Today we set up an interesting simulation that tested Microsoft Defender for Endpoint in a standard deployment (without ASR, but with features like Block Mode enabled), then tried out Microsoft's new EvaluationLab, where endpoints come hardened per Microsoft's specs, and also tested an unnamed IR team's ability to detect us using both their automation and their hands-on-keyboard skills.
After an extremely engaging conversation with a colleague who spent years in the intelligence service, I wanted to employ some of the real-world tactics he had observed nation states utilizing. One thing he said that really stuck with me was, "Most of the time [APTs] they will operate in Medium integrity," so as to use only as much privilege as needed to complete an objective. My colleague went on to explain that at other times they will create "noise" elsewhere to distract from their real intention. These thoughts inspired our testing today: we wanted to give the defense automation some exercise, but also the humans who knew activity was coming and were on alert for it.
As with all Cyber Mongol simulations, we look to our CCI automation to tell us where there is human activity in the open-source or commoditized tradecraft ecosystem. We selected a PE injection that would memory-map another process injector (utilizing callbacks) to inject a Covenant C2 implant into "c:\Windows\System32\manage-bde.exe," the legitimate process for BitLocker. This would be our sneakiness, an attempt to fool the skilled humans tasked with finding us.
So now, if we were going to mimic the conversation I had with my colleague, we would need some loud-and-proud movements to draw the humans' attention away from what we actually wanted to accomplish. We would basically try to accomplish the same goal stated above, but in a high-integrity context. For this we saw that UACME (very popular tradecraft for UAC bypass) had some recent additions and decided to use the following code: https://github.com/hfiref0x/UACME/blob/master/Source/Akagi/methods/azagarampur.c. We were counting on the fact that, because this tradecraft had been added to a social structure with such large social amplification, getting it noticed by the defenders would be a relatively sure thing, but it would also get us killed by MDE automation.
Lastly, we wanted to test two flavors of Microsoft Defender for Endpoint. The first would be a more standard deployment with Block Mode and automated investigations enabled, but without features like Attack Surface Reduction rules. The second test would use Microsoft Defender for Endpoint's EvaluationLab, where all the defense bells and whistles are enabled by default.
IR Team: The team did well at articulating the UAC bypass that injected a Covenant Grunt in high integrity, but were unable to thoroughly convey our true intention (the medium-integrity injection resulting in C2 comms through manage-bde.exe). They did see that the dropper interacted with the legitimate BitLocker process from the suspect directory and reached out to our already-burned IP address, instead of using something nicer like proxying through an Azure/Microsoft domain.
Microsoft Defender for Endpoint Standard Deployment: In this configuration, Microsoft Defender for Endpoint was unable to block any execution, but it did articulate the UAC bypass and the PE re-mapping of manage-bde.exe. Ultimately, the automated investigation classified the PE injection as benign.
Microsoft Defender for Endpoint EvaluationLab Config: Full shutdown of our operation, zero execution. Well done!