Merge branch 'main' into docs-editor/microsoft-defender-endpoint-li-1733229630

Author: denisebmsft

ATPDocs/deploy/create-directory-service-account-gmsa.md

@@ -11,8 +11,10 @@ This article describes how to create a [group managed service account (gMSA)](/w
 
 For more information, see [Directory Service Accounts for Microsoft Defender for Identity](../directory-service-accounts.md).
 
->[!TIP]
->In multi-forest, multi-domain environments, we recommend creating the gMSAs with a unique name for each forest or domain. Also, create a universal group in each domain, containing all sensors' computer accounts so that all sensors can retrieve the gMSAs' passwords, and perform the cross-domain authentications.
+>[!NOTE]
+>In multi-forest, multi-domain environments, the sensors that need to use the gMSA need to have their computer accounts trusted by the domain where the gMSA was created.
+>We recommend creating a universal group in each domain, containing all sensors' computer accounts so that all sensors can retrieve the gMSAs' passwords, and perform the cross-domain authentications.
+>We also recommend creating the gMSAs with a unique name for each forest or domain.
 
 ## Prerequisites: Grant permissions to retrieve the gMSA account's password
 

CloudAppSecurityDocs/api-alerts.md

@@ -53,7 +53,6 @@ The response object defines the following properties.
 | intent               | list   | A field that specifies the kill chain related intent behind the alert. Multiple values can be reported in this field. The **intent** enumeration values follow the [MITRE att@ck enterprise matrix model](https://attack.mitre.org/matrices/enterprise/). Further guidance on the different techniques that make up each intent can be found in MITRE's documentation.<br>  Possible values include:<br/><br>**0**: UNKNOWN<br />**1**: PREATTACK<br />**2**: INITIAL_ACCESS<br />**3**: PERSISTENCE<br />**4**: PRIVILEGE_ESCALATION<br />**5**: DEFENSE_EVASION<br />**6**: CREDENTIAL_ACCESS<br />**7**: DISCOVERY<br />**8**: LATERAL_MOVEMENT<br />**9**: EXECUTION<br />**10**: COLLECTION<br />**11**: EXFILTRATION<br />**12**: COMMAND_AND_CONTROL<br />**13**: IMPACT |
 | isPreview            | bool   | Alerts that have been recently released as GA                |
 | audits *(optional)*  | list   | List of event IDs that are related to the alert              |
-| threatScore          | int    | User investigation priority                                  |
 
 ## Filters
 

CloudAppSecurityDocs/api-entities.md

@@ -37,6 +37,5 @@ The following table describes the supported filters:
 | domain | string | eq, neq, isset, isnotset | The entity's related domain |
 | organization | string | eq, neq, isset, isnotset | Filter entities with the specified organization unit |
 | status | string | eq, neq | Filter entities by status. Possible values include:<br /><br />**0**: N/A<br />**1**: Staged<br />**2**: Active<br />**3**: Suspended<br />**4**: Deleted |
-| score | integer | lt, gt, isset, isnotset | Filter entities by their Investigation Priority Score |
 
 [!INCLUDE [Open support ticket](includes/support.md)]

CloudAppSecurityDocs/protect-workplace.md

@@ -2,14 +2,14 @@
 title:       Protect your Workplace environment | Microsoft Defender for Cloud Apps
 description: Learn how about connecting your Workplace app to Defender for Cloud Apps using the API connector.
 ms.topic:    how-to
-ms.date: 12/06/2023
+ms.date: 12/08/2024
 ---
 
 # How Defender for Cloud Apps helps protect your Workplace environment (Preview)
 
 
 
-Workplace by Meta is an online collaboration software tool developed by Meta that facilitates online groupwork, instant messaging, video conferencing, and news sharing in one place. Along with the benefits of effective collaboration in the cloud, your organization's most critical assets may be exposed to threats. Exposed assets include messages, posts, and files with potentially sensitive information, collaboration, partnership details, and more. Preventing exposure of this data requires continuous monitoring to prevent any malicious actors or security-unaware insiders from exfiltrating sensitive information.
+Workplace by Meta is an online collaboration software tool developed by Meta that facilitates online group work, instant messaging, video conferencing, and news sharing in one place. Along with the benefits of effective collaboration in the cloud, your organization's most critical assets may be exposed to threats. Exposed assets include messages, posts, and files with potentially sensitive information, collaboration, partnership details, and more. Preventing exposure of this data requires continuous monitoring to prevent any malicious actors or security-unaware insiders from exfiltrating sensitive information.
 
