How to download threat files with Defender for Business
Introduction

If you’re securing a small/medium enterprise with Microsoft Defender for Business, downloading a detected malicious file for further analysis is an important step in the incident response process. Normally, the Download File response action is available only for Defender for Endpoint P2, but we can achieve the same effect by combining features present in Defender for Business: Live Response and PowerShell scripts.

Prerequisites

Live Response and Live Response unsigned script execution need to be enabled within Settings → Endpoints → Advanced Features. The incident responder needs to have at least the Security Administrator role.

Process

For demonstration, I download the EICAR test file. Within the Evidence and Response tab of the malware incident, we find the full path of the offending file before it was quarantined: C:\Users\narek\Desktop\test.txt ...
Claude Code plugins: risks, detection and mitigation
Introduction

Plugins enable extending Claude Code’s functionality by adding:

MCP Servers
LSP Servers
Agents
Skills
Hooks

The threat landscape of Claude Code Plugins is diverse since everyone can host their own marketplace (e.g. on a GitHub repository), and it may even be automatically indexed by claudemarketplaces.com. This post focuses on the risk posed by Hooks from a malicious Claude Code Plugin. I will also provide a method for enumerating Plugins within your enterprise fleet, as well as mitigating this risk via marketplace allowlisting. ...