I find this highly relevant to share today, especially in regards to yesterday’s ‘false positive’ situation, where a lot of system admins got a good scare when Defender for Endpoint reported that “Suspicious ‘PowEmotet’ behavior was blocked” on a high percentage of the enrolled devices.
- Martin Bengtsson [MVP] on Twitter: “We are seeing a ton of activity in #Defender at this hour: “Suspicious ‘PowEmotet’ behavior was blocked””
What I really mean by this is that when you have the option to reduce the attack surface of your environment, you should look into doing so as soon as possible.
Let’s say yesterday’s situation was real, and you for whatever reason didn’t have behavior monitoring enabled in Microsoft Defender Antivirus. You would regret that pretty soon after being hit, when you realize that it could have been prevented.
The same goes for the above: look into enabling this new ASR (Attack Surface Reduction) rule today, rather than later, after being compromised.
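As an added example (not from the original post), this is the rollout I would do on a device: confirm behavior monitoring is on, stage the ASR rule in audit mode, review the audit events, and only then enforce it. The post does not name the rule, so `<RULE-GUID>` is a placeholder for its GUID; run in an elevated PowerShell session.

```powershell
# Added example, not part of the original post. Run as administrator.
$RuleId = '<RULE-GUID>'   # placeholder: GUID of the ASR rule you are rolling out

# 1. Behavior monitoring is the control the post says you would regret having off.
$status = Get-MpComputerStatus
if (-not $status.BehaviorMonitorEnabled) {
    Set-MpPreference -DisableBehaviorMonitoring $false
    Write-Host "Behavior monitoring was disabled; it has now been enabled."
} else {
    Write-Host "Behavior monitoring is enabled."
}

# 2. Stage the ASR rule in audit mode first so you see what it would block
#    without disrupting users.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 3. Show the rule's current action (0 = Disabled, 1 = Block, 2 = AuditMode, 6 = Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($pref.AttackSurfaceReductionRules_Ids[$i] -eq $RuleId) {   # -eq is case-insensitive
        Write-Host "Rule $RuleId action: $($pref.AttackSurfaceReductionRules_Actions[$i])"
    }
}

# 4. Review ASR audit events (Event ID 1122) in the Defender operational log.
#    1121 is the corresponding "blocked" event once the rule is enforced.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 5. When the audit results are acceptable, switch the rule to Block.
#    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions Enabled
```

For fleet-wide rollout the same settings are pushed through Intune or Group Policy rather than per device; the cmdlets are still useful to verify the effective state on a given machine.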