Microsoft Configuration (ATT&CK Evaluations Enterprise: Carbanak+FIN7)

The following product description and configuration information was provided by the vendor and has been included in its unedited form. Any MITRE Engenuity comments are included in italics.


Product Versions

"Microsoft 365 Defender" suite with the following integrations:

Protection scope | Product/Server | Configuration
Microsoft 365 Defender | Unified enterprise defense suite across Microsoft Defender capabilities | Enabled
Windows endpoint | Microsoft Defender for Endpoint (MDE), Windows 10 1909 (Build 18363) | Enabled
Windows server | Microsoft Defender for Endpoint (MDE), Windows Server 2019 1809 (Build 17763) | Enabled
Linux server | Microsoft Defender for Endpoint (MDE), CentOS 7 | Enabled
Identity | Microsoft Defender for Identity (MDI) sensor version 2.132.9188 | Enabled
Cloud applications | Microsoft Cloud App Security (MCAS) | Enabled
Email protection | Microsoft Defender for Office (MDO) | Not Enabled
Managed detection and response | Microsoft Threat Experts (MTE) | Not Enabled

Product Description

Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively integrates endpoint, identity and email products to stop sophisticated attacks. Microsoft 365 Defender combines the signals of Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Office (email and collaboration) and Microsoft Cloud App Security (applications) to accurately detect and automatically respond to threats with behavioral analytics, and reveals the root cause to speed up investigations. Tight integration across the products, augmented with new cross-product logic unique to Microsoft 365 Defender, ensures that attacks can be quickly detected, that affected assets are automatically remediated and that security operations teams are empowered to investigate and take remediation actions in time, before the damage is done.

Microsoft 365 Defender defines a new category for enterprise-wide protection, detection and response solutions that runs a fully integrated single defensive stack across endpoint, identity, email and cloud data to:

  • Protect at the source and coordinate the defense stack by sharing signals and actions
  • Narrate the story of the attack across product alerts, behaviors and context with Incidents
  • Automate response to compromise by self-healing assets through automated Remediation
  • Enable effective threat hunting across the endpoint, Office and identity

Microsoft Defender for Endpoint for non-Windows platforms

Microsoft has been on a journey to extend its industry leading endpoint security capabilities beyond Windows and Windows Server to macOS, Linux, Android, and soon iOS.

Organizations face threats across a variety of platforms and devices. Our teams have committed to building security solutions not just for Microsoft, but also from Microsoft to enable our customers to protect and secure their heterogeneous environments. We're listening to customer feedback and partnering closely with our customers to build solutions that meet their needs.

With Microsoft Defender for Endpoint, customers benefit from a unified view of all threats and alerts in the Microsoft Defender Security Center, across Windows and non-Windows platforms, enabling them to get a full picture of what's happening in their environment, which empowers them to more quickly assess and respond to threats.

For more details on how to get started, visit the Microsoft Defender for Endpoint on Linux documentation.

Product Configuration

Detect

Additional OS and individual product configurations

Component | Reason | Configuration
MDE next-generation protection | Configured in audit mode to allow Red Team binaries/tools to execute (without blocking) | Audit-only (no block)
MDE attack surface reduction | Configured in audit mode to allow Red Team binaries/tools to execute (without blocking) | Audit-only (no block)
MDE exploit protection | Disabled upon request | Disabled
Microsoft Defender Credential Guard | Disabled upon request | Disabled
Microsoft Defender Application Guard | Disabled upon request | Disabled
Application control | Disabled upon request | Disabled
MDE automated investigation and response | Configured in semi-automated mode with approval (to avoid remediation of Red Team tools) | Enabled in semi-automated mode
MDE EDR block | Disabled to allow Red Team binaries/tools to execute (without blocking) | Disabled
Tamper protection | Protects blocking capabilities from being disabled | Enabled
Network protection | Configured in audit mode to allow Red Team binaries/tools to execute (without blocking) | Audit-only (no block)

Protect

Additional OS and individual product configurations

Component | Reason | Configuration
MDE next-generation protection | Microsoft Defender for Endpoint protection service enabled to protect from Red Team activity | Enabled
MDE attack surface reduction | Attack surface reduction rules target and block certain software behaviors | Enabled
MDE exploit protection | Exploit protection helps protect against malware that uses exploits to infect devices and spread | Enabled
Microsoft Defender Credential Guard | Disabled upon request | Disabled
Microsoft Defender Application Guard | Disabled upon request | Disabled
Application control | Disabled upon request | Disabled
MDE automated investigation and response | Configured to immediately investigate threats and run self-healing on the compromised entity, preventing and blocking the attack | Enabled
MDE EDR | | Enabled
Tamper protection | Protects blocking capabilities from being disabled | Enabled
Network protection | | Enabled
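An added example (not code from this page, MITRE Engenuity or Microsoft) that checks a Windows host against the Detect (audit-only) or Protect (block) settings tabulated above for attack surface reduction rules, network protection and tamper protection. The scenario names, the expected values and the MISMATCH output format are this script's own assumptions; Get-MpPreference and Get-MpComputerStatus are the standard Defender Antivirus cmdlets.

```powershell
# Added example: compare local Defender for Endpoint settings with the
# "Detect" (audit-only) or "Protect" (block) scenario tables above.
# Scenario names and expected values are assumptions of this script.
param([ValidateSet('Detect', 'Protect')][string]$Scenario = 'Detect')

# Action codes used by AttackSurfaceReductionRules_Actions and
# EnableNetworkProtection: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
$Enabled = 1; $AuditMode = 2

$expected = @{
    Detect  = @{ Asr = $AuditMode; NetProt = $AuditMode }   # audit-only (no block)
    Protect = @{ Asr = $Enabled;   NetProt = $Enabled }     # block
}[$Scenario]

$pref     = Get-MpPreference
$status   = Get-MpComputerStatus
$findings = @()

# Attack surface reduction: every configured rule must carry the scenario's action.
# Pipe through Where-Object so an unset property yields an empty array, not @($null).
$ids     = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $null -ne $_ })
$actions = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
if ($ids.Count -eq 0) { $findings += 'No ASR rules are configured' }
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ([int]$actions[$i] -ne $expected.Asr) {
        $findings += "ASR rule $($ids[$i]) action=$($actions[$i]), expected $($expected.Asr)"
    }
}

# Network protection: audit-only in Detect, enabled (block) in Protect.
if ([int]$pref.EnableNetworkProtection -ne $expected.NetProt) {
    $findings += "EnableNetworkProtection=$($pref.EnableNetworkProtection), expected $($expected.NetProt)"
}

# Tamper protection is enabled in both scenarios.
if (-not $status.IsTamperProtected) { $findings += 'Tamper protection is not enabled' }

# EDR block mode is managed from the Defender portal, so only report the running
# mode for manual review (it reads "EDR Block" only when the AV engine is passive).
"Antimalware running mode: $($status.AMRunningMode)"

if ($findings.Count -eq 0) { "Host matches the $Scenario scenario configuration" }
else { $findings | ForEach-Object { "MISMATCH: $_" } }
```

Run it from an elevated PowerShell session on the evaluated host, for example `.\Check-MdeScenario.ps1 -Scenario Protect`, and resolve each MISMATCH line before re-running.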