Discover and read the best of Twitter Threads about #MicrosoftDefender

Most recents (2)

Ever wondered what happens when #MicrosoftDefender quarantines a PUP, but then you go in the notification, and select to "Allow" the application in the future? Well, a Registry value with the name of ThreatId (detected threat) is set in the Registry with a Data of 6 for Ignore.
It seems that this Regkey is regularly cleaned however, since the application gets flagged every few days and I need to restart the process.

Registry key for copy/paste:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction
I don't know if it works in a similar fashion for actual threats (non-PUA/PUP), but if I ever get in that situation (oops... downloading malicious samples in P R O D), I'll be sure to test it out and update this tweet.
Read 4 tweets
How to detect software supply chain attacks with #Sysmon, #MicrosoftDefender, or any other #EDR:
1. You use specific software in your environment.
2. The software is usually installed on a few servers that have privileges across the environment.
3. You probably have a naming convention for your servers. Also, servers have defined IP subnets.
4. Your EDR or Sysmon has "Company" information in the process event or process network logs.
Combining all together:
Without even knowing what kind of software is used in the environment, you can analyze your process event logs to see if your servers have a 3rd party software installed. The same logs provide the computer name and/or the computer IP.
Read 6 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!