While talking about the protection mechanisms in modern cloud environments, one tends to forget the other side.
You must know your enemy in order to fight him successfully. Today we will build a lab to attack a modern Microsoft cloud environment that is protected by the brightest star in Microsoft’s security sky: Microsoft Defender ATP*.
*Windows Defender ATP was recently renamed to Microsoft Defender ATP, since it now also supports some functionality on macOS (and more is planned).
But first, let’s move to the dark side. I am sure you have already heard of many of the tools used by attackers today, but have you ever used them to attack your own machines? Let’s see how that works!
Our lab is simple:
- 1 x Windows 10 1809, AAD joined, Intune managed, Microsoft Defender ATP secured, 100 % Cloud
- 1 x Kali Linux with Metasploit
In case you don’t know it, Kali Linux is a Linux distribution that comes with many important attack and penetration-testing tools. Metasploit is a framework for the complete kill-chain.
A kill-chain describes the process from the first contact of the attacker to the ‘promised land’ (whatever they are aiming to obtain).
Pic01: kill chain
Attack vectors are the first contact the attacker has with your property: he leaves a prepared USB stick in your company parking lot, he writes an email with an attachment or a link to your users, or he attacks you with, e.g., a password spray attack.
In former times, once he had accessed ‘Patient 0’, the first computer, he was in. ‘In’ meant your managed environment, behind your firewalls. Now, in modern concepts, there is no ‘in’ or ‘out’ anymore. Clients are built to always be in an open network. This is what makes one of the next steps harder: lateral movement. Hopping from one computer to the next was easier in former times, since everything inside the perimeter was considered ‘safe’. (Is this still the case in your environment? Go 100% cloud!)
To move laterally, the attacker would try to gain more permissions (admin etc.) and gather more information about your network and directory (e.g. Global Address List discovery).
Now, let’s start with the fun part of this post. On the left you can see the Metasploit console, on the right, you see our Windows 10 client:
Pic02: our setup
First, we must choose an exploit we can use on the Windows machine. I used exploit-db.com to find an appropriate one and decided on an exploit for a popular video player, VLC:
Pic03: choose an exploit
This is a so-called ‘use after free’ exploit: it abuses a bug where the application keeps using memory that it has just freed.
Many exploits are already integrated in the Metasploit database; ‘my’ exploit, however, wasn’t. The VLC exploit is quite new. Exploit-db.com lets you download the exploit so that you can use it in Metasploit. After downloading it, you just tell Metasploit to use it:
Pic04: use the exploit
With ‘show payloads’, you can examine the possible payloads of this exploit. When you read the description of the exploit, you see that its author recommends using only certain payloads with it, since others (e.g. the meterpreter payload) crash the application:
Pic05: show payloads
With ‘show options’, you can see which options are necessary to configure the exploit:
Pic06: show options
In the options above, we see that the exploit will generate two MKV (video) files. The first has to be opened by the victim (the second has to reside in the same directory). We also see which settings are already set and which are still empty. The only setting that is missing here is ‘LHOST’, the IP address of our attacking machine. So let’s set it:
Pic07: set LHOST
That’s it, we are ready to run the exploit:
Pic08: run the exploit
As expected, Metasploit has generated the two .mkv files for us:
Pic09: here we go
Now, when we recall the kill-chain diagram from the beginning, we need an attack vector. How do we distribute the .mkv files to the victim? Well, that is pretty easy: we can zip them and send them by email or – that’s what I did – we can put them on Dropbox and share them with the user. If you accompany them with a ‘social-engineering made up’ text, you can make sure that the video is being watched, or better: ‘double-clicked’. (I just had to convince myself.)
The .mkv files are on the client now. In the meantime, we need to set up a ‘Listener’ on our attacking machine that waits for the victim to double-click on the .mkv file. I have decided to create a reverse shell handler (which is also the default payload option for the exploit):
Pic10: setup the listener
In the screenshot above, you see that we ‘use’ an exploit again, in this case “exploit/multi/handler” for the listener. We then set the payload and the ‘LHOST’ IP and are ready to exploit (run) it:
Pic11: start the listener
The listener is now doing what it should: listening. I then went to the Windows 10 machine and double-clicked the first .mkv file. After a few seconds, I started to receive some data on the listener and finally got a Windows command prompt on my Kali Linux machine!
And what do you do when you have a command prompt on an unknown Windows machine? Exactly, I did a ‘DIR’:
OK, that was a hesitant first try, I must admit. Let’s get gutsy and start something:
Pretty cool, isn’t it? Meanwhile, on the good side of the planet, Microsoft Defender ATP started sending me the first alerts:
In the artifact timeline we can see which application triggered the alert:
Pic15: artifact timeline
Uh-huh, VLC seems to be doing some bad stuff on one of the Windows clients in my environment 😊 As we can see in the process tree, ATP found exactly what our exploit was doing: it started allocating some freed memory (like in the exploit description: ‘use after free’):
Pic16: process tree
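As a complementary view of the same process tree, the following added example (not from the original post, and not how ATP implements its detections) flags a command interpreter started directly by a media player or document viewer and lists what that interpreter went on to launch. The event records, watch lists and function names are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed process-creation events (pid, parent pid, image path); not lab data.
# Real telemetry should key on pid plus start time, because pids are reused.
EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe"),
    (200, 100, r"C:\Program Files\VideoLAN\VLC\vlc.exe"),
    (300, 200, r"C:\Windows\System32\cmd.exe"),
    (400, 300, r"C:\Windows\System32\calc.exe"),
    (500, 100, r"C:\Windows\System32\cmd.exe"),  # user opened a prompt: benign
]

# Assumed watch lists; extend them for your own application landscape.
CONTENT_APPS = {"vlc.exe", "winword.exe", "acrord32.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_lineage(events):
    """Flag interpreters started directly by a content app, plus their descendants."""
    image = {pid: name(path) for pid, _, path in events}
    children = defaultdict(list)
    for pid, ppid, _ in events:
        children[ppid].append(pid)

    findings = []
    for pid, ppid, _ in events:
        if image[pid] in INTERPRETERS and image.get(ppid) in CONTENT_APPS:
            # Walk everything the interpreter started (guard against pid loops).
            seen, stack, spawned = {pid}, list(children[pid]), []
            while stack:
                child = stack.pop()
                if child in seen:
                    continue
                seen.add(child)
                spawned.append(image[child])
                stack.extend(children[child])
            findings.append({"pid": pid, "chain": f"{image[ppid]} > {image[pid]}",
                             "spawned": sorted(spawned)})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_lineage(EVENTS):
        print(finding)
```

The prompt opened from explorer.exe (pid 500) is not flagged; only the interpreter whose parent is the media player is.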
Anyway, let’s try to get a step further. I am now trying to upgrade the remote shell session to a meterpreter session. With meterpreter we have more possibilities. You can easily run a keylogger, Mimikatz or much more. To upgrade to meterpreter, we have to put the remote session into a background session by pressing ctrl+Z. Then we use the exploit “shell_to_meterpreter”:
Pic17: trying to start a meterpreter session
With ‘sessions’ we can see the current remote shell session. We set the exploit to session 1 to tell the shell_to_meterpreter exploit to use our remote shell session to upgrade, then we run the exploit:
Pic18: not working somehow
With that, ATP freaked out:
Pic19: new alerts in ATP (1)
Pic20: new alerts in ATP (2)
And we didn’t get any new (meterpreter) session, but still have just the remote shell session:
Pic21: no new session
What happened? As we can see in the ATP machine timeline, it was ATP’s friend Windows Defender Antivirus that remediated our attempt to attack the machine with the meterpreter payload:
Pic22: friends will be friends (Windows Defender Antivirus did the job)
Which is good or bad, depending on the perspective. Let’s take a look at the complete alert history:
Pic23: Alerts queue
What scared me a little here is the fact that all these alerts had an assigned severity of “medium”. So, you really must look into your medium alerts!
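One way to make sure medium alerts get that attention is to escalate when several of them pile up on one machine within a short time. The following is an added example, not part of the original post and not an ATP feature: it groups constructed alert records per machine with a sliding time window. The machine names, categories, thresholds and function name are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts (machine, time, severity, category); not exported from ATP.
ALERTS = [
    ("win10-lab", "2019-04-01T10:02:00", "Medium", "Exploit"),
    ("win10-lab", "2019-04-01T10:05:00", "Medium", "SuspiciousActivity"),
    ("win10-lab", "2019-04-01T10:21:00", "Medium", "Malware"),
    ("win10-hr", "2019-04-01T10:03:00", "Medium", "SuspiciousActivity"),
    ("win10-hr", "2019-04-02T16:40:00", "Medium", "SuspiciousActivity"),
    ("win10-lab", "2019-04-03T09:00:00", "Low", "SuspiciousActivity"),
]


def correlate_medium(alerts, window=timedelta(minutes=30), min_alerts=3, min_categories=2):
    """Return one escalation per machine whose medium alerts cluster in `window`."""
    per_machine = defaultdict(list)
    for machine, ts, severity, category in alerts:
        if severity == "Medium":
            per_machine[machine].append((datetime.fromisoformat(ts), category))

    escalations = []
    for machine, items in sorted(per_machine.items()):
        items.sort()
        start, best = 0, None
        for end in range(len(items)):
            # Shrink the window from the left until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            burst = items[start:end + 1]
            categories = {c for _, c in burst}
            if len(burst) >= min_alerts and len(categories) >= min_categories:
                if best is None or len(burst) > best["count"]:
                    best = {"machine": machine, "count": len(burst),
                            "categories": sorted(categories),
                            "first": burst[0][0].isoformat(),
                            "last": burst[-1][0].isoformat()}
        if best:
            escalations.append(best)
    return escalations


if __name__ == "__main__":
    for escalation in correlate_medium(ALERTS):
        print(escalation)
```

Two medium alerts of the same category a day apart (win10-hr) stay in the normal queue; three alerts of different categories within 19 minutes (win10-lab) are escalated.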
Windows Defender and Microsoft Defender ATP worked hand in hand in my scenario. However, I had access to the targeted machine and could execute arbitrary code (calc.exe). ATP recognized that – which is good, but wouldn’t it be even better if we could get a hint upfront?
Microsoft Defender ATP Threat and Vulnerability Management
Microsoft is currently rolling out this new feature to tenants worldwide. With TVM, ATP gathers information about the applications on your clients, the installed versions and the configuration. This data is then compared with Microsoft’s Threat Intelligence. That’s why ATP could already tell me before my Windows 10 machine was attacked that it has a vulnerability in an application called “VLC”:
Pic24: we could have known before
ATP even tells me which vulnerabilities are associated with the installed version of VLC:
Pic25: CVEs associated with the software version
You might have noticed that our CVE (the second one) is listed. When we click on this CVE, we get a description that is quite similar to the description on exploit-db.com:
Pic26: CVE details
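The idea behind this view, comparing installed versions with known-vulnerable ones and ranking the result, can be shown in a few lines. This is an added example, not from the original post and not TVM's actual logic or scoring: the inventory, the advisory feed with its placeholder IDs and versions, the "fixed in" model and the score (CVSS times number of machines) are all assumptions.

```python
import re
from collections import defaultdict

# Constructed data: versions and advisory IDs are placeholders, not real
# VLC release numbers or CVE entries.
INVENTORY = [
    ("win10-lab", "vlc", "1.2.9"),
    ("win10-dev", "vlc", "1.2.9"),
    ("win10-hr", "vlc", "1.2.10"),
    ("win10-dev", "examplezip", "9.1"),
]
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-1", "app": "vlc", "fixed_in": "1.2.10", "cvss": 7.8},
    {"id": "CVE-PLACEHOLDER-2", "app": "vlc", "fixed_in": "1.2.2", "cvss": 9.8},
    {"id": "CVE-PLACEHOLDER-3", "app": "examplezip", "fixed_in": "9.20", "cvss": 5.5},
]


def is_older(version, fixed_in):
    """Numeric, component-wise compare; '1.2.9' is older than '1.2.10'.

    Pre-release tags such as '-beta' are not handled in this sketch.
    """
    a = [int(n) for n in re.findall(r"\d+", version)]
    b = [int(n) for n in re.findall(r"\d+", fixed_in)]
    width = max(len(a), len(b))
    a += [0] * (width - len(a))  # pad so '1.2' equals '1.2.0'
    b += [0] * (width - len(b))
    return a < b


def exposure_report(inventory, advisories):
    """List advisories that still apply, most exposed first (cvss x machines)."""
    affected = defaultdict(set)
    for machine, app, version in inventory:
        for adv in advisories:
            if adv["app"] == app and is_older(version, adv["fixed_in"]):
                affected[adv["id"]].add(machine)
    by_id = {adv["id"]: adv for adv in advisories}
    report = [{"id": i, "app": by_id[i]["app"], "machines": sorted(m),
               "score": round(by_id[i]["cvss"] * len(m), 1)}
              for i, m in affected.items()]
    return sorted(report, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in exposure_report(INVENTORY, ADVISORIES):
        print(row)
```

A plain string comparison would rate "1.2.9" as newer than "1.2.10" and hide the finding, which is why the versions are compared component by component.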
I have just scratched the surface. After I had access to the target machine and was able to execute calc.exe, I gave up quite early when the meterpreter session couldn’t be established. There are many possibilities to obfuscate the payload to make it harder to recognize. The fact that ATP noticed that the VLC exploit allocated just-freed memory shows the real power of the tool, the power of behavioral analysis.
Threat & Vulnerability Management completes Microsoft Defender ATP. It gives you a vulnerability-based view of the application landscape of your environment and gives you prioritized advice on how to get rid of the vulnerabilities before they get actively exploited.
However, to be able to judge the importance of tools like Microsoft Defender ATP, you must adopt the red team’s point of view. If you try to think like an attacker, you will be better able to understand how to protect your environment. So … go, hack yourself!