60+
> [!TIP]
61+
> Reducing the number of unsigned Powershell scripts in your environment helps with increasing your security posture.
62+
> Here are instructions on how you could add signing to the Powershell scripts used in your environment
63+
> [Hey, Scripting Guy! How Can I Sign Windows PowerShell Scripts with an Enterprise Windows PKI? (Part 2 of 2) | Scripting Blog](https://devblogs.microsoft.com/scripting/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-2-of-2/)
5564
65+
- **WMI persistence**: Some attackers use the Windows Management Instrumentation (WMI) repository to store malicious scripts that are then invoked periodically using WMI bindings.
5666
Microsoft Defender Antivirus blocks most malware using generic, heuristic, and behavior-based detections, as well as local and cloud-based machine learning models. Microsoft Defender Antivirus protects against fileless malware through these capabilities:
5767

58-
- Detecting script-based techniques by using AMSI, which provides the capability to inspect PowerShell and other script types, even with multiple layers of obfuscation
59-
- Detecting and remediating WMI persistence techniques by scanning the WMI repository, both periodically and whenever anomalous behavior is observed
60-
- Detecting reflective DLL injection through enhanced memory scanning techniques and behavioral monitoring
68+
- Detecting script-based techniques by using AMSI, which provides the capability to inspect PowerShell and other script types, even with multiple layers of obfuscation
69+
- Detecting and remediating WMI persistence techniques by scanning the WMI repository, both periodically and whenever anomalous behavior is observed
70+
- Detecting reflective DLL injection through enhanced memory scanning techniques and behavioral monitoring
6171

6272
## Why AMSI?
6373
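Review bot: the rewrite of the "Memory exploits" bullet (line 53) changes the meaning: "to install the DoublePulsar backdoor, which lives entirely in the kernel's memory" became "to install the DoublePulsar backdoor, and lives entirely in the kernel's memory", so "lives" now attaches to UIWIX or the exploit rather than to DoublePulsar; restore the relative clause. Line 51 turns "a process' memory" into "a process memory" (should be "a process's memory") and "This results in the evasion" into "This configuration results in the evasion", although no configuration has been described. The new TIP (lines 60-63) is inserted between the NOTE and the "WMI persistence" bullet, which splits the techniques list; move it after line 65. The TIP also spells "Powershell" (twice) rather than "PowerShell", line 62 has no end punctuation, and it never says how signing reduces fileless risk: a signature changes nothing about what runs unless something enforces it, so name the control the reader is expected to pair it with, or the tip reads as unrelated to the surrounding text. Lines 58-60 and 68-70 are identical text, so that part is a whitespace-only change; harmless, but it will show up in blame.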

@@ -72,15 +82,15 @@ AMSI provides a deeper level of inspection for malicious software that employs o
7282
- .NET Framework 4.8 or newer (scanning of all assemblies)
7383
- Windows Management Instrumentation (WMI)
7484

75-
If you use Microsoft Office 365, AMSI also supports JavaScript, VBA, and XLM.
85+
If you use Microsoft 365 Apps, AMSI also supports JavaScript, VBA, and XLM.
7686

7787
AMSI doesn't currently support Python or Perl.
7888

7989
### Enabling AMSI
8090

81-
To enable AMSI, you need to enable Script scanning. See [Configure scanning options for Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
91+
To enable AMSI, you need to enable script scanning. See [Configure scanning options for Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md).
8292

83-
Also see [Defender Policy CSP - Windows Client Management](/windows/client-management/mdm/policy-csp-defender)
93+
Also see [Defender Policy CSP - Windows Client Management](/windows/client-management/mdm/policy-csp-defender).
8494

8595
### AMSI resources
8696

defender-endpoint/hardware-acceleration-and-mdav.md

Lines changed: 10 additions & 7 deletions
@@ -7,13 +7,16 @@ manager: deniseb
77
ms.reviewer: yongrhee
88
ms.service: defender-endpoint
99
ms.topic: overview
10-
ms.date: 09/18/2024
10+
ms.date: 12/05/2024
1111
ms.subservice: ngp
12+
ms.collection:
13+
- m365-security
14+
- tier2
15+
audience: ITPro
1216
ms.localizationpriority: medium
1317
ms.custom: partner-contribution
1418
search.appverid: MET150
1519
f1 keywords: NOCSH
16-
audience: ITPro
1720
---
1821

1922
# Hardware acceleration and Microsoft Defender Antivirus
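Review bot: line 19, `f1 keywords: NOCSH`, sits in this hunk's context and is almost certainly a broken key: the other file touched by this commit (amsi-on-mdav.md, line 13) uses `f1.keywords:`. Since this hunk is already reordering the front matter (moving `audience: ITPro` up, adding `ms.collection`), fix the key here rather than leaving a field the build will silently ignore.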
@@ -40,16 +43,16 @@ This table shows the Intel TDT technologies Microsoft collaborated with Intel on
4043

4144
|Available since |Intel TDT technology | Intel Threat Detection Technology (TDT) available on|
4245
|:---|:---|:---|
43-
|2018|Intel TDT – Accelerated Memory Scanning (AMS)|Intel integrated graphic 6th Gen Core (circa 2015) or newer family of processors, running on laptops, tablets, and desktop systems.|
44-
|2021|Intel TDT - Cryptojacking detector| Intel 6th Gen Core (circa 2015) or newer family of processors, running on laptops, tablets, and desktop systems.|
45-
|2022|Intel TDT - Ransomware detector| Intel 8th Gen Core or newer family of processors.|
46+
|2018|Intel TDT – Accelerated Memory Scanning (AMS)|Intel integrated graphic sixth Gen Core (circa 2015) or newer family of processors, running on laptops, tablets, and desktop systems.|
47+
|2021|Intel TDT - Cryptojacking detector| Intel sixth Gen Core (circa 2015) or newer family of processors, running on laptops, tablets, and desktop systems.|
48+
|2022|Intel TDT - Ransomware detector| Intel eighth Gen Core or newer family of processors.|
4649

4750
**Intel Threat Detection Technology (TDT) - Accelerated Memory Scanning (AMS):** Introduced extra memory scanning capabilities to detect fileless attacks that are expensive on the Central Processing Unit (CPU), and then offload them to the integrated Graphics Processor Unit (integrated GPU). Two benefits are:
4851

4952
- lower CPU consumption
5053
- A reduction of System-on-a-chip (SoC) power consumption leading to longer battery life on laptops and tablets
5154

52-
**Intel Threat Detection Technology (TDT) - Cryptojacking:** Enhanced detection by leveraging Intel's Central Processing Unit (CPU) performance monitoring unit (PMU) and offloading to the integrated Graphics Processor Unit (integrated GPU) to detect the malware code execution (fingerprint) of repeated mathematical operations at runtime. The signals are processed by a layer of machine learning with minimal overhead.
55+
**Intel Threat Detection Technology (TDT) - Cryptojacking:** Enhanced detection by using Intel's Central Processing Unit (CPU) performance monitoring unit (PMU) and offloading to the integrated Graphics Processor Unit (integrated GPU) to detect the malware code execution (fingerprint) of repeated mathematical operations at runtime. Machine learning processes signals with minimal overhead.
5356

5457
### How do you enable Intel TDT AMS or Cryptojacking integration?
5558
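Review bot: lines 46-48 replace "6th Gen" and "8th Gen" with "sixth Gen" and "eighth Gen", but these are Intel's product generation names ("6th Gen Intel Core"), not ordinals in running prose; spelling them out breaks search and no longer matches the vendor's naming, so revert those three cells. Line 55 drops "a layer of" ("The signals are processed by a layer of machine learning" became "Machine learning processes signals"), which loses the point that ML is a second stage after the PMU/GPU signal; keep the original structure and replace only "leveraging" with "using". Line 46 "Intel integrated graphic ... family of processors" reads oddly in both versions; "Intel 6th Gen Core or newer processors with integrated graphics" would be clearer.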

@@ -61,7 +64,7 @@ The regular Microsoft Defender Antivirus Event ID **1116**.
6164

6265
### What type of attacks does it help with?
6366

64-
- We use the Intel TDT - Cryptojacking detector to thwart various cryptojacking mallards. The following Coinminer campaigns were successfully detected and blocked using the TDT Cryptojacking detector: [YouTube Pirated Software Videos Deliver Triple Threat: Vidar Stealer, LaPlasa Clipper, XMRig Miner](https://www.fortinet.com/blog/threat-research/youtube-pirated-software-videos-deliver-triple-threat-vidar-stealer-laplas-clipper-xmrig-miner)
67+
- We use the Intel TDT - Cryptojacking detector to thwart various cryptojacking malware. The following Coinminer campaigns were successfully detected and blocked using the TDT Cryptojacking detector: [YouTube Pirated Software Videos Deliver Triple Threat: Vidar Stealer, LaPlasa Clipper, XMRig Miner](https://www.fortinet.com/blog/threat-research/youtube-pirated-software-videos-deliver-triple-threat-vidar-stealer-laplas-clipper-xmrig-miner)
6568

6669
- We use the Intel TDT detector to identify instances of CryptoJacking malware abusing Windows binaries (lolbins), and then employ Defender behavior monitoring to prevent and block such activities effectively. For more information, see [Hardware-based threat defense against increasingly complex cryptojackers](https://www.microsoft.com/security/blog/2022/08/18/hardware-based-threat-defense-against-increasingly-complex-cryptojackers/).
6770

defender-vulnerability-management/tvm-block-vuln-apps.md

Lines changed: 5 additions & 3 deletions
@@ -13,7 +13,7 @@ ms.collection:
1313
- Tier1
1414
ms.topic: conceptual
1515
search.appverid: met150
16-
ms.date: 01/18/2024
16+
ms.date: 12/05/2024
1717
---
1818

1919
# Block vulnerable applications
@@ -80,8 +80,10 @@ For both actions, you can customize the message the users see. For example, you
8080

8181
8. Review the selections you made and **Submit request**. On the final page, you can choose to go directly to the remediation page to view the progress of remediation activities and see the list of blocked applications.
8282

83-
> [!IMPORTANT]
84-
> Based on the available data, the block action will take effect on endpoints in the organization that have Microsoft Defender Antivirus. Microsoft Defender for Endpoint will make a best attempt effort of blocking the applicable vulnerable application or version from running.
83+
> [!NOTE]
84+
> Beginning December 3, 2024, expect to see a reduction in the number of file indicators that are created by new application block policies. To reduce your current indicator usage, unblock any blocked applications, and create new block policies.
85+
>
86+
> Based on the available data, the block actions take effect on endpoints that have Microsoft Defender Antivirus. Microsoft Defender for Endpoint makes a best-attempt effort of blocking applicable vulnerable applications or versions from running.
8587
8688
If additional vulnerabilities are found on a different version of an application, you get a new security recommendation, asking you to update the application, and you can choose to also block this different version.
8789
