Microsoft Defender ATP Product Integration

Microsoft Defender ATP is a strong product on its own and becomes even more valuable when it is integrated with other Microsoft products. This blog post explains the advantages of integrating Microsoft Defender ATP with those products and how they complement each other.

Microsoft Defender ATP and Microsoft Office 365 ATP

Through threat intelligence sharing, a malicious attachment identified by Microsoft Office 365 ATP is also identified as malicious by Microsoft Defender ATP, so the same file is blocked at the endpoint. Because of this integration, the file is blocked automatically on the endpoint even when it is downloaded through a different channel than e-mail.

Another advantage of the integration between Microsoft Defender ATP and Microsoft Office 365 ATP is an overview of the devices that could have been affected by a detected malicious e-mail message, including how many recent alerts those devices have in Microsoft Defender ATP.

The integration needs to be enabled in Microsoft Office 365 ATP and within Microsoft Defender ATP.

Microsoft Office 365 and Microsoft Defender ATP integration
Microsoft Defender ATP and Microsoft Office 365 integration

Note: Your organization must have Office 365 ATP Plan 2 and Microsoft Defender ATP.

Microsoft Defender ATP and Microsoft Azure ATP

A simple but powerful part of the integration between Microsoft Defender ATP and Microsoft Azure ATP is that alerts are shared between the two products.

The Microsoft Azure ATP portal shows Microsoft Defender ATP alerts, and the Microsoft Defender ATP portal shows Microsoft Azure ATP alerts.

Windows Defender ATP alerts in Microsoft Azure ATP
Microsoft Azure ATP alerts in Microsoft Defender ATP

The integration needs to be enabled in Microsoft Azure ATP and within Microsoft Defender ATP.

Windows Defender ATP integration with Microsoft Azure ATP
Microsoft Azure ATP integration with Microsoft Defender ATP

Microsoft Defender ATP and Azure AD Conditional Access

Microsoft Intune provides the integration between Microsoft Defender ATP and Azure AD Conditional Access: Microsoft Defender ATP reports the risk level of a device to Intune, and Intune evaluates that risk level against its device compliance policy.

If a device is non-compliant because of a Microsoft Intune compliance policy (for example, its Microsoft Defender ATP risk level is above the allowed level), Conditional Access can block the device from accessing company data.

Block non-compliant devices with Conditional Access

Microsoft Defender ATP and Azure Security Center

The integration between Microsoft Defender ATP and the Azure Security Center Standard tier automatically enables the Microsoft Defender ATP sensor on Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 machines monitored by Azure Security Center. With the integration enabled, those Windows Servers are on-boarded automatically.

Alerts from Microsoft Defender ATP are shown in Azure Security Center as well.

To integrate Microsoft Defender ATP with Azure Security Center, use the following option.

Microsoft Defender ATP integration with Azure Security Center

Microsoft Defender ATP and Skype for Business

A minor but helpful benefit of the Skype for Business integration with Microsoft Defender ATP is one-click communication, from the portal, with the user of an affected device.

Skype for Business integration with Microsoft Defender ATP

To integrate Microsoft Skype for Business with Microsoft Defender ATP, use the following option.

Skype for Business integration with Microsoft Defender ATP

Microsoft Defender ATP and Microsoft Threat Protection

Microsoft Threat Protection natively integrates Microsoft Defender ATP with the other Microsoft security solutions (Microsoft Office 365 ATP, Microsoft Azure ATP, Microsoft Cloud App Security, and others) into a single experience. More on Microsoft Threat Protection in a future blog post.

Conclusion

This blog post covers only the integrations of Microsoft Defender ATP, and as shown, even those bring many benefits. Imagine the data correlation that becomes possible once all Microsoft products are integrated.

Microsoft Office 365 ATP Attack Simulator

Microsoft Office 365 ATP Attack Simulator is used to determine how end users behave during a phishing attack and to check for weak passwords within your tenant. In one of my previous blog posts, I already mentioned the Attack Simulator; in this blog post, I will go into it in more depth.

Microsoft Office 365 ATP Attack Simulator consists of four simulated attacks: Spear Phishing (Credentials Harvest), Spear Phishing (Attachment), Brute Force Password (Dictionary Attack), and Password Spray Attack.

Note: The difference between a brute force attack and a password spray attack is the direction of the guessing. With a brute force attack, you try many passwords against a single identity. With a password spray attack, you try a single (commonly used) password against many identities, which keeps the number of failures per account low enough to stay under account lockout thresholds. Microsoft Office 365 ATP Attack Simulator contains both.
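The distinction matters for detection as much as for simulation. The following is an added example, not part of the original post: a PowerShell function that applies the two definitions above to Azure AD sign-in records and labels each source IP as brute force, password spray, or neither. The records are constructed inline so the block runs offline; the field names follow the Azure AD sign-in log schema (userPrincipalName, ipAddress, status.errorCode, where 50126 means invalid user name or password), and the thresholds are assumptions to tune for your tenant.

```powershell
# Added example, not from the original post: applying the brute-force / password-spray
# definitions to sign-in data. The records below are constructed; in a real tenant they
# would come from the Azure AD sign-in logs (Get-AzureADAuditSignInLogs in AzureADPreview).
$signIns = @(
    # Brute force: one identity, a dozen guesses, one source
    1..12 | ForEach-Object { [pscustomobject]@{ userPrincipalName = 'alice@contoso.com'; ipAddress = '203.0.113.10'; errorCode = 50126 } }
    # Password spray: one guess each against many identities, one source
    'bob', 'carol', 'dave', 'erin', 'frank', 'grace', 'heidi', 'ivan' | ForEach-Object {
        [pscustomobject]@{ userPrincipalName = "$($_)@contoso.com"; ipAddress = '198.51.100.7'; errorCode = 50126 } }
    # Benign: a single typo followed by a successful sign-in (errorCode 0)
    [pscustomobject]@{ userPrincipalName = 'judy@contoso.com'; ipAddress = '192.0.2.44'; errorCode = 50126 }
    [pscustomobject]@{ userPrincipalName = 'judy@contoso.com'; ipAddress = '192.0.2.44'; errorCode = 0 }
)

function Get-PasswordAttackPattern {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$BruteForceThreshold = 10,   # failures against one account from one source (assumption)
        [int]$SprayUserThreshold  = 5     # distinct accounts failing from one source (assumption)
    )
    $failures = $Events | Where-Object { $_.errorCode -eq 50126 }
    foreach ($source in ($failures | Group-Object ipAddress)) {
        # @() so .Count is the number of accounts even when only one account failed
        $perUser    = @($source.Group | Group-Object userPrincipalName)
        $maxPerUser = ($perUser | Measure-Object -Property Count -Maximum).Maximum
        $verdict = 'None'
        if ($maxPerUser -ge $BruteForceThreshold) { $verdict = 'BruteForce' }
        elseif ($perUser.Count -ge $SprayUserThreshold -and $maxPerUser -le 2) { $verdict = 'PasswordSpray' }
        [pscustomobject]@{
            IPAddress     = $source.Name
            Failures      = $source.Count
            DistinctUsers = $perUser.Count
            MaxPerUser    = $maxPerUser
            Verdict       = $verdict
        }
    }
}

Get-PasswordAttackPattern -Events $signIns | Format-Table -AutoSize
```

On the constructed data, 203.0.113.10 is labelled BruteForce (12 failures against one account), 198.51.100.7 PasswordSpray (eight accounts, one failure each) and 192.0.2.44 None. The spray rule keys on many distinct accounts with very few failures per account, which is exactly the profile that slips under per-account lockout.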

An overview of all possible attacks within the Attack Simulator

Spear Phishing (Credentials Harvest)

Let us take a look at the Spear Phishing (Credentials Harvest) attack first.

A spear phishing attack is a targeted attempt to acquire sensitive information, such as user names and passwords, by masquerading as a trusted entity towards a specific victim. This Spear Phishing attack uses a website that asks the victim to log in, in order to obtain their user name and password.

Let us look at the options we have when we launch a Spear Phishing (Credentials Harvest) attack. We can use two templates, Prize Giveaway and Payroll Update, but any detail can be changed during the wizard.

Provide a name to the campaign

The next step is to choose to whom the phishing e-mail is sent.

Select the recipients

Note: A single campaign supports up to 10,000 recipients. You can either select individual recipients or import a list of recipients.

The next step is to select the e-mail details.

Provide e-mail details

At this moment, the phishing landing page can only be chosen from a fixed list of domains:

http://portal.docdeliveryapp.com
http://portal.docdeliveryapp.net
http://portal.docstoreinternal.com
http://portal.docstoreinternal.net
http://portal.hardwarecheck.net
http://portal.hrsupportint.com
http://portal.payrolltooling.com
http://portal.payrolltooling.net
http://portal.prizegiveaway.net
http://portal.prizesforall.com
http://portal.salarytoolint.com
http://portal.salarytoolint.net

The last option you can set is the body of the e-mail. Since I selected a template at the beginning of the wizard, an e-mail body has already been created, but it can be changed.

E-mail body
E-mail body as code

The phishing campaign is pretty good, and I love seeing this all happening within the tenant. Here are my concerns about the phishing campaign, though:

  1. Even though Microsoft uses HTTP on purpose for security-awareness reasons, I think HTTPS should also be supported, as phishing websites do not limit themselves to HTTP either.
  2. There is a fixed set of domain URLs to choose from for the phishing campaign. I would like to see custom domains to make the campaign more realistic.
  3. The capture portal does not look like a Microsoft Office 365 log-in portal. It would be better to be able to set a custom capture portal (e.g. with a company logo or a copy of an ADFS portal), or a replica of the Microsoft Office 365 log-in portal, to make it more realistic.
  4. The user can log in to the portal using a user name and password, but there is no multi-factor authentication support. Since Microsoft forces companies to enable multi-factor authentication, support for multi-factor authentication in the phishing campaign would be very welcome.

Spear Phishing (Attachment)

Now let us take a look at the Spear Phishing (Attachment) attack.

The idea of the Spear Phishing (Attachment) attack is the same as that of the Spear Phishing (Credentials Harvest) attack, except for two extra options: Attachment Type and Attachment Name.

Select attachment type

The recipient will see the following message when opening the attachment:

View of phishing attachment

The recipient also receives a link in the e-mail that leads to a phishing landing page. The idea is the same as with the Spear Phishing (Credentials Harvest) attack: lure the victim into logging in to the portal to steal user names and passwords.

Here I have some concerns as well:

  1. The attachment does not work when you open it in view (preview) mode. If you open the attachment that way, Attack Simulator does not register it.
  2. The attachment does not contain anything malicious. I would love to see a Word document with a macro as the malicious attachment, to make the attack more realistic.

Brute Force Password (Dictionary Attack)

The idea behind a Brute Force Password attack is to guess the password of a single identity by trying as many passwords as possible.

Brute Force Password (Dictionary Attack)

I have some concerns here as well:

  1. Neither the Brute Force Password (Dictionary Attack) nor the Password Spray attack works when multi-factor authentication is enabled. The Attack Simulator runs, but does not show any results when MFA is enabled, which makes it useless in that case.

Note: If you want to ban known or weak passwords, I recommend looking at the Password Protection feature in Azure AD Premium.

Password Spray Attack

The Password Spray Attack is the same as the Brute Force Password (Dictionary Attack), except that a single password is tried against multiple identities.

Password Spray Attack

Conclusion

I like the idea that anyone can create a phishing campaign with a few clicks. What I like most is that the data never leaves the tenant.

Unfortunately, the Attack Simulator needs a lot of work before it can be considered a proper awareness-campaign service. If you want to ban well-known passwords from your tenant, I recommend the Azure AD Premium feature Password Protection instead of testing passwords with the Attack Simulator.

Even though I have some concerns, the Attack Simulator is only one of many features in the Microsoft Office 365 ATP license. Looking at the other elements of the license, such as Safe Attachments, Safe Links, Anti-phishing policies, Reporting, and Automated investigation and response, I would recommend any organization to purchase Microsoft Office 365 ATP. Safe Attachments, Safe Links, Anti-phishing policies, and Automated investigation and response are must-haves, but I will go in-depth on these later.

Microsoft Office 365 Incident Response using the Portal

A Computer Emergency Response Team (CERT) is a group of information security experts responsible for responding to an organization's cybersecurity incidents. When an incident occurs within Office 365, many products can help identify and mitigate the threat, including Microsoft Office 365 Advanced Threat Protection (ATP). Microsoft Office 365 ATP is part of Office 365 E5, Microsoft 365 E5, and Microsoft 365 E5 Security. Other tools within the Microsoft 365 E5 suite can help you identify and mitigate an incident, but what if you do not have an E5 license? In this blog post, I will go more in-depth into what you can do without Microsoft Office 365 ATP: investigating a single identity using just the portal.

Litigation Hold

The first thing I recommend doing during an incident within Office 365 is to check whether a mailbox needs a Litigation Hold. Litigation Hold preserves all mailbox content, including deleted items and the original versions of modified items. The second thing I recommend is to check which license plans are available within the tenant, since that determines which tools you have to work with. The last thing I recommend is to regain control as quickly as possible. If you have identified a compromised user, initiate a password reset as soon as possible to prevent lateral movement. A password reset does not immediately end sessions that already hold valid tokens, so do not forget to also sign the user out of all Office 365 sessions.

Initiate Sign-out

To initiate a sign-out from all Office 365 sessions, go to Users > Active users within the Office 365 portal, click the user account to open the user's properties page, and click Initiate sign-out.

Unfortunately, this does not mean you are in control of the situation. One of my biggest concerns is: what did the attacker find in the mailbox? Did the attacker recover a password that can be used to log in to another mailbox and go undetected? Did the attacker recover a password for a third-party application outside the tenant that could still have a business impact?

Search History

If there is any indication that an attacker was logged in to a mailbox, you can search for malicious activities. There is an option to export the complete search history, which can help identify what the attacker was looking for in the mailbox. To export the search history, go to Settings in the top right corner within Office 365, click View all Outlook settings, go to General, and then to Privacy and data.

Export Search History

Attackers commonly set up persistence to keep receiving the contents of the mailbox even after their access is cut off. Persistence can be as simple as a mailbox forwarding setting, inbox rules, or a combination of the two.

Forwarding Rules

To review the forwarding settings and inbox rules, go to Settings in the top right corner within Office 365, click View all Outlook settings, go to Mail, and then to Forwarding and Rules.

Inbox Forwarding
Inbox Rules

Deleted Items

Attackers also want to stay undetected as long as possible. One way to do that is to delete incoming e-mails (security warnings or replies to phishing mail sent from the account, for example) with a rule and then remove them from Deleted Items as well. Luckily, those items can still be recovered: open the user's mailbox, go to Deleted Items, and click Recover items deleted from this folder.

Recover Deleted Items

Illicit Consent

An illicit consent grant attack is an attack where an attacker registers an Azure AD application that requests access to data such as contact information, e-mail, or documents. The attacker then tricks the victim into visiting a website where they grant the application access to their account; the attacker then has access through the application's token and does not need the user's password at all.

To check whether a user granted an application consent to access their data, go to Azure Active Directory > Users, select the user, and click Applications. Make sure the list does not contain unknown or malicious applications.

Registered Applications

Sign-ins and Audit logs

The sign-in and audit logs in Azure Active Directory give you a lot of information about an identity: the location and IP address of each sign-in, the client application used, the user agent, device information, identity activities, and more.

To get the sign-in and audit logs, go to Azure Active Directory > Users, select the user, and click Sign-ins or Audit logs.

Sign-ins logs

Content Search

Use Content search and Audit log search to find all tenant activities, including file activity, folder activity, SharePoint list activity, Exchange mailbox activity, and so on. You can use the Content search tool to search e-mail, documents, and instant-messaging conversations based on conditions such as date, sender, recipients, and subject.

Note: Audit log search is not necessarily turned on by default. Microsoft is changing the default so that it will soon be enabled for every tenant. If the option is disabled, you will see a message saying Turn on auditing.

Audit log search

eDiscovery

With eDiscovery, you can do the same as with Content search, but you create a case that you use to handle the incident. You can add engineers to the case, place the mailboxes and data that are part of the case on hold, and so on. Advanced eDiscovery is eDiscovery with many more settings and options.

e-Discovery

Message Trace

To track the flow of e-mail messages through your organization, use Message Trace. If you want to know which e-mail was sent to whom within a given time range, Message Trace is the tool within the portal.

View Alerts

The last view I recommend is the Alerts view. It gives a good overview of the alerts, at each risk level, available within the tenant.
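The portal walk-through above, as one repeatable triage function. This is an added example and not part of the original post: it uses the AzureAD, AzureADPreview (for sign-in logs) and ExchangeOnlineManagement modules to collect the same evidence for a single identity and, with a switch, to contain it. The account name is hypothetical, both modules are assumed to be connected already with sufficient rights, and Litigation Hold requires an Exchange Online Plan 2 license on the mailbox.

```powershell
# Added example, not from the original post: the portal walk-through as a repeatable triage
# script. Assumes Connect-AzureAD and Connect-ExchangeOnline have been run with an account that
# has the Exchange and Azure AD rights for these cmdlets; Get-AzureADAuditSignInLogs needs AzureADPreview.
function Invoke-IdentityTriage {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [int]$LookbackDays = 30,
        [switch]$Contain      # without -Contain the function only collects evidence
    )
    $now   = Get-Date
    $since = $now.AddDays(-$LookbackDays)

    if ($Contain) {
        # Preserve first: Litigation Hold keeps deleted and modified items (needs Exchange Online Plan 2).
        Set-Mailbox -Identity $Upn -LitigationHoldEnabled $true
        # Then take control: the reset stops new sign-ins, revoking refresh tokens ends existing
        # sessions (this is what "Initiate sign-out" in the portal does).
        $tempPassword = ConvertTo-SecureString ([guid]::NewGuid().Guid) -AsPlainText -Force
        Set-AzureADUserPassword -ObjectId $Upn -Password $tempPassword -ForceChangePasswordNextLogin $true
        Revoke-AzureADUserAllRefreshToken -ObjectId $Upn
    }

    # Persistence: mailbox-level forwarding plus rules that forward, redirect, delete or hide mail.
    # -IncludeHidden also returns rules created through MAPI without a name, which Outlook does not list.
    $forwarding = Get-Mailbox -Identity $Upn |
        Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
    $riskyRules = Get-InboxRule -Mailbox $Upn -IncludeHidden | Where-Object {
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or $_.MoveToFolder
        } | Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder

    # Who changed the rules, from which IP and client: the unified audit log records these operations.
    $ruleAudit = Search-UnifiedAuditLog -StartDate $since -EndDate $now -UserIds $Upn `
            -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox -ResultSize 1000 |
        ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        Select-Object CreationTime, Operation, ClientIP, ClientInfoString

    # Items purged from Deleted Items still sit in Recoverable Items; Restore-RecoverableItems brings them back.
    $purged = Get-RecoverableItems -Identity $Upn -FilterStartTime $since -FilterEndTime $now |
        Select-Object Subject, LastModifiedTime, SourceFolder

    # Illicit consent: applications this user granted delegated permissions to, with their publisher.
    $consents = Get-AzureADUserOAuth2PermissionGrant -ObjectId $Upn | ForEach-Object {
        $sp = Get-AzureADServicePrincipal -ObjectId $_.ClientId
        [pscustomobject]@{ Application = $sp.DisplayName; Publisher = $sp.PublisherName; Scope = $_.Scope }
    }

    # Sign-ins: where from, with what client, and whether they succeeded (ErrorCode 0).
    $signIns = Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq '$Upn'" -Top 200 |
        Select-Object CreatedDateTime, IpAddress, ClientAppUsed,
            @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
            @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } }

    # Message trace (covers the last 10 days only): who received mail from this account, most frequent first.
    $sentTo = Get-MessageTrace -SenderAddress $Upn -StartDate $now.AddDays(-10) -EndDate $now |
        Group-Object RecipientAddress | Sort-Object Count -Descending |
        Select-Object -First 20 @{ n = 'Recipient'; e = { $_.Name } }, Count

    [pscustomobject]@{
        Mailbox     = $Upn
        Forwarding  = $forwarding
        RiskyRules  = $riskyRules
        RuleAudit   = $ruleAudit
        Recoverable = $purged
        AppConsents = $consents
        SignIns     = $signIns
        SentTo      = $sentTo
    }
}

# Evidence only; add -Contain to also place the hold, reset the password and revoke sessions.
Invoke-IdentityTriage -Upn 'alice@contoso.com' | Format-List
```

The order inside the -Contain branch is deliberate: preserve before you change anything, and revoke tokens in addition to resetting the password, because a reset on its own leaves already-issued access tokens usable until they expire. The evidence section pulls every source the portal steps above visit (forwarding, rules, audit log, recoverable items, application consents, sign-ins, message trace) in one pass, so the result can be saved as a single object for the case file.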

Conclusion

With just the portal and no E5 licenses, it is "hard" to investigate an incident. In another blog post, I will go in-depth on doing a proper analysis with tooling like PowerShell.

Microsoft Azure AD Premium

Every Microsoft 365 tenant contains Azure AD Free. The free edition includes core identity and access management and business-to-business collaboration. Even though the free edition comes with many features, such as Multi-Factor Authentication (MFA), Password Protection, Azure AD Connect sync, and Single Sign-On (SSO), Microsoft offers two additional plans called Azure AD Premium P1 and P2.

This article will explain the differences between the two and take a more in-depth look into Azure AD Premium.

Azure AD Premium Features

The difference between Azure AD Premium P1 and P2 is Identity Protection and Identity Governance. But before we look at those, let us take a look at the premium features both plans share.

The free edition contains Password Protection, but without custom banned passwords. Custom banned passwords is one of the premium features: you define a list of words that users cannot use in their password, so simple passwords based on, for example, the company name are not allowed. Password Protection for Windows Server Active Directory does the same as Password Protection, but for on-premises Active Directory.

Self-service password reset removes the need for users to call the service desk to change their password; the user resets it on a self-service portal without any support from the company. Azure AD Join makes it possible to enroll devices automatically into device management when they are joined.

A noticeable feature of Azure AD Premium is Conditional Access. Conditional Access, as the name implies, grants or blocks access based on conditions. You can require MFA, block specific applications, block legacy authentication, and more.

Identity Protection and Identity Governance

Azure AD Premium P2 features not included in Azure AD Premium P1 are Identity Protection and Identity Governance. Identity Protection detects risky sign-ins and risky users based on many indicators (atypical travel, malware-linked IP addresses, leaked credentials, and many more). Conditional Access uses these risk detections to allow or block an identity, or to require a password change. Using Identity Protection makes it possible to mitigate an attack within seconds, thanks to this automated response to a risky user.

Identity Governance contains Privileged Identity Management (PIM), Access Reviews, and Entitlement Management. PIM makes it possible to control, manage, and monitor access to important resources in your organization. PIM provides Just-In-Time (JIT) access to Azure AD and Azure resources, time-bound access, approval requirements, and much more. Access Reviews let you review access regularly to make sure only the right people keep it.

Conditional Access, Identity Protection, and Privileged Identity Management help organizations take control of their identities and are definitely worth checking out.

Licensing

Azure AD Premium P1 is included in Microsoft 365 E3 and Azure AD Premium P2 in Microsoft 365 E5; both are also available as separate licenses.

Microsoft Office 365 ATP

Every Office 365 tenant that includes e-mail is protected by Exchange Online Protection (EOP). EOP is a cloud-based e-mail filtering service that protects against spam and malware. EOP filters inbound and outbound e-mail using rules and policies based on the sender's reputation, keywords, e-mail addresses, and sophisticated algorithms.

When it comes to phishing, the security awareness of your employees is critical. Every employee needs to be able to tell whether an e-mail they received is malicious, and if it is, needs to know how to handle it.

Microsoft Office 365 ATP lowers the risk of a malicious e-mail reaching a user's mailbox. EOP is the first line of e-mail filtering, whereas Microsoft Office 365 ATP adds advanced, cloud-based filtering on top of it. In this blog post, I will take a more in-depth look at Microsoft Office 365 ATP.

Microsoft Office 365 ATP Protection

Configuration, protection, and detection

The “main” features of Microsoft Office 365 ATP are Safe Attachments, Safe Links, and Anti-Phishing policies.

Safe Attachments

Safe Attachments protects the organization from malicious attachments received by e-mail and blocks files identified as malicious in Teams and in document libraries (OneDrive and SharePoint). Safe Attachments uses machine learning and detonation analysis to detect malicious intent.

There are several policy actions you can configure for Safe Attachments: Monitor, Block, Replace, and Dynamic Delivery. Before delivery, attachments are detonated in a sandbox and scanned for malicious content. With Dynamic Delivery, the e-mail is delivered to the user's inbox right away with a placeholder attachment, and the real attachment is re-attached shortly after, once it is considered safe. This delay has some user impact, because the e-mail arrives first and the attachment later.

Safe Links

Safe Links protects the organization from malicious links sent in e-mail. At delivery time, each URL is rewritten to point at the Safe Links service. The original URL is still shown to the end user to prevent confusion, but when the user clicks the link, it first goes to "safelinks.protection.outlook.com/?url=<original url>", where the destination is checked at click time and the click is logged, before the user is redirected to the original URL. Because every click passes through the rewritten link, Microsoft knows who clicked it. During an incident, this makes it nearly effortless to find out which users clicked a link and to mitigate the attack by acting (a password reset, for example).
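When Safe Links rewrites a URL, the address in message headers, logs and forwarded mail is the rewritten one, so an analyst regularly has to recover the real destination. The following is an added example, not part of the original post: a PowerShell function that extracts the original URL from the "url=" query parameter of a Safe Links link and leaves any other URL untouched. The sample URL is constructed (it borrows a landing-page domain from the Attack Simulator post above); the tracking parameters a real link also carries are ignored.

```powershell
# Added example, not from the original post: recover the destination behind a Safe Links URL.
# Real rewritten links look like https://<region>.safelinks.protection.outlook.com/?url=<encoded>&data=...
# The sample below is constructed.
Add-Type -AssemblyName System.Web

function Get-SafeLinksTarget {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Url)
    process {
        $uri = [uri]$Url
        # Only unwrap links that really point at the Safe Links service; everything else passes through.
        if ($uri.Host -notlike '*.safelinks.protection.outlook.com') { return $Url }

        # ParseQueryString percent-decodes each value, so the nested URL comes back intact,
        # including its own query string (which is why the original was encoded in the first place).
        $query  = [System.Web.HttpUtility]::ParseQueryString($uri.Query)
        $target = $query['url']
        if ([string]::IsNullOrEmpty($target)) { return $Url }   # rewritten link without a url= parameter
        $target
    }
}

$sample = 'https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fportal.payrolltooling.com%2Flogin%3Fid%3D42&data=02%7C01%7C&sdata=abc&reserved=0'

$sample | Get-SafeLinksTarget                       # the unwrapped destination
([uri](Get-SafeLinksTarget $sample)).Host           # the host to compare against what the e-mail displayed
```

For the sample, the function returns https://portal.payrolltooling.com/login?id=42. Comparing that host with the text the e-mail displayed to the user is the quick check for a link whose visible label and real destination disagree; the function can be fed a whole column of URLs from an Explorer or message-trace export through the pipeline.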

Anti-phishing

Anti-phishing policies use machine learning models and impersonation-detection algorithms to prevent impersonation of users and domains. When a sending domain or sender appears to have malicious intent, Anti-phishing prevents delivery of the e-mail or applies the action an administrator configured for suspicious e-mail. So if your company is called thalpius.com and you receive an e-mail from thallpius.com (note the double L), the e-mail is marked as suspicious, especially when other indicators also point to spam. Indicators can be as simple as a sender's display name matching the name of an internal user, the signature used in the e-mail, text in the body, and so on.

Zero-hour Auto Purge

Even with all these countermeasures in place, more advanced attackers will eventually get an e-mail delivered to a mailbox. When this happens, Explorer is the tool for hunting manually, but there is an automated mechanism as well, called Zero-hour Auto Purge (ZAP). ZAP retroactively detects and neutralizes (e.g. by moving to quarantine or deleting) malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. If Microsoft identifies an already-delivered e-mail as malicious, ZAP removes it from every Exchange Online mailbox in the tenant that received it.

Attack Simulator

At the beginning of this blog post, I mentioned that the "security awareness of your employees is critical." Microsoft recognizes this as well and created a feature called the Attack Simulator. Attack Simulator contains four simulated attacks that you can use to raise user awareness within your tenant: Spear Phishing (Credentials Harvest), Spear Phishing (Attachment), Brute Force Password (Dictionary Attack), and Password Spray Attack.

Licensing

Microsoft Office 365 ATP is a separate license, but it is also included in other license plans. There are two different licenses: Plan 1 and Plan 2. Microsoft Office 365 ATP Plan 2 includes everything in Plan 1 and adds Threat Trackers, Explorer (advanced threat investigation), Automated investigation and response, and the Attack Simulator.

Microsoft Office 365 ATP Plan 1 comes with the following license plan: Microsoft 365 Business Premium.

Microsoft Office 365 ATP Plan 2 comes with the following license plans: Office 365 E5, Office 365 A5, Microsoft 365 E5, and Microsoft 365 E5 Security.

Microsoft Defender ATP

Gartner named Microsoft a Leader in its Magic Quadrant for Endpoint Protection Platforms in 2019, and looking at Microsoft Defender Advanced Threat Protection (ATP) today, the product has evolved even further. Most people recognize the name Microsoft Defender but do not know the ATP part. That is because Microsoft Defender ATP is focused on the business market, whereas Microsoft Defender is focused on the consumer market. This article explains the differences between the two and takes a more in-depth look at Microsoft Defender ATP.

Microsoft Defender vs Microsoft Defender ATP

Two Microsoft products protect your device from malware: Microsoft Defender and Microsoft Defender ATP. Microsoft Defender is an antivirus solution, whereas Microsoft Defender ATP is a paid Endpoint Detection and Response (EDR) solution. An antivirus solution protects the device against known malware; an EDR solution does that too, but it also records and analyzes the behavior of the processes on the device. This way, an EDR solution can detect and stop an attack even when the tooling used is not yet known to be malicious.

Microsoft recently changed the name Windows Defender ATP to Microsoft Defender ATP because of the many platforms it now supports: Windows, macOS, Linux, Android (private preview), and iOS (public preview).

Microsoft Defender is a stand-alone antivirus solution for consumers without central management, whereas Microsoft Defender ATP is an endpoint-protection platform for organizations. Microsoft Defender ATP is a cloud-based solution with a dashboard that gives a clear overview of the health of the devices within your organization.

Microsoft Defender ATP Dashboard

Even though Microsoft Defender and Microsoft Defender ATP are two different products, they complement each other. You can run a non-Microsoft antivirus solution alongside Microsoft Defender ATP, but there are many advantages to running Microsoft Defender and Microsoft Defender ATP together. Microsoft Defender ATP has many benefits; I will highlight the most important ones.

Microsoft Defender ATP

Microsoft Defender ATP integrates with other Microsoft security products, such as Microsoft Cloud App Security (MCAS), Microsoft Intune, Azure Information Protection, Azure ATP, Office 365 ATP, and Microsoft Threat Protection (MTP). The integration is used for data correlation, so that an event can be evaluated more quickly and more accurately. If you use the full Microsoft stack and configure it correctly, the bar for an attacker to go unnoticed rises considerably.

Microsoft Defender ATP is one of the best EDR solutions out there, and third-party sources can be used as additional input for data correlation to improve the evaluation of whether something is malicious.

Threat & Vulnerability Management

Threat & Vulnerability Management (TVM) is a built-in capability of Microsoft Defender ATP that uses a risk-based approach to discover, prioritize, and remediate endpoint vulnerabilities and misconfigurations. Microsoft Defender ATP maintains a software inventory per device and evaluates whether the installed software is out of support or contains known vulnerabilities. Microsoft also recommends security mitigations based on what it detects on the endpoint; enabled legacy protocols, for example, show up as security recommendations.

Incident Response

When an incident occurs, you can start an antivirus scan from the portal, restrict app execution so that only Microsoft-signed code can run, or isolate the device from the network entirely. While a device is isolated, the only communication allowed is between the device and the Microsoft Defender ATP service, so you can still investigate the incident and take mitigation steps. Automated investigation and remediation takes this a step further and applies the mitigation steps recommended by Microsoft. The remediation actions can be approved manually or automatically to stop an attack as soon as possible.

Incident Graph

My favorite feature of Microsoft Defender ATP is the incident graph. The incident graph is an interactive view that tells the story of an attack in a single overview.

Microsoft Defender ATP Incident Graph

Threat Experts

There is an option to consult a Microsoft threat expert if you need help. Threat Experts can help when your organization faces an urgent threat that needs to be analyzed; the expert helps investigate the root cause or scope of the incident. Once enabled in the advanced features options, a 30-day trial starts. If your organization wants permanent threat expert support, you need to have at least 10,000 seats.

Licensing

Microsoft Defender ATP is a separate license, but it is also included in other license plans: Windows 10 Enterprise E5, Microsoft 365 E5, and Microsoft 365 E5 Security.

Microsoft Defender ATP Licenses

Conclusion

Microsoft Defender ATP is one of the best, if not the best, Endpoint Detection and Response (EDR) solutions out there, and it is more than an EDR solution. Microsoft Defender ATP detects outdated software and vulnerabilities, responds to threats automatically, and integrates with other Microsoft products, which increases security through data correlation.

For more information about Microsoft Defender ATP, check this link.

Microsoft PrintDemon vulnerability

PrintDemon (CVE-2020-1048) is a vulnerability in the Windows Print Spooler that can be used to escalate privileges, bypass Endpoint Detection & Response (EDR), and gain persistence. The Print Spooler has a long history of vulnerabilities, including the one (CVE-2010-2729) used by the well-known Stuxnet worm in 2010.

A printer is associated with two attributes: a printer port and a printer driver. The port does not have to be a physical device; a file path works too (the built-in PORTPROMPT: port, for example, prompts for a file name), so printing to such a printer writes the print job to a file. Before the patch, the PowerShell command 'Add-PrinterPort' did not check whether the user has permission to write to the location given as the port, so a low-privileged user was free to set any location as the printer port. When you print to the printer, the spooler writes the job to that file. If the user does not have write permission to the location, the print job fails and stays queued. When the spooler service restarts, the queued job is processed by the spooler itself with SYSTEM privileges, and the file is dropped with those privileges. Since SYSTEM is a high-privileged account, a low-privileged user can drop a file anywhere on the system, hence privilege escalation.

There was one problem, however. When you print a string to the printer, some markup bytes appear at the beginning of the file, because the spooler treats the data as a print job rather than as a raw file. Since the first few bytes of a file are its signature (magic bytes), they cannot be touched if the file is to be executed in the usual way.

PowerShell commands used during the attack

I wanted to check whether I was able to write a valid executable file to disk without any markup bytes at the beginning of the file. The script linked below creates a printer with a malicious printer port and writes a byte array to the newly created printer. This way, it is possible to drop a valid binary on disk as SYSTEM once the spooler service restarts, so attacks like DLL hijacking become possible for a low-privileged user using the PrintDemon bug. Microsoft released a patch last week. After installing the patch, the system checks whether the user has permission to write to the location you set as the port before the port is created. Unfortunately, the patch only prevents creating new malicious ports; malicious ports created before the patch still work.
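That last point is the practical take-away for defenders: patching stops new ports from being created but removes nothing that is already there. The following is an added example, not part of the original post or its linked scripts: a PowerShell hunt for Local Ports whose name is a file path, the printers bound to them, and any jobs still queued on those printers (the payload waiting for the next spooler restart). The port-name pattern and the assumption that no legitimate port in your estate looks like a path are mine; run it elevated on the host being examined.

```powershell
# Added example, not from the original post: hunt for the artifact a PrintDemon-style attack leaves
# behind. A Local Port whose name is a drive-letter or UNC path makes every job printed to it land in
# that file; jobs still queued on such a printer are retried as SYSTEM when the spooler restarts.
# The path pattern is an assumption; tune it if your environment has legitimate path-named ports.
Import-Module PrintManagement

function Get-SuspiciousPrinterPort {
    # Legitimate Local Ports look like LPT1:, COM1:, FILE:, nul: or PORTPROMPT:.
    $pathLike = '^([A-Za-z]:\\|\\\\)'
    # The spooler persists local ports as value names under this key; cross-check it so a port that
    # predates the patch, or survived a partial cleanup, is still reported.
    $regKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'
    $regPorts = (Get-Item -LiteralPath $regKey).GetValueNames()

    Get-PrinterPort |
        Where-Object { $_.PortMonitor -eq 'Local Port' -and $_.Name -match $pathLike } |
        ForEach-Object {
            $port  = $_
            $bound = @(Get-Printer | Where-Object PortName -eq $port.Name)
            [pscustomobject]@{
                PortName     = $port.Name
                InRegistry   = $regPorts -contains $port.Name
                Printers     = ($bound | ForEach-Object Name) -join ', '
                # True once the job has been written: the dropped file already exists at the target.
                TargetExists = [bool](Test-Path -LiteralPath $port.Name -ErrorAction SilentlyContinue)
                # Jobs still queued on the bound printers are the payload waiting for a spooler restart.
                QueuedJobs   = @($bound | ForEach-Object { Get-PrintJob -PrinterName $_.Name }).Count
            }
        }
}

Get-SuspiciousPrinterPort | Format-Table -AutoSize
```

Anything this returns deserves a look at the target path and at who created the port (the printer and port objects themselves carry no owner, so the spooler's operational log or EDR process telemetry for Add-PrinterPort is the place to find that). Clean-up has to follow the dependency order the spooler enforces: Remove-PrintJob for the queued jobs, Remove-Printer for the bound printers, and only then Remove-PrinterPort, since a port still in use cannot be deleted.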

The C# code can be found here and the PowerShell code can be found here.

Microsoft PowerShell Unhide

PowerShell supports the command line parameter "WindowStyle", as shown below. The parameter sets the window style for that session. Valid values are Normal, Minimized, Maximized, and Hidden.

PowerShell[.exe]
    [-PSConsoleFile <file> | -Version <version>]
    [-NoLogo]
    [-NoExit]
    [-Sta]
    [-Mta]
    [-NoProfile]
    [-NonInteractive]
    [-InputFormat {Text | XML}]
    [-OutputFormat {Text | XML}]
    [-WindowStyle <style>]
    [-EncodedCommand <Base64EncodedCommand>]
    [-ConfigurationName <string>]
    [-File - | <filePath> <args>]
    [-ExecutionPolicy <ExecutionPolicy>]
    [-Command - | { <script-block> [-args <arg-array>] }
                | { <string> [<CommandParameters>] } ]

Most malicious PowerShell scripts start PowerShell with the window style "Hidden". When the process starts with WindowStyle Hidden, no PowerShell console window is displayed, so it runs unnoticed by the logged-in user. I created a script to unhide all PowerShell processes. This script can be used during a CERT incident when you want to unhide all PowerShell consoles to see what commands are running.

WindowStyle Hidden and unhide PowerShell
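The following is an added example, not the author's script linked below: a PowerShell function that finds PowerShell processes whose console window is hidden and shows it again. Because .NET reports MainWindowHandle as 0 for a hidden window, the example walks the window list with EnumWindows through a small P/Invoke helper and matches windows to process IDs; the process names it looks for and the use of Win32_Process for the command line are assumptions that fit Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example, not from the original post: unhide PowerShell consoles started with -WindowStyle Hidden.
# Process.MainWindowHandle is 0 for hidden windows, so enumerate all top-level windows instead and
# match them to the owning process ID.
Add-Type -TypeDefinition @"
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
public static class HiddenWindows {
    delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")] static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll")] static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
    public const int SW_SHOW = 5;   // the state -WindowStyle Normal corresponds to

    // Top-level windows owned by targetPid that are currently not visible.
    public static List<IntPtr> OfProcess(uint targetPid) {
        var found = new List<IntPtr>();
        EnumWindows((h, l) => {
            uint pid; GetWindowThreadProcessId(h, out pid);
            if (pid == targetPid && !IsWindowVisible(h)) found.Add(h);
            return true;
        }, IntPtr.Zero);
        return found;
    }
}
"@

function Show-HiddenPowerShell {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Windows PowerShell and PowerShell 7 hosts; skip the shell this function runs in.
    $targets = Get-Process -Name powershell, pwsh -ErrorAction SilentlyContinue | Where-Object Id -ne $PID
    foreach ($proc in $targets) {
        # Command line via WMI/CIM so this also works on Windows PowerShell 5.1 (no Process.CommandLine).
        $cmdLine = (Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)").CommandLine
        foreach ($hWnd in [HiddenWindows]::OfProcess([uint32]$proc.Id)) {
            if ($PSCmdlet.ShouldProcess("PID $($proc.Id)", 'Show hidden console window')) {
                [void][HiddenWindows]::ShowWindow($hWnd, [HiddenWindows]::SW_SHOW)
            }
            [pscustomobject]@{
                ProcessId   = $proc.Id
                Window      = '0x{0:X}' -f $hWnd.ToInt64()
                CommandLine = $cmdLine
            }
        }
    }
}

Show-HiddenPowerShell | Format-Table -AutoSize     # add -WhatIf to list without unhiding
```

Two caveats when using this during an incident. A console window belongs to the console, not to a single process: a PowerShell started as cmd.exe /c powershell -WindowStyle Hidden shares (and hides) the console of cmd.exe, and Windows reports that window under the process that created the console, so widen the process filter if nothing shows up. And making the window visible does not change the process; the command line and the script block logging in the PowerShell event log are what actually tell you what it is doing.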

The PowerShell script can be found here.