
Windows Defender ATP Step by Step for Anyone

Deploy, Simulate and Analyze Advanced Attack
Table of Contents
1 Some Thoughts & Me ..... 3
2 Data, Post-Breaches & EDR ..... 4
  2.1 Data Breach ..... 4
  2.2 Kill Chain Scenario ..... 5
  2.3 Cyber Attack Phases ..... 6
  2.4 Privileged identity ..... 6
  2.5 Post Breach ..... 6
  2.6 What is Endpoint Detection and Response (EDR) ..... 7
3 What is Windows Defender Advanced Threat Protection ..... 7
  3.1 Post-Breaches and Windows Defender Advanced Threat Protection ..... 7
  3.2 The role of Windows Defender ATP ..... 8
4 Advanced Attack Simulation ..... 10
  4.1 Ways to Attack ..... 10
5 Environment Setup ..... 12
  5.1 Cloud, Endpoint & Objects ..... 12
    5.1.1 Cloud & Endpoints ..... 12
    5.1.2 Objects & Permissions ..... 12
    5.1.3 Network and Internet ..... 12
6 Deploy Windows Defender Advanced Threat Protection ..... 13
  6.1 Windows Defender ATP Setup Process ..... 13
  6.2 Onboarding Windows 10 ..... 15
    6.2.1 Requirements ..... 15
    6.2.2 Local Script ..... 15
    6.2.3 Configuration Manager ..... 15
9 Attack Simulation Scenario ..... 17
  9.1 Crafted Macro Code ..... 17
    9.1.1 Run the Attack ..... 17
    9.1.2 Analyze the Attack ..... 17
  9.2 Credential Stealing (Mimikatz) ..... 22
    9.2.1 Run mimikatz ..... 22
    9.2.2 Analyze the Attack (Pivoting the event) ..... 23
1 Some Thoughts & Me
When I started scribbling technical notes a few years ago, on unknown blogs called http://eshlomo.us and
http://blogs.microsoft.co.il/eshlomo9/, I never anticipated that a few years later they would have been viewed over a
million times.

In the past and now, I would like to thank my followers for their comments and praise. As technology has changed
with digital transformation, so have I and my blogs, and the topics have changed too; I try to focus the articles on what my
followers are interested in.

The following book brings with it the theory, the practice and plenty of tips from the field that allow you to deploy and
work day by day with Defender ATP.

About me: in my current position, I lead cybersecurity at U-BTech Solution LTD, which means planning, investigating
breach events and implementing various security technologies. I also teach and lecture on security on a weekly basis.
In the field it means focusing on technologies such as Defender ATP, ATA, AIP, EMS, SSO etc.

In the past, and sometimes even today, I advise on Skype for Business, Azure and Office 365.

This document is for informational purposes only. Eli Shlomo MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR
STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This document is provided “as-is.” Information
and views expressed in this document, including URL and other Internet website references, may change
without notice. You bear the risk of using it.
2 Data, Post-Breaches & EDR
2.1 Data Breach
A data breach is an incident in which information is stolen and taken from a company without the knowledge of the
system owner. Victims of data breaches can be anyone from small companies to large enterprises. The data stolen is
typically sensitive, proprietary or confidential in nature. The damage created by such incidents often presents itself as a
loss of the target company’s reputation with its customers, due to a perceived ‘betrayal of trust’. The damage may also
involve the company’s finances, as well as those of its customers, should financial records be part of the information
stolen.

At a high level, a typical data breach occurs in the following phases:

• Researcher - The attacker picks a target and looks for weaknesses to exploit. The target can be the end user, its
systems or other resources on the network. This entails long hours of research on the attacker’s part, and may involve
stalking end users’ social networking profiles to find out what sort of infrastructure the company has.
• Attacker - Having scoped out the target’s weaknesses, the attacker makes initial contact through either a network-based
attack or a social attack. In a network attack, the attacker uses weaknesses in the target’s infrastructure to get into its
network. These weaknesses may include SQL injection, vulnerability exploitation, session hijacking, etc.
• Exfiltration – Once inside the network, the attacker is free to extract data from the company. This data may be used
for either blackmail or black propaganda. It may also give the attacker enough data for a more damaging attack on the
infrastructure as well.
2.2 Kill Chain Scenario
We can take the data breach to a deeper level with the kill chain process, which describes how a data breach occurs
phase by phase.

A Cyber Kill Chain describes the typical workflow, including techniques, tactics and procedures, that are used by
attackers to infiltrate an organization’s networks and systems. The initial attack typically includes: external
reconnaissance; use of a compromised machine; internal reconnaissance and lateral movement; domain dominance;
and data consolidation and exfiltration.

• External recon – During this stage, the attacker typically searches publicly available sources to identify as much
information as possible about their target. This will include information about the target’s IP address range,
business operations and supply chain, employees, executives, and technology utilized.
• Compromised machine – Attackers continue to use socially engineered attacks to gain an initial foothold on their
victim’s network. Why? Because these attacks, especially if targeted and based on good intelligence, have an
extremely high rate of success.
• Internal Recon and Lateral Movement – Now that the attacker has a foothold within the organization’s network,
he or she will begin gathering information not previously available externally. This will include performing host
discovery scans, mapping internal networks and systems, and attempting to mount network shares.
• Domain Dominance – At this stage, the attacker will attempt to elevate their level of access to a more trusted
status within the network. The attacker’s goal is to access your data, and the privileged credentials of a domain
administrator offer many ways to reach your valuable data stores.
• Data Consolidation and Exfiltration – Now that the attacker has access to the valuable data within the
organization’s systems, he or she must consolidate it, package it up, and send it out of the network without
being detected or blocked.
2.3 Cyber Attack Phases
Advanced cyber-attacks can now nest inside a network for more than 200 days on average before being discovered.

As with any ambitious endeavor, a successful cyber-attack requires careful planning and precise execution. One thing
that effective hacks have in common is the ability to remain covert – right up until the moment the time is right and
the attackers strike. While the precise methods of attack vary, they are usually implemented using a series of similar
steps.

When attackers breach a network to steal data and confidential information, they usually follow a similar approach. This
approach defines 10 distinct steps that attackers tend to follow in each breach:

1. Gaining entry, generally through a spear phishing attack.
2. Installing custom malware.
3. Establishing command and control channels and downloading additional malware.
4. Creating additional backdoors to maintain access.
5. Obtaining account names and passwords from the domain controller.
6. Cracking the passwords to access legitimate user accounts.
7. Performing reconnaissance and gathering additional data.
8. Sending data to a staging server.
9. Exfiltrating data from the staging server.
10. Covering up evidence of the attack.

2.4 Privileged identity

Almost every network is vulnerable to cyber-attack. 97% of organizations have already been breached at least once, and
perimeter security tools, like next generation firewalls, offer little real protection against advanced, targeted attacks.

The key to blocking a cyber-attack is controlling privileged access. Each step beyond number three in the process
described above requires privileged credentials to succeed.

Privileged identity management can automatically discover privileged accounts throughout the network, bring those
accounts under management, and audit access to them. Each privileged credential is updated continuously. This negates
the damage inflicted by advanced cyber-attacks, because even if an intruder compromises a credential, it cannot be
leveraged to leapfrog between systems and extract data.

If you can control privileged access, a cyber-attack can be significantly mitigated. Otherwise, study the damage done to
Target, Sony Pictures and others – and prepare your crisis management team accordingly.

2.5 Post Breach

What is the difference between a data breach and post breach?

Post breach describes the last stage in the process of an organizational compromise: the stage where the attacker takes
data out of the organization, moves between the organization's sensitive information and attempts to reach other
enterprise systems such as Active Directory.

In cases where the attacker has managed to pass all the protection systems, the only way to identify the actions he
performs is with a post-breach system.
2.6 What is Endpoint Detection and Response (EDR)
Endpoint Detection and Response (EDR) is an emerging technology. The term defines a category of tools and solutions
that focus on detecting, investigating, and mitigating suspicious activities and issues on hosts and endpoints. Originally
dubbed Endpoint Threat Detection and Response (ETDR), the term is now more commonly referred to as Endpoint
Detection and Response (EDR).

Advanced persistent threats and customized targeted malware attack toolkits are intentionally bypassing traditional
signature-based antivirus solutions. Endpoint detection and response solutions supplement traditional signature-based
technologies for richer behavior-based anomaly detection and visibility across endpoints.

Endpoint detection and response tools offer greater visibility into endpoint data that’s relevant for detecting and
mitigating advanced threats, limiting sensitive data loss, and reducing the risk of devastating data breaches occurring on
endpoints. Endpoint detection and response tools are complementary to a variety of other security measures and
solutions as well, including data loss prevention (DLP) solutions, security information and event management (SIEM),
network forensics tools (NFT), and advanced threat defense (ATD) appliances.

3 What is Windows Defender Advanced Threat Protection


Windows Defender Advanced Threat Protection is a new service that helps our enterprise customers to detect,
investigate, and respond to advanced and targeted attacks on their networks.

Windows 10 is the most secure enterprise platform today, but cyberattacks are getting more sophisticated as they are
using social engineering, zero-day vulnerabilities, or even misconfiguration to break into corporate networks. Thousands
of such attacks were reported in 2015 alone.

3.1 Post-Breaches and Windows Defender Advanced Threat Protection


Today we live in a world where we need to assume that breaches are inevitable, and we need to be able to quickly
detect and respond to them to lessen their impact. Microsoft developed Windows Defender Advanced Threat Protection
(ATP), a cloud-based service, that uses the power of machine learning, big data, and security analytics to help us, and
our enterprise customers, detect, investigate, and respond to advanced and targeted attacks on our networks.

We enabled Windows Defender ATP, built into the release of Windows 10 Anniversary Update, to help us improve
endpoint visibility and threat detection against ever increasingly sophisticated attacks. It has improved our ability to
respond without the need to build costly, on-premises solutions. We’ve quickly realized many benefits in adopting
Windows Defender ATP and its cloud-based security services. These benefits include:

• It’s easy to deploy and manage - Windows Defender ATP uses a built-in agent in Windows 10 that makes it easy
to onboard employee devices, or endpoints; it requires no on-premises infrastructure.
• It has improved connectivity - Windows Defender ATP is an always-on service for our always-connected devices.
• It’s scalable - We’ve onboarded data from more than 500,000 devices, and the Windows Defender ATP service
grows as our needs grow.
• It gives us precision alerting - Windows Defender ATP provides intelligent, actionable alerts fueled by Microsoft
security experts.
• It gives us the ability to perform faster triage - Windows Defender ATP enables rapid host triage and provides a
deep event timeline for investigations.
• It’s more efficient - Windows Defender ATP enables focused response and enterprise threat containment.
3.2 The role of Windows Defender ATP
Windows Defender ATP focuses on sophisticated cyberattacks that originate from advanced adversaries. When a breach
is detected, Windows Defender ATP provides a level of insight that we didn’t have before. We have visibility into the
breach, detailed information about the scope of the breach, and correlative information that can help us identify what
kind of advanced attack it is, and how it will behave. That additional insight helps us quickly determine the best way to
respond to new and increasingly advanced threats.

There are several technologies built into and for Windows that “harden” features and provide device identity and
information protection, and some level of threat resistance. Windows Defender, or other traditional antivirus, works to
provide additional threat resistance by recognizing most incoming threats. Windows Defender ATP was designed to
work with those technologies, not replace them. Windows Defender helps prevent threats; Windows Defender ATP
monitors the environment and looks for anomalous behavior that points to a breach. It provides better visibility into
advanced threats to our enterprise network and known attacker behaviors. With Windows Defender ATP, we can use
analytics and machine learning, surfaced through alerts, to identify possible security breaches in context.

Post-breach detection of active attacks: ATP provides actionable, correlated, real-time and historical detections of both
known and currently unknown adversaries, based on extensive behavioral security analytics that hunt for never-before-seen
attackers hiding in the noise, and on deep intelligence about attackers and their tools and techniques (threat intel).

Building on the existing pre-breach security defenses built into Windows 10, we have released a new service, Windows
Defender Advanced Threat Protection (ATP), which provides a post-breach layer of protection.

Windows Defender Advanced Threat Protection is a security service that enables enterprise customers to detect,
investigate, and respond to advanced threats on their networks.

Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust
cloud service:

• Endpoint behavioral sensors - Embedded in Windows 10, these sensors collect and process behavioral signals
from the operating system (such as process, registry, file and network communications) and send this sensor
data to your private, isolated cloud instance of Windows Defender ATP.
• Cloud security analytics - Leveraging big data, machine learning and unique Microsoft optics across the
Windows ecosystem, such as the Microsoft Malicious Software Removal Tool, enterprise cloud products and
online assets, behavioral signals are translated into insights, detections and recommended responses to
advanced threats.
• Threat intelligence - Generated by Microsoft hunters and security teams, and augmented by threat intelligence
provided by partners, threat intelligence enables Windows Defender ATP to identify attacker tools, techniques
and procedures, and generate alerts when these are observed in collected sensor data.

The following diagram shows these Windows Defender ATP service components:

Endpoint investigation capabilities in this service let you drill down into security alerts and understand the scope and
nature of a potential breach. You can submit files for deep analysis and receive the results without leaving the Windows
Defender ATP portal.

Windows Defender ATP works with existing Windows security technologies on endpoints, such as Windows Defender,
AppLocker, and Device Guard. It can also work side-by-side with third-party security solutions and antimalware
products.
4 Advanced Attack Simulation
The common approach offered by a standard penetration test just won’t deliver results in these well-defended
organizations. Commodity vulnerability assessment tools, or off-the-shelf attacks and exploits, are just not going to be
effective. Success requires an advanced attack, as these organizations are protected against any common approach that
would normally be conducted. A penetration test over a two-to-three-week period does not adequately allow for this to
occur. On the other hand, the cost of conducting a multi-month focused assessment isn’t part of many organizations’
budgets. This is where Offensive Security shines.

A real attacker is not subject to an artificial time limitation when it comes to building an effective assault against your
organization. Obviously, an unlimited timetable is not something that is realistic as a service, but we have found
effective methods of shortcutting this process.

It’s a given that custom attacks are required in this sort of protected environment, and the most important ingredient
for building a custom attack is information. Paying an assessment team to collect information that you are already in
possession of is neither efficient nor cost effective. We bypass this by sitting down with your team and have you teach
us about your company and systems. As you are the most knowledgeable party on the subject, we depend on your
expertise to walk us through your environment in an interactive manner.

This process alone can save you months of effort and cost.

Using the information that we are provided, we go back to our labs to create a simulation of the target environment,
modeling the potential attack points that we have identified. We spend a period developing custom attacks that are
modeled to be specific to your organization. The unique combination of software in use and the workflow that is
put in place always creates targets of opportunity that are overlooked or not practical to attack using traditional
methods.

After we have a series of attacks constructed we start the active phase of the assessment. Here we put the new attacks
to work, modifying them where needed based on differences encountered in the real world compared to the labs. At
this point, Offensive Security can actively simulate a determined attacker that has specifically targeted your organization
in a manner that would not otherwise be possible without spending many months on the project.

4.1 Types of Attacks


There are many ways an attacker can gain access to the endpoint, or even gain access to Active Directory from that
foothold. This guide describes some of the more popular ones in current use. The techniques described here assume a
breach where an attacker already has a foothold on an internal system and has gained access to user credentials.

The unfortunate reality for most enterprises is that it often does not take long for an attacker to go from domain user
to domain admin. The question on defenders’ minds is “how does this happen?”.

The attack frequently starts with a spear-phishing email to one or more users enabling the attacker to get their code
running on a computer inside the target network. Once the attacker has their code running inside the enterprise, the
first step is performing reconnaissance to discover useful resources to escalate permissions, persist, and of course,
plunder information (often the “crown jewels” of an organization).

While the overall process detail varies, the overall theme remains:

• Malware Injection (Spear-Phish, Web Exploits, etc.)
• Reconnaissance (Internal)
• Credential Theft
• Exploitation & Privilege Escalation
• Data Access & Exfiltration
• Persistence (retaining access)

We start with the attacker having a foothold inside the enterprise, since this is often not difficult in modern networks.
Furthermore, it is also typically not difficult for the attacker to escalate from having user rights on the machine to having
local administrator rights. This escalation can occur either by exploiting an unpatched privilege escalation vulnerability
on the system or, more frequently, by finding local admin passwords in SYSVOL, such as in Group Policy Preferences.
5 Environment Setup
5.1 Cloud, Endpoint & Objects
The Windows Defender ATP environment is built in the cloud, and the endpoints connect to this service. To
configure and manage Defender ATP we must have the following.

5.1.1 Cloud & Endpoints


Resource                    Operating System            Note
Tenant with Defender ATP    -                           Based on Cloud
WDATP-DC01                  Windows Server 2012 R2      -
WDATP-PC01 (Victim)         Windows 10, version 1607    -
WDATP-PC01 (Victim)         Windows 10, version 1607    -

5.1.2 Objects & Permissions


Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). You can assign users
one of the following levels of permissions:

• Full access - Users with full access can log in, view all system information and resolve alerts, submit files for deep
analysis, and download the onboarding package. Assigning full access rights requires adding the users to the
“Security Administrator” or “Global Administrator” AAD built-in roles.
• Read only access - Users with read only access can log in, view all alerts, and related information. They will not
be able to change alert states, submit files for deep analysis or perform any state changing operations. Assigning
read only access rights requires adding the users to the “Security Reader” AAD built-in role.

5.1.3 Network and Internet


• Internet connectivity on endpoints is required
• Telemetry must be enabled
• The diagnostics service must be enabled
• If there is a proxy, it must be configured

*SENSE (the behavioral sensor) can use up to 5MB of bandwidth daily to communicate with the Windows Defender ATP
cloud service and report cyber data.

Endpoints in your organization must be configured so that the Windows Defender ATP service can get sensor data from
them. There are various methods and deployment tools that you can use to configure the endpoints in your
organization.
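
The following PowerShell function is an added example, not code from the book or from Microsoft, that checks the requirements listed above on a Windows 10 endpoint before onboarding: the OS build, the diagnostics service, the telemetry level and the WinHTTP proxy, plus outbound HTTPS reachability. The cloud hostname to test is a parameter you supply from Microsoft's published list of Defender ATP service URLs, and the AllowTelemetry registry locations are assumed to be the standard DataCollection policy keys.

```powershell
# Added example (not the book's or Microsoft's code): pre-onboarding readiness check for a
# Windows 10 endpoint against the requirements in section 5.1.3. Run from an elevated
# PowerShell session. Assumptions: AllowTelemetry is read from the standard DataCollection
# policy keys, and the cloud hostname to test is supplied by the caller.
function Test-WdatpPrerequisites {
    [CmdletBinding()]
    param(
        # Hostname of a Defender ATP cloud endpoint to reach over TCP 443. Take it from
        # Microsoft's published service URL list; no default is assumed here.
        [Parameter(Mandatory = $true)]
        [string]$ServiceHost
    )

    $r = [ordered]@{}

    # Windows 10 version 1607 is build 14393; earlier builds do not ship the sensor.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $r['OsBuild']     = $build
    $r['OsSupported'] = ($build -ge 14393)

    # Diagnostics service: DiagTrack ("Connected User Experiences and Telemetry") must be
    # running, because the sensor reports through the same telemetry channel.
    $diag = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue
    $r['DiagTrackRunning']   = ($null -ne $diag -and $diag.Status -eq 'Running')
    $r['DiagTrackStartType'] = if ($diag) { [string]$diag.StartType } else { 'Missing' }

    # Telemetry level: a value of 0 (Security) keeps sensor data on the machine. The
    # policy key overrides the user-selected setting, so it is checked first.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
    )
    $level = $null
    foreach ($k in $keys) {
        $v = Get-ItemProperty -Path $k -Name AllowTelemetry -ErrorAction SilentlyContinue
        if ($null -ne $v) { $level = [int]$v.AllowTelemetry; break }
    }
    $r['TelemetryLevel'] = if ($null -eq $level) { 'not set (OS default)' } else { $level }
    $r['TelemetryOk']    = ($null -eq $level -or $level -ge 1)

    # Proxy: the sensor uses the system WinHTTP proxy, not the user's Internet Options
    # proxy, so a proxy configured only in the browser is not honoured.
    $proxyText = (& netsh winhttp show proxy) -join ' '
    $proxyText = ($proxyText -replace '\s+', ' ').Trim()
    $r['WinHttpProxy'] = if ($proxyText -match 'Direct access') { 'Direct (no proxy)' } else { $proxyText }

    # Outbound HTTPS reachability to the cloud service.
    $tnc = Test-NetConnection -ComputerName $ServiceHost -Port 443 -WarningAction SilentlyContinue
    $r['CloudReachable'] = [bool]$tnc.TcpTestSucceeded

    $r['Ready'] = ($r['OsSupported'] -and $r['DiagTrackRunning'] -and $r['TelemetryOk'] -and $r['CloudReachable'])
    return [pscustomobject]$r
}

# Usage; the hostname is a placeholder to replace with a real Defender ATP service URL:
# Test-WdatpPrerequisites -ServiceHost 'REPLACE-WITH-SERVICE-HOST' | Format-List
```

A machine that reports Ready = False on TelemetryOk or DiagTrackRunning will accept the onboarding package but never show up in the portal, so run this before deploying the package rather than after.
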
6 Deploy Windows Defender Advanced Threat Protection
6.1 Windows Defender ATP Setup Process
The process of activating and configuring Windows Defender Advanced Threat Protection in the cloud is very short and
simple, and takes less than half an hour including the first registration.

Some settings need attention during the initial definition only: after the initial setup it is not possible to change
them. These settings are at TENANT level.

Once you get the activation email you can add it to your existing tenant or sign up with a new one.
(In this scenario, we’re adding to an existing tenant.)

Note: make sure, when the storage location will be saved.

Once the activation process is complete, we can connect endpoints to Defender ATP with the onboarding process.
Onboard endpoints in your organization to Windows Defender ATP by downloading the onboarding configuration
package, which is available for a range of deployment tools.

You can select the onboarding process relevant for your organization, which includes SCCM, Intune and a local script.
Once you have completed the onboarding process on the machine, we can start with the attack simulation.

6.2 Onboarding Windows 10


6.2.1 Requirements
Before you can enable support for managing Windows Defender ATP policies for Windows 10 devices with
Configuration Manager, you’ll need to have the following requirements fulfilled:

• Configuration Manager 1606 installed and the Windows Defender ATP feature enabled
• Windows 10 devices running version 1607 or later

6.2.2 Local Script


Windows 10 devices require an onboarding package for deploying Windows Defender ATP configuration settings. This
package is created in the Windows Defender ATP portal, and is later referenced in the policy deployed through
Configuration Manager to your endpoints (also referred to as your Windows 10 devices).

1. Log in to the Windows Defender ATP portal.
2. From the portal choose Endpoint Management, select System Center Configuration Manager (current branch) version
1606 or later and select Download package.
3. The WindowsDefenderATPOnboardingPackage.zip file download should now begin.
4. Extract the WindowsDefenderATP.onboarding file from the ZIP file and save it on your Primary Site server in a suitable
location.

6.2.3 Configuration Manager


With the onboarding package downloaded and extracted, we can go ahead and create a Windows Defender ATP Policy
in Configuration Manager, referencing this onboarding package, and deploy it to our Windows 10 devices.

7 Configure endpoints using Configuration Manager

The first configuration method that I would like to show is using Configuration Manager, by creating and deploying
a Windows Defender ATP Policy. By adding and deploying a client onboarding configuration file, via the Windows
Defender ATP Policy, Configuration Manager can monitor the deployment status and the Defender ATP agent health.
Windows Defender ATP is only supported on Windows 10 devices, version 1607 and later, running the Configuration
Manager client. On-premises mobile device management and Microsoft Intune hybrid MDM-managed computers are
not supported. The following 7 steps show how to create the Windows Defender ATP Policy. After that, simply deploy
the created policy.

1. Open the Configuration Manager administration console and navigate to Assets and Compliance > Overview >
Endpoint Protection > Windows Defender ATP Policies;
2. On the Home tab, in the Create group, click Create Windows Defender ATP Policy to open the Create Windows
Defender ATP Policy Wizard;
3. On the General page, provide the following information and click Next;
   • Name: Provide a unique name for the Windows Defender ATP policy;
   • Description: (Optional) Provide a description of the Windows Defender ATP policy;
   • Select Onboarding – Add devices to the online service and start sending threat data for analysis.
4. On the Configuration File page, browse to the WindowsDefenderATP.onboarding file that is available in the
downloaded WindowsDefenderATPOnboardingPackage.zip file and click Next;
5. On the Agent Configuration page, select, depending on the requirements, None or All the file types and click Next;
6. On the Summary page, click Next;
7. On the Completion page, click Close.

8 Configure endpoints using Microsoft Intune

The second configuration method that I would like to show is using Microsoft Intune hybrid and Microsoft Intune
standalone, Windows Defender ATP supports Microsoft Intune by providing OMA-URI settings to create policies to
manage endpoints. To achieve this the following OMA-URI configuration can be used:

• OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding
• Data type: String
• Value: the content of the WindowsDefenderATP.onboarding file that is available in the downloaded
WindowsDefenderATPOnboardingPackage.zip file

Just to make sure this is absolutely clear: the value of the OMA-URI setting is literally a copy-paste of the content of the
WindowsDefenderATP.onboarding file. The blob is specific to your tenant, so paste it unmodified. The same setting works in
Microsoft Intune hybrid and in Microsoft Intune standalone.
9 Attack Simulation Scenario
In our lab we simulate a few advanced attacks on the endpoints in order to receive alerts, notifications and reports in the
Defender ATP portal. Many tools could be used for this; we take just a few of them. The tools used in the lab are:

• Crafted Macro Code: AttackSimulationDIYv2
• Mimikatz: https://github.com/gentilkiwi/mimikatz
• PowerSploit: https://github.com/PowerShellMafia/PowerSploit

9.1 Crafted Macro Code


(Based on Microsoft's DIY attack simulation)

Our sample scenario starts with a Word document. Typically this document (or a link to it) would be sent by email to
someone in your organization, with careful social engineering to ensure the receiver suspects nothing and opens it. The
document is weaponized with crafted macro code which silently drops an executable onto the machine (note: the
simulation drops a benign executable). The executable is a backdoor that attains persistence on the machine and then
opens a remote shell to the attacker, letting them run commands on the victim's machine. On the Creators Update, the
backdoor goes on to take control of a system process and inject its code into it, so that it stays in memory and remains
undetected while preparing to collect data and exfiltrate it to the command-and-control server.

9.1.1 Run the Attack


To run the attack scenario, follow these steps:

• Download WinATP-Intro-Invoice.doc from this location
• Double-click WinATP-Intro-Invoice.doc to open it in Microsoft Word
• The document is password protected; type the password that you got
• Click Enable Editing if the document opens in Protected View
• Click Enable Content in the yellow notification at the top of the document to allow the macro to run
• Click OK on the message box to confirm running the attack simulation

Note:
After that a new file appears on the machine's desktop, displayed as WinATP-Intro-Backdoorexe.jpg. The name uses the
right-to-left-override (RLO) technique: a Unicode directional control character embedded in the file name reverses the
rendering of the characters after it, so Explorer shows a .jpg picture while the real extension, the one Windows uses to pick
the handler, is .exe.

The backdoor runs and registers itself for auto-start by writing to a Run key, one of the registry auto-start extensibility
points (ASEPs). As a result the backdoor is launched automatically after a reboot, ensuring the attacker retains control of
the machine in the long run.

Finally, if you are running a Creators Update build, the backdoor starts a trusted system process, in this case
RuntimeBroker.exe, and injects shellcode into it so it can continue to operate in that process's memory while remaining
hidden.
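The RLO disguise and the Run-key persistence described in the note above, as an added example in Python (not part of the guide or of Microsoft's DIY package): it renders a file name the way Explorer would, compares the displayed extension with the real one, and applies the same check to Run-key values. The raw name WinATP-Intro-Backdoor followed by U+202E and gpj.exe is an assumption chosen because it reproduces the displayed name the guide reports; the other file names and the Run-key entries are constructed for the demo.

```python
"""Added example, not part of the original guide or Microsoft's DIY package.
Renders a file name the way Explorer would, compares the displayed extension
with the real one, and applies the same check to Run-key values. The raw name
of the dropped file is an assumption that reproduces the rendering the guide
reports; the other names and the Run-key entries are constructed."""
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: what follows is rendered reversed
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING: ends the override
# Unicode bidirectional controls; any of them inside a file name is a red flag.
BIDI_CONTROLS = {"\u200e", "\u200f", "\u202a", "\u202b", "\u202c", "\u202d",
                 "\u202e", "\u2066", "\u2067", "\u2068", "\u2069"}

SAMPLE_NAMES = [  # constructed for the demo
    "WinATP-Intro-Backdoor" + RLO + "gpj.exe",  # assumed raw name of the dropped file
    "quarterly-report.docx",
    "holiday" + RLO + "gnp.scr",                # a screensaver shown as holidayrcs.png
]
# Constructed Run-key values (value name -> command) as they would be read
# from HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "SecurityHealth": r'"C:\Program Files\Windows Defender\MSASCuiL.exe"',
    "WinATP": r"C:\Users\user\Desktop\WinATP-Intro-Backdoor" + RLO + "gpj.exe",
}
# Folders a dropper writes to; installers register their binaries elsewhere.
USER_DROP_DIRS = ("\\desktop\\", "\\downloads\\", "\\temp\\", "\\public\\")


def displayed_name(name: str) -> str:
    """Approximate Explorer's rendering: the text after an RLO is drawn
    right-to-left (reversed) until a PDF or the end of the name."""
    out, i = [], 0
    while i < len(name):
        if name[i] == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


def extension(name: str) -> str:
    """Extension after the last dot, lower-cased ('' if there is none)."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def analyze(name: str) -> dict:
    """Compare what the user sees with what Windows will execute."""
    shown = displayed_name(name)
    controls = sorted(unicodedata.name(c) for c in set(name) if c in BIDI_CONTROLS)
    real_ext, shown_ext = extension(name), extension(shown)
    return {
        "raw": name,
        "displayed": shown,
        "true_extension": real_ext,
        "displayed_extension": shown_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) or real_ext != shown_ext,
    }


def scan(names) -> list:
    """Raw names whose appearance does not match what they really are."""
    return [n for n in names if analyze(n)["suspicious"]]


def launched_path(command: str) -> str:
    """Executable part of a Run-key command line (quoted path or first token)."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def suspicious_run_entries(entries: dict) -> list:
    """Run-key values worth a look: a disguised file name, or a launch path in
    a folder where a dropper writes rather than where an installer does."""
    hits = []
    for value_name, command in entries.items():
        path = launched_path(command)
        folder, _, filename = path.rpartition("\\")
        disguised = analyze(filename)["suspicious"]
        dropped = any(d in (folder + "\\").lower() for d in USER_DROP_DIRS)
        if disguised or dropped:
            hits.append(value_name)
    return hits


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        r = analyze(n)
        print(f"{r['displayed']!r:34} really .{r['true_extension']}  suspicious={r['suspicious']}")
    print("Run keys to investigate:", suspicious_run_entries(SAMPLE_RUN_ENTRIES))
```

The rendering is an approximation (only U+202E and its terminating U+202C are modelled), which is enough to show why a .exe can be displayed as a .jpg; a real check would also read the live Run keys and look at the file's signature and prevalence, which is what the Defender ATP file view surfaces.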

9.1.2 Analyze the Attack


After the attack has run, the main dashboard shows the latest active alerts. For this attack they are alerts such as:

• An Office application ran suspicious commands
• Right-to-Left-Override (RLO) technique observed
• A process exhibiting suspicious behaviors was observed
• An uncommon file was created and added to a Run Key
• PowerShell dropped a suspicious file on the machine

Because of the nature of the attack we receive one alert for each action the attacker made, each described in detail. But
with so many alerts, how do we know which one came first and which machine is affected? Select one of the alerts and
open Alert Process Tree: it describes how the attack proceeded and which actions were made. In our scenario the evidence
is WinATP-Intro-Backdoorexe; selecting it opens the File view, which gives detailed information about the file, the infected
machine, alerts related to this file, malware detection, worldwide prevalence, the file in the organization and Deep
analysis.

9.1.2.1 A quick way to analyze the attack


Select the latest alert
Select Alert Process Tree

From the Alert Process Tree select one of the alert's evidence items (in our scenario WinATP-Intro-Backdoorexe) to get
information about the file.

The File view provides detailed and related information for this attack:

Alerts related to this machine: all alerts, including actions, machine, severity and status for each alert.
Deep analysis: information on every process that ran on the machine in relation to this file, the registry keys it touched,
contacted IPs and files dropped in local folders.

So which action was made first? In the Alert process tree view the first action is "A process exhibiting suspicious
behaviors was observed"; select it to get additional information about that specific action. From there the Incident graph
shows which machines were affected by this attack.
9.2 Credential Stealing (Mimikatz)
Mimikatz is one of the best-known tools for gathering credential data from Windows systems; with it, Windows credentials
can be extracted in a few minutes. It enumerates credentials from the memory of the LSASS process or from a memory
dump file. To run it you need mimikatz.exe on the system you are targeting. Launching mimikatz from the command line
gives an interactive prompt that accepts commands such as:

• privilege::debug
• inject::process lsass.exe sekurlsa.dll
• @getLogonPasswords

(The last two are the legacy mimikatz 1.x syntax; current 2.x releases use the single sekurlsa::logonpasswords module, as
in the command used below.)

To run the attack scenario, follow these steps:

• Run Mimikatz on the lab machine
• Make sure that you can see the credentials in the output
• Analyze the attack

9.2.1 Run mimikatz


• Download Mimikatz, extract it and open the folder (make sure to download the latest release; expect Windows Defender
Antivirus to detect and quarantine it unless real-time protection is off or the lab folder is excluded)
• From an elevated command prompt (privilege::debug needs SeDebugPrivilege), run the following command; the
c:\temp folder must exist:

.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > c:\temp\pass.txt

The output lists the NTLM hashes of the logged-on accounts; cleartext passwords appear only where WDigest credential
caching (the UseLogonCredential registry value) is enabled, which Windows 10 turns off by default.
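What an EDR keys on here, as an added example (not code from the guide or from the mimikatz project): sekurlsa::logonpasswords must open lsass.exe with at least PROCESS_VM_READ, and Sysmon Event ID 10 (ProcessAccess) logs every such handle together with the GrantedAccess mask, so a detector can flag LSASS reads from anything outside a known baseline. The log lines are constructed and flattened to key=value pairs (an assumption; real Sysmon events are XML inside the EVTX), the baseline list is assumed, and the powershell.exe line models PowerSploit's Invoke-Mimikatz from the tool list above.

```python
"""Added example, not from the guide or the mimikatz project: flag the
behaviour behind a "Hacktool Mimikatz detected" alert. Dumping credentials
requires a handle to lsass.exe with PROCESS_VM_READ; Sysmon Event ID 10
records each such handle with its GrantedAccess mask. Log lines below are
constructed and flattened to key=value pairs (assumption, not Sysmon's XML)."""
import re

PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Assumed baseline of processes that legitimately read LSASS; tune per environment.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

LOG_LINES = [  # constructed for the demo
    r"EventID=1 Image=C:\Temp\mimikatz\x64\mimikatz.exe User=LAB\admin",
    r"EventID=10 SourceImage=C:\Temp\mimikatz\x64\mimikatz.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010 SourceUser=LAB\admin",
    r"EventID=10 SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1410 SourceUser=NT AUTHORITY\SYSTEM",
    r"EventID=10 SourceImage=C:\Windows\System32\Taskmgr.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000 SourceUser=LAB\admin",
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1fffff SourceUser=NT AUTHORITY\SYSTEM",
    r"EventID=10 SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1438 SourceUser=LAB\admin",
]

# key=value pairs; a value runs until the next " key=" so paths may contain spaces.
FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse(line: str) -> dict:
    """Flat key=value log line -> dict."""
    return dict(FIELD.findall(line))


def is_lsass(path: str) -> bool:
    return path.lower().endswith("\\lsass.exe")


def classify(event: dict):
    """Finding for a non-baseline process reading LSASS memory, else None."""
    if event.get("EventID") != "10" or not is_lsass(event.get("TargetImage", "")):
        return None
    source = event.get("SourceImage", "")
    if source.lower() in ALLOWED_SOURCES:
        return None
    access = int(event.get("GrantedAccess", "0"), 16)
    if not access & PROCESS_VM_READ:
        return None  # query-only handles (e.g. Task Manager) cannot dump credentials
    reasons = ["reads LSASS memory (PROCESS_VM_READ)"]
    if access & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION):
        reasons.append("can also write LSASS memory (injection capable)")
    return {
        "source": source,
        "user": event.get("SourceUser", ""),
        "granted_access": f"0x{access:04x}",
        "reasons": reasons,
    }


def detect(lines) -> list:
    """Run the rule over a batch of log lines and keep the findings."""
    return [f for f in (classify(parse(line)) for line in lines) if f]


if __name__ == "__main__":
    for finding in detect(LOG_LINES):
        print(f"{finding['granted_access']} {finding['source']} ({finding['user']}): "
              + "; ".join(finding["reasons"]))
```

Matching on the PROCESS_VM_READ bit rather than on literal masks such as 0x1010 or 0x1410 catches variants that request extra rights, while the write/operation bits separate a plain credential dump from a tool that also injects into LSASS.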


9.2.2 Analyze the Attack (Pivoting the event)
After running mimikatz, go to the portal at https://securitycenter.windows.com/; from this management interface we
begin analyzing the alerts and the actions that were taken.

On the main dashboard you can see all alerts, users at risk, active machines, attack alerts and more.

• In the latest active alerts, choose the alert (Hacktool Mimikatz detected)

In the next window we can see the information about the alert organized in several views, so that the event can be
analyzed:

• General information
• Alert process tree
• Recommended actions
• Incident graph
• Alert timeline

General information gives the details of the alert; alongside it the recommended actions, the alert process tree, the
incident graph and the alert timeline are shown.
The Incident graph shows the machines, files and other executables related to this alert and action. This view correlates
all actions made with mimikatz across all machines in the organization with the file that initiated them. We can choose a
machine or a file to view the correlation between them and how they belong to this attack.

• From the incident graph, choose the machine (wdatp-pc01)

Once the machine is chosen we get information such as: machine details, logged-on users, alerts, the time the first action
was made and the timeline.

• In Alerts related to this machine, choose the Hacktool Mimikatz detected alert
• Once the alert is chosen we can selectively drill down into the events that occurred within a given time.
Note: The Machine timeline section provides a chronological view of the events, actions and associated alerts belonging
to this machine, such as the order in which the attack was carried out.

• Choosing a specific event shows the actions that were made in that event.

Note: You can view the temporal sequence of events that occurred on a machine over a specified period.

• Once we know where the attack began we can get more information about it by selecting the circle of the action. From
this view you can tell when the action was first seen, the severity of the alert and the details of the file.
• Then go back to the Incident Graph and choose the file (mimikatz.exe)

Note: for a file we get information including:

File details, Malware detection, Prevalence worldwide
Deep analysis
Alerts related to this file
File in organization
Most recent observed machines with file

• From this view choose Deep analysis > Submit and wait a few minutes (the sample is sent to Microsoft and detonated in
an instrumented sandbox, so the sample-sharing setting chosen when the onboarding policy was created must allow it).
Once the submission is done the report includes the following details:

Communication
Environment Awareness
Interaction with System Processes
Miscellaneous
Contacted IPs
Conclusion

From the Windows Defender Security Center dashboard we know which attack was made, which machines were involved,
what operations were performed on them, which information the files accessed and the risk of the attack.

The dashboard lets us investigate each specific action and learn who the attackers are and from where they attacked our
company.
