In this blog post, I will show you how we can use Defender for Endpoint (MDE) to investigate and create detection rules for new vulnerabilities and techniques. MDE is a powerful tool that provides endpoint detection and response (EDR) capabilities, as well as threat and vulnerability management (TVM) features. With MDE, you can:
- Monitor and analyze the behavior of processes, files, network connections and registry changes on your endpoints.
- Detect and respond to advanced attacks using built-in or custom detection rules, alerts and automated actions.
- Assess and remediate the exposure and risk of your endpoints to known vulnerabilities and misconfigurations.
- Discover and prioritize the most important threats and vulnerabilities in your environment using Threat & Vulnerability Management (TVM, now called Microsoft Defender Vulnerability Management).
To demonstrate how we can use MDE to verify a vulnerability instead of simply trusting what is written on the internet, I will use the Windows TCP/IP vulnerabilities that Microsoft disclosed in its February 2021 security updates: CVE-2021-24094, a remote code execution (RCE) vulnerability in the IPv6 code of the Windows TCP/IP stack (tcpip.sys) that is triggered by sending specially crafted IPv6 packets to a target system, and its companion CVE-2021-24086, a denial-of-service vulnerability in the same code that crashes the target. According to Microsoft's advisory, the RCE needs neither authentication nor user interaction. Microsoft also pointed out that building a working RCE exploit for it is hard, while a crash (blue screen) is easy to trigger, so a crash is the realistic outcome to expect from a public proof of concept.
However, before we jump to conclusions and assume that our systems are vulnerable or compromised, we need to verify this vulnerability on our own test platform with our own configuration and detection tools. Here are the steps that we can follow:
1. Set up a test environment with two Windows 10 machines, one as the attacker and one as the victim. Make sure both have IPv6 enabled and sit on the same network segment, and that the segment is isolated from production so the crafted packets cannot reach anything else.
2. Onboard both machines to MDE in the same tenant. Bring both up to date, but keep the victim unpatched for these CVEs: the fix shipped in the February 2021 cumulative update for each Windows 10 build (the KB number depends on the build, so take it from the advisory), and because Windows 10 updates are cumulative the victim must stay at the January 2021 cumulative update or older; any later cumulative update includes the fix.
3. On the attacker machine, obtain a proof-of-concept (PoC) that sends the crafted IPv6 fragments. The public PoCs for the DoS variant are Python scripts that build the packets with Scapy, so check the PoC's README for its dependencies; only a native PoC would need a toolchain such as Visual Studio 2019 with the Windows 10 SDK. Read the PoC before you run it: it is attacker tooling downloaded from the internet, which is exactly the kind of thing this exercise says not to trust blindly.
4. In the Microsoft Defender portal go to Assets > Devices, open the victim device and select its Timeline tab, which lists the events the sensor recorded on the machine in chronological order. Note the victim's IPv6 link-local address (for example from `ipconfig`) for the next step.
5. On the attacker machine, run the PoC against the victim's IPv6 address, for example (hypothetical file name) `poc.py fe80::a4a1:51ff:fe59:4d61`. Because the target is a link-local address, the sender also has to name the outgoing interface (a zone ID such as `%12` on Windows, or the PoC's own interface option); otherwise the attacker's stack does not know which link to send on.
6. Watch the victim. If it is unpatched, the crafted fragments crash tcpip.sys: the machine blue screens and reboots. That crash is the vulnerability being triggered (the DoS outcome), not a protective action by MDE. Then look at the device timeline and the alerts queue. Do not expect an alert named after the CVE: the MDE sensor records process, file, registry and connection-level network events, it is not a packet inspector, and a kernel crash stops the sensor along with everything else, so the evidence is usually a gap in the timeline followed by boot-time events, plus the bugcheck record (Event ID 1001) and the Kernel-Power record (Event ID 41) in the victim's System log after reboot. Whether your tenant raises any alert at all is precisely what this exercise is meant to find out.
7. If an alert was raised, open it to see its details: alert ID, description, device name, IP address, OS version, alert time, detection source, evidence and recommended actions.
8. Open the alert story (View full details) for the graphical attack chain and the related alerts, incidents, devices, users and files; if nothing is grouped with it, that is also a result worth recording.
9. From the device page you can start an automated investigation, which runs MDE's standard evidence-collection and remediation playbook on the device. Note what it can and cannot do here: automated investigation looks at user-mode artifacts such as processes, files and persistence, so for a kernel crash caused by network packets it will find nothing to remediate, and it does not fix the exposure. The remediation is the update, and TVM's Weaknesses view shows which other devices in the tenant still lack it.
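The victim-side checks behind steps 2, 4 and 6, as an added PowerShell script of my own (not code from the original post or from Microsoft). It assumes it runs elevated on the Windows 10 victim, that `$PatchKb` is replaced with the KB of the cumulative update that fixes the CVEs for your build (the value in the script is a placeholder), and it only reads the sensor state, IPv6 bindings, installed hotfixes, the System event log and the crash-dump settings.

```powershell
<#
  Added example, not from the original post: victim-side checks for the lab above.
  Run elevated on the Windows 10 victim. Before the test it confirms the MDE sensor
  is onboarded, IPv6 is bound, the fix is absent, and prints the link-local address
  to hand to the attacker. After the test (-AfterTest) it pulls the crash evidence
  from the System log and the crash-dump location.
  $PatchKb is a placeholder: substitute the KB of the cumulative update that fixes
  the CVEs for your build (it differs per Windows 10 build).
#>
param(
    [string]$PatchKb = 'KB0000000',
    [datetime]$Since = (Get-Date).AddHours(-1),
    [switch]$AfterTest
)

function Test-MdeOnboarded {
    # What the portal's onboarding status reflects: the Sense service running and
    # OnboardingState = 1 under the Windows Advanced Threat Protection status key.
    $svc   = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).OnboardingState
    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    [pscustomobject]@{
        SenseRunning    = $running
        OnboardingState = $state
        Onboarded       = $running -and ($state -eq 1)
    }
}

function Get-Ipv6Target {
    # IPv6 must be bound (ms_tcpip6) on the adapter; the link-local address is the
    # one the attacker targets on the shared segment (the attacker must add its own
    # interface/zone when sending to it).
    $bound = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled |
        Select-Object -ExpandProperty Name
    Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -like 'fe80:*' -and $bound -contains $_.InterfaceAlias } |
        Select-Object InterfaceAlias, IPAddress
}

function Test-FixAbsent {
    # Updates are cumulative: the fixing KB, or any newer cumulative update, means the victim is patched.
    $fix    = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue
    $latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        FixInstalled = ($null -ne $fix)
        LatestUpdate = $latest.HotFixID
        InstalledOn  = $latest.InstalledOn
    }
}

function Get-CrashEvidence {
    # A tcpip.sys bugcheck leaves two System-log records after reboot:
    #   1001 from Microsoft-Windows-WER-SystemErrorReporting (bugcheck code and dump path)
    #   41   from Microsoft-Windows-Kernel-Power (unexpected shutdown)
    $providers = 'Microsoft-Windows-WER-SystemErrorReporting', 'Microsoft-Windows-Kernel-Power'
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 41, 1001; StartTime = $Since } `
        -ErrorAction SilentlyContinue |
        Where-Object { $providers -contains $_.ProviderName } |
        Select-Object TimeCreated, Id, ProviderName, Message

    # CrashControl is the registry behind the "Startup and Recovery" dialog; DumpFile is where the kernel dump goes.
    $cc   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $dump = [Environment]::ExpandEnvironmentVariables([string]$cc.DumpFile)
    $written = [bool]$dump -and (Test-Path -LiteralPath $dump) -and
        ((Get-Item -LiteralPath $dump).LastWriteTime -gt $Since)
    [pscustomobject]@{ Events = $events; DumpFile = $dump; DumpWrittenAfterTest = $written }
}

if (-not $AfterTest) {
    'MDE sensor:';  Test-MdeOnboarded | Format-List
    'IPv6 target:'; Get-Ipv6Target | Format-Table -AutoSize
    'Patch state:'; Test-FixAbsent | Format-List
} else {
    $ev = Get-CrashEvidence
    'Crash records since {0}:' -f $Since
    $ev.Events | Format-Table -AutoSize -Wrap
    'Dump file: {0} (written after the test: {1})' -f $ev.DumpFile, $ev.DumpWrittenAfterTest
}
```

Run it once before step 5 (`.\Check-Victim.ps1 -PatchKb KB...`) and expect `Onboarded = True`, one `fe80:` address and `FixInstalled = False`; run it again after the reboot with `-AfterTest -Since <time you started the PoC>` and keep the 1001/41 records and the dump's timestamp next to whatever the device timeline shows for the same minute. The two views together are the ground truth the post is about: the System log tells you the packets did their job, the timeline tells you what the sensor saw.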
By following these steps we have verified in our own environment, rather than taken on trust, that an unpatched Windows 10 host really does crash when it receives the crafted IPv6 packets, and we have seen exactly what MDE records, and does not record, for that event. That ground truth is what you need before writing a detection rule or deciding that the built-in alerts are enough.
That does not mean we should stop here and ignore what is written on the internet. On the contrary, we should keep up with security news and research and use them as sources of inspiration and guidance. But we should also verify them on our own test platforms, with our own configuration and detection tools, instead of trusting them blindly. That way we get a more accurate and complete picture of the threats and vulnerabilities that affect our systems, which matters most for internet-exposed services, and we can respond to them effectively and efficiently.