In our last post, we explored how organizations using CrowdStrike as their primary AV can still benefit from Microsoft Defender for Endpoint (MDE) in Passive Mode—gaining advanced telemetry, Defender XDR integrations, and enhanced threat intelligence without disrupting existing security operations.

Let’s first start with the technical setup to ensure CrowdStrike Falcon operates as the primary antivirus (AV) while keeping Microsoft Defender for Endpoint (MDE) in Passive Mode for enhanced telemetry and security analytics.

Follow these steps to configure this hybrid approach:

1 – Verify CrowdStrike Sensor Installation
Ensure the Falcon sensor is installed on all endpoints.
Open a CMD prompt as administrator and run sc query csagent (from a PowerShell prompt use sc.exe query csagent, because sc on its own is the Set-Content alias there)
✔ If the sensor is installed and running, it will return: STATE: RUNNING

2 – Configure Falcon Policy in the CrowdStrike Console
Navigate to Endpoint Security > Prevention Policies
Select your policy and go to Next-gen antivirus settings
Enable “Quarantine & Security Center Registration”
This ensures CrowdStrike is the primary AV and forces Defender into Passive Mode
Save and apply the policy

3 – Verify Microsoft Defender is in Passive Mode
On a test endpoint, open PowerShell as administrator and run Get-MpComputerStatus | Select-Object AMRunningMode
✔ The result should say “Passive Mode”

4 – Avoiding Conflicts Between CrowdStrike Falcon & Microsoft Defender
Add the following Defender processes and directories to the Falcon exclusion list:
📂 Directories to exclude:

  • C:\Program Files\Windows Defender\
  • C:\ProgramData\Microsoft\Windows Defender\

Processes to exclude (the executables behind the Defender antimalware and network inspection services):

  • MsMpEng.exe
  • NisSrv.exe
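To check steps 1, 3 and 4 together on one endpoint, here is an added PowerShell example; it is not code from the original post, from CrowdStrike or from Microsoft. It uses the service name (csagent), the cmdlet (Get-MpComputerStatus), the directories and the process names the steps above give. Accepting "SxS Passive Mode" as a second passive value, the function name and the overall verdict are this example's own choices.

```powershell
# Added example (not from the original post): verifies the hybrid setup from steps 1, 3 and 4 on this host.
# Run from an elevated PowerShell session.
function Test-HybridAvConfiguration {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # Step 1: Falcon sensor service present and running (what "sc query csagent" reports as STATE: RUNNING).
    $falcon = Get-Service -Name 'csagent' -ErrorAction SilentlyContinue
    $result.FalconInstalled = [bool]$falcon
    $result.FalconRunning   = [bool]($falcon -and $falcon.Status -eq 'Running')

    # Step 3: Defender AV reports passive operation. "Passive Mode" is the value the post expects;
    # "SxS Passive Mode" is the other passive value Defender can report and is accepted here too (example's choice).
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $result.AMRunningMode   = if ($mp) { $mp.AMRunningMode } else { 'Unavailable' }
    $result.DefenderPassive = $result.AMRunningMode -in @('Passive Mode', 'SxS Passive Mode')

    # Step 4: confirm the Defender directories and processes named in the exclusion list exist on this host,
    # so the Falcon exclusions cover real paths. The exclusion itself is configured in the Falcon console.
    $dirs  = @('C:\Program Files\Windows Defender\', 'C:\ProgramData\Microsoft\Windows Defender\')
    $procs = @('MsMpEng', 'NisSrv')
    $result.DefenderDirsPresent  = @($dirs  | Where-Object { Test-Path -LiteralPath $_ })
    $result.DefenderProcsRunning = @($procs | Where-Object { Get-Process -Name $_ -ErrorAction SilentlyContinue })

    # Step 2 (the Falcon prevention policy) cannot be read locally; its effect shows up as DefenderPassive.
    $result.HybridOk = $result.FalconRunning -and $result.DefenderPassive
    return [pscustomobject]$result
}

Test-HybridAvConfiguration | Format-List
```

HybridOk is the one value to watch when rolling this out: FalconRunning true with AMRunningMode still "Normal" means the Security Center registration from step 2 has not switched Defender over yet. On Windows Server that registration alone does not put Defender into passive mode; Microsoft's documented ForceDefenderPassiveMode value (a DWORD of 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection) is required there, and this check is where that shows up.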

Now, let’s take this a step further. How does this hybrid approach play out in real-world cyber threats? Here are three critical attack scenarios where keeping MDE enabled in Passive Mode provides additional visibility, detection, and response capabilities:

  • Phishing Attack Leading to Endpoint Compromise
  • Credential Theft & Lateral Movement
  • Insider Threat & Data Exfiltration

In the coming sections, we’ll break down each scenario, explaining how MDE’s telemetry and integrations with Defender XDR, Sentinel, and Defender for Cloud Apps give security teams an edge in identifying, investigating, and mitigating these threats—even with a third-party AV in place.

Phishing Attack Leading to Endpoint Compromise

Phishing remains one of the most effective attack vectors for cybercriminals, often serving as the initial entry point for more sophisticated threats. Attackers craft convincing emails that lure users into clicking malicious links, which can trigger malware downloads or unauthorized system modifications. Without comprehensive threat hunting across email and endpoint data, it can be difficult to fully trace the impact of such an attack.

  • Email logs in Defender for Office 365 show a user received and clicked a phishing link.

The email was delivered to the user’s inbox despite security filters, potentially bypassing detection mechanisms. The link led to a spoofed login page designed to steal user credentials or trigger a malicious file download. Attackers often use trusted services like SharePoint, Google Drive, or AWS to host malicious links, making them harder to detect.

  • Defender for Endpoint detects that the link triggered a PowerShell script execution on the endpoint.

The user unknowingly executed a malicious script embedded in the downloaded file. The script ran PowerShell commands to bypass execution policies, ensuring persistence and avoiding detection. Attackers frequently use obfuscated PowerShell commands to evade security tools.

  • The script attempts to modify registry settings or create a scheduled task for persistence.

The malware made changes to Windows registry keys to automatically execute after a system reboot. A new scheduled task was created to run the malicious script periodically. Persistence techniques like these ensure that the malware remains active even if the system is restarted or the initial process is terminated.

  • Advanced Hunting across email and endpoint data helps analysts see the full attack chain and prevent similar attacks in the future.

Security teams can use Kusto Query Language (KQL) in Microsoft Sentinel to correlate email activity with endpoint behavior. Identifying attack patterns allows for proactive threat hunting and the creation of custom detection rules. Automated response mechanisms, such as blocking similar URLs, quarantining compromised devices, and enforcing conditional access policies, help mitigate future threats.
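The correlation the four bullets above describe, written as an Advanced Hunting query and wrapped in PowerShell so it can be run from a script; this is an added example, not a query from the original post. Table and column names (UrlClickEvents, EmailEvents, DeviceProcessEvents, DeviceRegistryEvents, DeviceEvents) are from the Defender XDR Advanced Hunting schema; the one-hour windows, the PowerShell indicator list and the TaskName key read from AdditionalFields are this example's assumptions to tune. Submission goes through the Microsoft Graph runHuntingQuery endpoint with a bearer token (ThreatHunting.Read.All) obtained out of band.

```powershell
# Added example (not from the original post): phishing click -> PowerShell execution -> persistence on one device.
function Find-PhishingToPersistence {
    [CmdletBinding()]
    param(
        [string]$AccessToken,        # Graph access token; not needed with -QueryOnly
        [string]$Lookback = '7d',    # KQL timespan literal (assumed default)
        [switch]$QueryOnly           # return the KQL text instead of running it
    )

    $template = @'
let lookback = __LOOKBACK__;
// Clicks the user was allowed through to (the link was not blocked at click time)
let clicks = UrlClickEvents
| where Timestamp > ago(lookback) and ActionType == "ClickAllowed"
| project ClickTime = Timestamp, AccountUpn, Url, NetworkMessageId;
// The delivered message behind each click
let mail = EmailEvents
| where Timestamp > ago(lookback)
| project NetworkMessageId, SenderFromAddress, Subject, DeliveryAction;
// PowerShell started by the same user with policy-bypass or download indicators (indicator list is an assumption)
let ps = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-EncodedCommand", "-enc", "ExecutionPolicy Bypass", "-ep bypass", "DownloadString", "IEX")
| project ExecTime = Timestamp, DeviceId, DeviceName, AccountUpn, ProcessCommandLine, InitiatingProcessFileName;
// Persistence written on that device afterwards: Run/RunOnce values or a new scheduled task
let persistence = union
  (DeviceRegistryEvents
   | where Timestamp > ago(lookback) and ActionType == "RegistryValueSet"
   | where RegistryKey contains @"\CurrentVersion\Run"
   | project PersistTime = Timestamp, DeviceId, Persistence = strcat("Registry: ", RegistryKey, "\\", RegistryValueName)),
  (DeviceEvents
   | where Timestamp > ago(lookback) and ActionType == "ScheduledTaskCreated"
   | project PersistTime = Timestamp, DeviceId, Persistence = strcat("ScheduledTask: ", tostring(parse_json(AdditionalFields).TaskName)));
clicks
| join kind=inner mail on NetworkMessageId
| join kind=inner ps on AccountUpn
| where ExecTime between (ClickTime .. (ClickTime + 1h))
| join kind=leftouter persistence on DeviceId
| where isnull(PersistTime) or PersistTime between (ExecTime .. (ExecTime + 1h))
| project ClickTime, AccountUpn, SenderFromAddress, Subject, Url, DeviceName, ExecTime, ProcessCommandLine, PersistTime, Persistence
| order by ClickTime desc
'@
    $kql = $template -replace '__LOOKBACK__', $Lookback

    if ($QueryOnly) { return $kql }   # paste into Advanced Hunting in the Defender portal

    # Run the query through Microsoft Graph and return the result rows
    $body = @{ Query = $kql } | ConvertTo-Json -Compress
    $resp = Invoke-RestMethod -Method Post -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Headers @{ Authorization = "Bearer $AccessToken" } -ContentType 'application/json' -Body $body
    return $resp.results
}

# Usage: Find-PhishingToPersistence -QueryOnly            # print the KQL
#        Find-PhishingToPersistence -AccessToken $token   # run it; each row is one click-to-execution chain
```

The leftouter join keeps a click-to-PowerShell pair even when no persistence has been written yet, so the Persistence column being empty is itself useful: it separates "user ran something" from "the host now survives a reboot", which is the distinction that decides whether to isolate the device.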

Credential Theft and Lateral Movement

Attackers often aim to escalate privileges and move laterally across an organization’s network to gain access to critical assets. This process typically begins with credential theft, where an attacker compromises a legitimate user account and uses it to navigate through the environment undetected. Microsoft Defender for Identity (MDI), Defender for Endpoint (MDE), and network telemetry play crucial roles in detecting and stopping this type of activity before it leads to full domain compromise.

  • Defender for Identity detects an unusual login attempt from a compromised user account.

The login attempt originates from an unfamiliar or high-risk location that does not match the user’s normal behavior. The compromised account may have been obtained through phishing, credential stuffing, or brute force attacks. In some cases, the account shows signs of impossible travel, meaning logins are detected from geographically distant locations within a short timeframe.

  • MDE telemetry shows the same account executing LSASS memory dumps, a common credential dumping technique.

Attackers frequently target Local Security Authority Subsystem Service (LSASS) to extract stored credentials from memory. This technique is commonly associated with tools like Mimikatz, which allow adversaries to retrieve plaintext credentials or NTLM hashes. The execution of LSASS memory dumps is a high-severity event that often precedes privilege escalation and lateral movement.

  • Event correlation reveals that the attacker attempted RDP logins to multiple high-privilege machines.

After extracting credentials, the attacker tries to log in via Remote Desktop Protocol (RDP) to move across the network. Security logs reveal multiple failed RDP attempts, often targeting domain controllers, admin workstations, or sensitive servers. In some cases, successful RDP logins indicate that the attacker has gained administrative control, allowing them to deploy malware or disable security measures.

  • By hunting across identity, endpoint, and network logs, security teams can stop lateral movement before it leads to a full domain compromise.

Analysts can use Advanced Hunting in Microsoft Defender XDR and Sentinel to correlate identity and endpoint data, identifying suspicious account behavior. Automated detection rules can flag unusual authentication patterns, privilege escalation attempts, and network reconnaissance. Security teams can take proactive response actions, such as forcing password resets, isolating affected endpoints, and blocking compromised accounts to mitigate further risk.
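The identity, endpoint and logon correlation described in this scenario as an Advanced Hunting query, again wrapped in PowerShell; an added example, not the post's own query. IdentityLogonEvents (Defender for Identity), DeviceEvents, DeviceProcessEvents and DeviceLogonEvents are Advanced Hunting schema tables. The multi-location test is a simplified stand-in for an impossible-travel alert, and the lsass.exe caller allow-list, the dump-tool indicator list and the three-target threshold are this example's assumptions.

```powershell
# Added example (not from the original post): risky sign-in -> LSASS access -> RDP fan-out by the same account.
function Find-CredentialTheftAndLateralMovement {
    [CmdletBinding()]
    param(
        [string]$AccessToken,
        [string]$Lookback = '3d',
        [switch]$QueryOnly
    )

    $template = @'
let lookback = __LOOKBACK__;
// 1. Identity: accounts that signed in successfully from more than one location in the window
//    (simplified stand-in for an impossible-travel alert)
let risky_logons = IdentityLogonEvents
| where Timestamp > ago(lookback) and ActionType == "LogonSuccess"
| where isnotempty(Location)
| summarize Locations = make_set(Location), FirstLogon = min(Timestamp) by AccountName
| where array_length(Locations) > 1;
// 2. Endpoint: a handle opened to lsass.exe by something outside a small OS/AV allow-list (assumed list),
//    or a command line naming the usual dumping tooling
let lsass_access = DeviceEvents
| where Timestamp > ago(lookback) and ActionType == "OpenProcessApiCall" and FileName =~ "lsass.exe"
| where InitiatingProcessFileName !in~ ("csrss.exe", "wininit.exe", "services.exe", "MsMpEng.exe", "CSFalconService.exe")
| project DumpTime = Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, Tool = InitiatingProcessFileName, CommandLine = InitiatingProcessCommandLine
| union (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where ProcessCommandLine has_any ("sekurlsa", "lsass", "MiniDump")
    | project DumpTime = Timestamp, DeviceName, AccountName, Tool = FileName, CommandLine = ProcessCommandLine);
// 3. Logons: RDP (RemoteInteractive) attempts by that account against several machines
let rdp = DeviceLogonEvents
| where Timestamp > ago(lookback) and LogonType == "RemoteInteractive"
| summarize RdpFailed = countif(ActionType == "LogonFailed"), RdpSucceeded = countif(ActionType == "LogonSuccess"),
            Targets = make_set(DeviceName), FirstRdp = min(Timestamp) by AccountName
| where array_length(Targets) >= 3;
risky_logons
| join kind=inner lsass_access on AccountName
| join kind=inner rdp on AccountName
| where DumpTime > FirstLogon and FirstRdp > DumpTime      // keep the chain in the order the scenario describes
| project AccountName, Locations, DumpTime, DeviceName, Tool, CommandLine, RdpFailed, RdpSucceeded, Targets
| order by DumpTime desc
'@
    $kql = $template -replace '__LOOKBACK__', $Lookback

    if ($QueryOnly) { return $kql }

    $body = @{ Query = $kql } | ConvertTo-Json -Compress
    $resp = Invoke-RestMethod -Method Post -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Headers @{ Authorization = "Bearer $AccessToken" } -ContentType 'application/json' -Body $body
    return $resp.results
}

# Usage: Find-CredentialTheftAndLateralMovement -QueryOnly
#        Find-CredentialTheftAndLateralMovement -AccessToken $token -Lookback '24h'
```

The ordering filter (sign-in before LSASS access before the first RDP attempt) is what turns three noisy signals into one high-confidence chain; drop it if you want the wider view of any account touching all three tables. RdpSucceeded greater than zero with a domain controller in Targets is the row to act on first.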

Insider Threat or Data Exfiltration Attempt

Insider threats and data exfiltration attempts pose a significant risk to organizations, as employees with legitimate access to sensitive data may attempt to transfer files to unauthorized destinations. This could be malicious (intentional data theft) or unintentional (accidental policy violations). Microsoft Defender for Cloud Apps, Defender for Endpoint, and Advanced Hunting in Microsoft Defender XDR provide the necessary visibility to detect and mitigate such risks before sensitive information is exposed.

  • Defender for Cloud Apps detects an employee uploading many files to an unapproved cloud storage service.

Users may attempt to bypass security policies by moving confidential data to personal Google Drive, Dropbox, or other unapproved cloud storage solutions. This activity is detected by Microsoft Defender for Cloud Apps (formerly MCAS), which monitors SaaS application usage and flags unusual file uploads. A sudden spike in data transfers outside business hours or from a high-risk user (e.g., departing employees) raises suspicion.

  • Endpoint logs reveal the same user copying sensitive files to a USB drive or transferring data to an external IP.

Defender for Endpoint (MDE) detects USB activity, identifying when a user copies bulk files to an external device. The copied files might include sensitive keywords, such as financial records, customer data, or intellectual property. Additionally, network logs reveal suspicious outbound connections, indicating that data is being transferred to an unknown external server or an IP address linked to a competitor or threat actor.

  • Advanced Hunting correlates these actions, allowing security teams to investigate potential insider threats or unauthorized data access.

By cross-referencing cloud, endpoint, and network telemetry, analysts can connect the dots between multiple suspicious activities. Defender for Endpoint and Defender for Cloud Apps integration allows analysts to track a user’s complete activity timeline, helping determine intent. Security teams can automatically trigger alerts and enforce Data Loss Prevention (DLP) policies, blocking further data transfers and mitigating risks in real time.
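The cloud, endpoint and network correlation from this scenario as an Advanced Hunting query wrapped in PowerShell; an added example, not the post's own. CloudAppEvents (Defender for Cloud Apps), DeviceEvents, DeviceFileEvents and DeviceNetworkEvents are Advanced Hunting schema tables. The sanctioned-app list, the 20-upload threshold, the assumption that CloudAppEvents.AccountId carries the UPN, and the DriveLetter key read from the UsbDriveMounted event's AdditionalFields are this example's assumptions.

```powershell
# Added example (not from the original post): bulk cloud uploads + USB copies + external connections by one user.
function Find-InsiderExfiltration {
    [CmdletBinding()]
    param(
        [string]$AccessToken,
        [string]$Lookback = '1d',
        [switch]$QueryOnly
    )

    $template = @'
let lookback = __LOOKBACK__;
// Cloud storage the organization sanctions; uploads anywhere else count (constructed list, tune it)
let approved_apps = dynamic(["Microsoft OneDrive for Business", "Microsoft SharePoint Online"]);
// 1. Defender for Cloud Apps: bulk uploads to unsanctioned storage. AccountId is assumed to hold the UPN.
let cloud_uploads = CloudAppEvents
| where Timestamp > ago(lookback) and ActionType == "FileUploaded"
| where Application !in (approved_apps)
| summarize Uploads = count(), Apps = make_set(Application), FirstUpload = min(Timestamp) by AccountUpn = tolower(AccountId)
| where Uploads >= 20;
// 2. Endpoint: files written to a drive letter that a USB mount event assigned shortly before
let usb_copies = DeviceEvents
| where Timestamp > ago(lookback) and ActionType == "UsbDriveMounted"
| extend DriveLetter = tostring(parse_json(AdditionalFields).DriveLetter)
| where isnotempty(DriveLetter)
| project MountTime = Timestamp, DeviceId, DeviceName, DriveLetter
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(lookback) and ActionType in ("FileCreated", "FileRenamed")
    | project CopyTime = Timestamp, DeviceId, FolderPath, FileName, SensitivityLabel, AccountUpn = tolower(InitiatingProcessAccountUpn)
  ) on DeviceId
| where CopyTime > MountTime and FolderPath startswith DriveLetter
| summarize UsbFiles = count(), Labelled = countif(isnotempty(SensitivityLabel)), SampleFiles = make_set(FileName, 5) by AccountUpn, DeviceName;
// 3. Network: successful connections from that user's processes to public addresses
let external_conns = DeviceNetworkEvents
| where Timestamp > ago(lookback) and ActionType == "ConnectionSuccess" and RemoteIPType == "Public"
| summarize ExternalConnections = count(), RemoteIPs = make_set(RemoteIP, 10) by AccountUpn = tolower(InitiatingProcessAccountUpn), DeviceName;
cloud_uploads
| join kind=inner usb_copies on AccountUpn
| join kind=leftouter external_conns on AccountUpn, DeviceName
| project AccountUpn, Uploads, Apps, DeviceName, UsbFiles, Labelled, SampleFiles, ExternalConnections, RemoteIPs
| order by Uploads desc
'@
    $kql = $template -replace '__LOOKBACK__', $Lookback

    if ($QueryOnly) { return $kql }

    $body = @{ Query = $kql } | ConvertTo-Json -Compress
    $resp = Invoke-RestMethod -Method Post -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Headers @{ Authorization = "Bearer $AccessToken" } -ContentType 'application/json' -Body $body
    return $resp.results
}

# Usage: Find-InsiderExfiltration -QueryOnly
#        Find-InsiderExfiltration -AccessToken $token
```

The Labelled column counts copied files that carry a sensitivity label, which is the cheapest proxy the endpoint telemetry gives for "sensitive" without content inspection; a high UsbFiles count with Labelled at zero still warrants a look, but a non-zero Labelled count is the row that justifies enforcing the DLP policy the paragraph above mentions.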

Final Thoughts: Strengthening Security with a Hybrid Approach

By enabling Microsoft Defender for Endpoint (MDE) in Passive Mode alongside CrowdStrike Falcon as the primary AV, organizations can significantly enhance their security posture without disrupting existing workflows. This hybrid approach provides:

  • Comprehensive Visibility – Gain deep telemetry across endpoints, email, identity, and cloud security layers.
  • Improved Threat Detection & Response – Leverage Advanced Hunting, Defender XDR, and Microsoft Sentinel to correlate attack signals across multiple vectors.

While third-party AV solutions focus on real-time protection, Defender’s passive mode capabilities allow security teams to strengthen detection, investigation, and response strategies, ensuring better visibility and faster incident resolution.

In our next article, we will cover Data Loss Prevention (DLP) for Endpoint to protect sensitive data from unauthorized access, leakage, or exfiltration while maintaining compliance with regulatory and organizational security policies.