 Connecting Workplace by Meta to Defender for Cloud Apps gives you improved insights into your users' activities and provides threat detection for anomalous behavior.
 
@@ -96,6 +96,7 @@ This section provides instructions for connecting Microsoft Defender for Cloud A
    > - The first connection can take up to 4 hours to get all users and their activities.
    > - The activities that will show are the activities that were generated from the moment the connector is connected.
    > - After the connector's **Status** is marked as **Connected**, the connector is live and works.
+   > - Before deleting the app in Workplace, make sure to disconnect the connector in the Defender for Cloud Apps portal.
 
 ## Next steps
 

defender-endpoint/TOC.yml

@@ -255,6 +255,8 @@
           items:
           - name: Deploy Defender for Endpoint on Linux
             items:
+            - name: Defender for Endpoint on Linux for ARM64-based devices (preview)
+              href: mde-linux-arm.md
             - name: Puppet based deployment
               href: linux-install-with-puppet.md
             - name: Ansible based deployment

defender-endpoint/amsi-on-mdav.md

@@ -1,38 +1,44 @@
 ---
 title: "Anti-malware Scan Interface (AMSI) integration with Microsoft Defender Antivirus"
 description: Describes fileless malware and how Microsoft Defender Antivirus uses AMSI to protect against hidden threats.
-author: YongRhee-MSFT
-ms.author: yongrhee
+author: denisebmsft
+ms.author: deniseb
 manager: deniseb
-ms.date: 02/27/2024
+ms.reviewer: yongrhee
+ms.date: 12/05/2024
 ms.topic: conceptual
 ms.service: defender-endpoint
 ms.subservice: ngp
-ms.custom: QuickDraft
+ms.custom: 
+- QuickDraft
+- partner-contribution
 search.appverid: MET150
 f1.keywords:
-audience:
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier2
 ai-usage: ai-assisted
 ---
 
 # Anti-malware Scan Interface (AMSI) integration with Microsoft Defender Antivirus
 
-__Applies to:__
+**Applies to**:
 
 - Microsoft Defender XDR
 - Microsoft Defender Antivirus
 - Microsoft Defender for Endpoint P1 & P2
 - Microsoft Defender for Business
 - Microsoft Defender for Individuals
 
-__Platforms:__
+**Platforms**:
 
 - Windows 10 and newer
 - Windows Server 2016 and newer
 
 Microsoft Defender for Endpoint utilizes the anti-malware Scan Interface (AMSI) to enhance protection against fileless malware, dynamic script-based attacks, and other nontraditional cyber threats. This article describes the benefits of AMSI integration, the types of scripting languages it supports, and how to enable AMSI for improved security.
 
-## What is Fileless malware?
+## What is fileless malware?
 
 Fileless malware plays a critical role in modern cyberattacks, using stealthy techniques to avoid detection. Several major ransomware outbreaks used fileless methods as part of their kill chains.
 
@@ -42,22 +48,26 @@ Because memory is volatile, and fileless malware doesn't place files on disk, es
 
 Attackers use several fileless techniques that can make malware implants stealthy and evasive. These techniques include:
 
-- **Reflective DLL injection** Reflective DLL injection involves the manual loading of malicious DLLs into a process' memory without the need for said DLLs to be on disk. The malicious DLL can be hosted on a remote attacker-controlled machine and delivered through a staged network channel (for example, Transport Layer Security (TLS) protocol), or embedded in obfuscated form inside infection vectors like macros and scripts. This results in the evasion of the OS mechanism that monitors and keeps track of loading executable modules. An example of malware that uses Reflective DLL injection is HackTool:Win32/Mikatz!dha.
+- **Reflective DLL injection**: Reflective DLL injection involves the manual loading of malicious DLLs into a process memory without the need for said DLLs to be on disk. The malicious DLL can be hosted on a remote attacker-controlled machine and delivered through a staged network channel (for example, Transport Layer Security (TLS) protocol), or embedded in obfuscated form inside infection vectors, like macros and scripts. This configuration results in the evasion of the OS mechanism that monitors and keeps track of loading executable modules. An example of malware that uses Reflective DLL injection is `HackTool:Win32/Mikatz!dha`.
 
-- **Memory exploits** Adversaries use fileless memory exploits to run arbitrary code remotely on victim machines. For example, the UIWIX threat uses the EternalBlue exploit, which was used by both Petya and WannaCry, to install the DoublePulsar backdoor, which lives entirely in the kernel's memory (SMB Dispatch Table). Unlike Petya and Wannacry, UIWIX doesn't drop any files on disk.
+- **Memory exploits**: Adversaries use fileless memory exploits to run arbitrary code remotely on victim machines. For example, the UIWIX threat uses the EternalBlue exploit, which was used by both Petya and WannaCry, to install the DoublePulsar backdoor, and lives entirely in the kernel's memory (SMB Dispatch Table). Unlike Petya and Wannacry, UIWIX doesn't drop any files on disk.
 
