Improving defenses by mapping tools to attack chains
Let’s look at a diagram that the Microsoft 365 Defender Intelligence Team put together in late April 2020. This graphic does a good job of providing a high-level overview of what researchers consider to be the hallmark post-compromise activities — credential theft, lateral movement, and persistence — bookended by the parts many non-security experts focus on most: initial access and payload execution.
- RD Gateway
- Attack Surface Reduction (ASR) Rules
- Windows Firewall
- PowerShell
- Autoruns

Tool #1: RD Gateway
Tactic mitigated:
- Initial access: RDP brute force
Tool #2: Attack Surface Reduction (ASR) rules
Tactics mitigated:
- Initial access: Weak application settings (Microsoft Office, Adobe, email client)
- Credential theft: Stealing credentials from lsass.exe
- Lateral movement: WMI and PsExec abuse
- Persistence: WMI event subscription abuse
- Payload retrieval / execution: Malicious scripts, ransomware
Requirements:
- Windows 10, versions 1709 and later
- Microsoft Defender must be active (not in passive mode)
- Some rules require cloud-delivered protection to be enabled
Recommended rules and modes:
- Block Office applications from creating executable content (Block Mode recommended*)
  - Note: May interfere with the Microsoft Office Smart Lookup feature.
- Block Win32 API calls from Office macros (Audit Mode suggested first*)
- Block Office applications from injecting code into other processes (Audit Mode suggested first*)
- Block all Office applications from creating child processes (Audit Mode suggested first*)
- Block Adobe Reader from creating child processes (Block Mode recommended*)
  - Note: Will interfere with the Adobe update process unless that is managed by a central software patching service.
- Block executable content from email client and webmail (Block Mode recommended*)
- Block untrusted and unsigned processes that run from USB (Block Mode recommended*)
- Block JavaScript or VBScript from launching downloaded executable content (Block Mode recommended*)
- Block execution of potentially obfuscated scripts (Block Mode recommended, with the exception of developer machines*)
- Block credential stealing from lsass.exe (Block Mode recommended*)
- Block process creations originating from PsExec and WMI commands (Not compatible if using SCCM*)
- Block persistence through WMI event subscription (Block Mode recommended*)
Tool #3: Windows Firewall
Tactics mitigated:
- Lateral movement: SMB-based
- Payload retrieval / execution: LOLBins making outbound connections
Tool #4: PowerShell
Tactics monitored:
- Initial access: Exposed RDP and vulnerable Internet-facing systems
- Lateral movement: PsExec abuse
- Persistence: New accounts, scheduled tasks, WMI event subscription
Suggested checks:
- Conduct external port scans (100% sure you don’t have a server somewhere out there with RDP exposed? Check again.)
- Alert on Shodan results (does require a paid Shodan account)
- Create alerts based on PsExec usage (PsExec is another legitimate administrative tool that attackers use for remote command execution)
- Monitor new account creation (created domain and local users, users added to privileged groups, etc.)
- Monitor for scheduled task creation
- Create and monitor canary files
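As an added example (not code from the original article), here is how the account, scheduled-task and PsExec checks above can be scripted in PowerShell: it triages Security events 4720 (account created), 4728/4732/4756 (member added to a group), 4698 (scheduled task created) and System event 7045 (service installed) into a simple alert list. The privileged-group list and the sample events are constructed assumptions so the script runs offline; in production, pipe `Get-WinEvent` output into the function instead.

```powershell
# Added example, not from the original article. Classifies Windows events for the
# persistence / lateral-movement signals listed above. In production replace the
# constructed samples with, for example:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720,4728,4732,4756,4698} | Find-PersistenceSignal
#   Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045} | Find-PersistenceSignal
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Remote Desktop Users')  # assumption: tune per environment

function Get-Field([string]$Text, [string]$Pattern) {
    # Pulls one field out of the event's rendered message text; '' if the field is absent.
    if ($Text -match $Pattern) { return $Matches[1].Trim() } else { return '' }
}

function Find-PersistenceSignal {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline = $true)] $Event)   # needs Id, TimeCreated, Message
    process {
        $m = $Event.Message
        $out = switch ($Event.Id) {
            4720 { @{ Signal = 'NewAccount'; Severity = 'Medium'; Detail = Get-Field $m '(?s)New Account:.*?Account Name:\s+([^\r\n]+)' } }
            { $_ -in 4728, 4732, 4756 } {
                $group  = Get-Field $m 'Group Name:\s+([^\r\n]+)'
                $member = Get-Field $m '(?s)Member:.*?Account Name:\s+([^\r\n]+)'
                $sev = if ($group -in $PrivilegedGroups) { 'High' } else { 'Low' }   # privileged group => escalate
                @{ Signal = 'GroupMemberAdded'; Severity = $sev; Detail = "$member -> $group" }
            }
            4698 {
                $task = Get-Field $m 'Task Name:\s+([^\r\n]+)'
                $cmd  = Get-Field $m '<Command>([^<]+)</Command>'   # command from the embedded task XML
                @{ Signal = 'ScheduledTaskCreated'; Severity = 'Medium'; Detail = "$task runs $cmd" }
            }
            7045 {
                $svc = Get-Field $m 'Service Name:\s+([^\r\n]+)'
                # PSEXESVC is PsExec's default service name; the name can be changed, so every new
                # service is reported for review and the default name is escalated.
                $sev = if ($svc -eq 'PSEXESVC') { 'High' } else { 'Low' }
                @{ Signal = 'ServiceInstalled'; Severity = $sev; Detail = $svc }
            }
            default { $null }
        }
        if ($out) {
            [pscustomobject]@{ Time = $Event.TimeCreated; Id = $Event.Id; Signal = $out.Signal; Severity = $out.Severity; Detail = $out.Detail }
        }
    }
}

# Constructed sample events shaped like Get-WinEvent output (Id, TimeCreated, Message).
$SampleEvents = @(
    [pscustomobject]@{ Id = 4720; TimeCreated = [datetime]'2020-05-01T02:13:00'; Message = "A user account was created.`r`n`r`nSubject:`r`n`tAccount Name:`tsvc-backup`r`n`r`nNew Account:`r`n`tSecurity ID:`tS-1-5-21-1-2-3-1105`r`n`tAccount Name:`tsupport2`r`n" }
    [pscustomobject]@{ Id = 4728; TimeCreated = [datetime]'2020-05-01T02:14:00'; Message = "A member was added to a security-enabled global group.`r`n`r`nMember:`r`n`tSecurity ID:`tS-1-5-21-1-2-3-1105`r`n`tAccount Name:`tCN=support2,CN=Users,DC=corp,DC=example`r`n`r`nGroup:`r`n`tGroup Name:`tDomain Admins`r`n`tGroup Domain:`tCORP`r`n" }
    [pscustomobject]@{ Id = 4698; TimeCreated = [datetime]'2020-05-01T02:15:00'; Message = "A scheduled task was created.`r`n`r`nTask Information:`r`n`tTask Name:`t\Updater`r`n`tTask Content:`t<Task><Actions><Exec><Command>C:\Users\Public\u.exe</Command></Exec></Actions></Task>`r`n" }
    [pscustomobject]@{ Id = 7045; TimeCreated = [datetime]'2020-05-01T02:16:00'; Message = "A service was installed in the system.`r`n`r`nService Name:  PSEXESVC`r`nService File Name:  %SystemRoot%\PSEXESVC.exe`r`n" }
)
$SampleEvents | Find-PersistenceSignal | Sort-Object Time | Format-Table -AutoSize
```

The sample run yields one Medium (new account), one High (support2 added to Domain Admins), one Medium (task \Updater running an executable from a public folder) and one High (PSEXESVC installed), which together are exactly the chain the article's diagram describes.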
Tool #5: Autoruns
Tactics monitored:
- Persistence: Registry entries