Dent: creating COM-based bypasses utilizing vulnerabilities in Microsoft’s WDAPT sensors

Dent

This framework generates code to exploit vulnerabilities in Microsoft Defender Advanced Threat Protection’s Attack Surface Reduction (ASR) rules to execute shellcode without being detected or prevented. ASR was designed to be the first line of defense, detecting events based on actions that violate a set of rules. These rules focus on specific behavior indicators on the endpoint that are often associated with an attacker’s Tactics, Techniques, or Procedures (TTPs). These rules have a heavy focus on the Microsoft Office suite, as this is a common attack vector for establishing a remote foothold on an endpoint. A lot of the rule-based controls focus on network-based or process-based behavior indicators that stand out from the normal business operation. These rules focus on either the initial compromise of a system or a technique that can severely impact an organization (e.g., disclosure of credentials or ransomware). They cover a large amount of the common attack surface and focus on hampering known techniques used to compromise assets.

Dent takes advantage of several vulnerabilities to bypass these restrictive controls to execute payloads on an endpoint without being blocked or effectively detected by Microsoft Defender Advanced Threat Protection sensors. The article above outlines this vulnerability that is STILL present in Microsoft Defender Advanced Threat Protection even after disclosure.

Weaponizing

This framework is intended for exploiting vulnerabilities and deficiencies in Microsoft Defender Advanced Threat Protection, because of that it does not actually generate any payloads/implants. In order to generate those, you can use a large number of tools publicly available, however, all research, development, and testing were done using ScareCrow. Microsoft Defender Advanced Threat Protection doesn’t rely on userland hooking for telemetry rather it utilized various other mechanisms such as kernel callbacks. From testing, this framework works extremely well at bypassing Microsoft Defender Advanced Threat Protection to execute shellcode.

Install

git clone https://github.com/optiv/Dent.git
cd Dent
go build Dent.go

Use

Tutorial

Copyright (c) 2021 Optiv Security