-- **Script-based techniques** Scripting languages provide powerful means for delivering memory-only executable payloads. Script files can embed encoded shell codes or binaries that they can decrypt on the fly at run time and execute via .NET objects or directly with APIs without requiring them to be written to disk. The scripts themselves can be hidden in the registry, read from network streams, or run manually in the command-line by an attacker, without ever touching the disk.
+- **Script-based techniques**: Scripting languages provide powerful means for delivering memory-only executable payloads. Script files can embed encoded shell codes or binaries that they can decrypt on the fly at run time and execute via .NET objects or directly with APIs without requiring them to be written to disk. The scripts themselves can be hidden in the registry, read from network streams, or run manually in the command-line by an attacker, without ever touching the disk.
 
-> [!NOTE]
-> Do not disable PowerShell as a means to block fileless malware. PowerShell is a powerful and secure management tool and is important for many system and IT functions. Attackers use malicious PowerShell scripts as post-exploitation technique that can only take place after an initial compromise has already occurred. Its misuse is a symptom of an attack that begins with other malicious actions like software exploitation, social engineering, or credential theft. The key is to prevent an attacker from getting into the position where they can misuse PowerShell.
+   > [!NOTE]
+   > Do not disable PowerShell as a means to block fileless malware. PowerShell is a powerful and secure management tool and is important for many system and IT functions. Attackers use malicious PowerShell scripts as post-exploitation technique that can only take place after an initial compromise has already occurred. Its misuse is a symptom of an attack that begins with other malicious actions like software exploitation, social engineering, or credential theft. The key is to prevent an attacker from getting into the position where they can misuse PowerShell.
 
-- **WMI persistence** Some attackers use the Windows Management Instrumentation (WMI) repository to store malicious scripts that are then invoked periodically using WMI bindings.
+   > [!TIP]
+   > Reducing the number of unsigned Powershell scripts in your environment helps with increasing your security posture.
+   > Here are instructions on how you could add signing to the Powershell scripts used in your environment
+   > [Hey, Scripting Guy! How Can I Sign Windows PowerShell Scripts with an Enterprise Windows PKI? (Part 2 of 2) | Scripting Blog](https://devblogs.microsoft.com/scripting/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-2-of-2/)
 
+- **WMI persistence**: Some attackers use the Windows Management Instrumentation (WMI) repository to store malicious scripts that are then invoked periodically using WMI bindings.
 Microsoft Defender Antivirus blocks most malware using generic, heuristic, and behavior-based detections, as well as local and cloud-based machine learning models. Microsoft Defender Antivirus protects against fileless malware through these capabilities:
 
-- Detecting script-based techniques by using AMSI, which provides the capability to inspect PowerShell and other script types, even with multiple layers of obfuscation
-- Detecting and remediating WMI persistence techniques by scanning the WMI repository, both periodically and whenever anomalous behavior is observed
-- Detecting reflective DLL injection through enhanced memory scanning techniques and behavioral monitoring
+   - Detecting script-based techniques by using AMSI, which provides the capability to inspect PowerShell and other script types, even with multiple layers of obfuscation
+   - Detecting and remediating WMI persistence techniques by scanning the WMI repository, both periodically and whenever anomalous behavior is observed
+   - Detecting reflective DLL injection through enhanced memory scanning techniques and behavioral monitoring
 
 ## Why AMSI?
 
@@ -72,15 +82,15 @@ AMSI provides a deeper level of inspection for malicious software that employs o
 - .NET Framework 4.8 or newer (scanning of all assemblies)
 - Windows Management Instrumentation (WMI)
 
-If you use Microsoft Office 365, AMSI also supports JavaScript, VBA, and XLM.
+If you use Microsoft 365 Apps, AMSI also supports JavaScript, VBA, and XLM.
 
 AMSI doesn't currently support Python or Perl.
 
 ### Enabling AMSI
 
-To enable AMSI, you need to enable Script scanning. See [Configure scanning options for Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
+To enable AMSI, you need to enable script scanning. See [Configure scanning options for Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md).
 
-Also see [Defender Policy CSP - Windows Client Management](/windows/client-management/mdm/policy-csp-defender)
+Also see [Defender Policy CSP - Windows Client Management](/windows/client-management/mdm/policy-csp-defender).
 
 ### AMSI resources