
Real tales of cyberattacks and the defenses in Windows 10 to stop them

November 17, 2019

Hello and welcome to Microsoft Mechanics Live. Coming up, we're gonna explore three real-world and recent attacks in detail, how they worked, and the platform defenses in Windows 10 to both block and mitigate against them: from containing spear phishing attacks, to defeating targeted intrusions using macros, to investigating possible breaches and containing those. We're also going to look at new approaches for virtualization-based security to isolate malicious code and credentials away from user mode, and also code integrity policies and more, and we're gonna show new forensics tools to be able to investigate, contain and fix things that might come in post-breach. To do that I'm joined by the man, David Weston. Hello everyone, give him a round of applause.

Thank you, thanks for having me on the show.

He's from the Windows security team, doing all of the forensics and things to actually look at malware as it comes in. So your team's actually responsible for the R&D of the tools to protect, but you've got to be very close and uptight with all of these malicious kinds of pieces of software coming in, and things like WannaCrypt. We've seen ransomware, NotPetya, WannaCrypt and other things recently. It's becoming like a household set of names of technology. Even when I go and visit relatives in the holidays, where they don't even know anything about computers or how to turn them on, they're talking about WannaCry and these types of things. So it's a whole different world now. Let's dive into a few real attacks, though, and the defenses that we have in Windows 10 to be able to stop them.

All right, to make things a little bit real, I thought today that I would show you what ransomware looks like in practice. How many of you have run into a ransomware attack previously? All right, so some folks are unfortunately familiar with it. So what I'm gonna show you is a machine very much probably like your own, with a few sensitive documents. We've got an immigration form here, we've got some taxes, an important presentation, and of course we've got wedding and baby photos, the kinds of things we don't want to have encrypted or stolen from us. Unfortunately we've got an email about a payment past due. Of course we're all responsible financial citizens, so we want to understand, hey, what's going on with this. So we click the link in the email; that launches a URL. This URL asks us to open a document, hopefully describing what's going on with the payment situation. Oh look, I can't actually see it unless I enable editing. That's what the document's telling me.

Just to pause you here for a sec, being in marketing and coming from Windows, you can even tell by the branding, the Office logo and all this old stuff from Office 2007: these are usually kind of telltale signs that something bad is gonna happen here, right?

Absolutely, and there'll sometimes be, you know, bad grammar, maybe an off image. Those are actually pretty good indicators that something's amiss.

Right, so what are we gonna do? We're gonna use some isolation or something to be able to prevent this from happening in a real Windows 10 system.

So the first thing I'm gonna show you is what it actually looks like. So you can see here macros are disabled, which is a good thing, but the document is saying you can't view me unless you enable it, so I'll go ahead and do that. And just to make it real what's going on there, you can see, if you sort of zoom in, that there's an executable called bad running. Now if we wait just a few seconds, what we're likely to see is our precious documents, our photos and a few other things; you can see it's sort of chunking along, it's reading. Defender and other AV is starting to pop up now; I've purposely disabled some of that stuff. But you can see right away the Cerber ransomware is actually asking us to go and purchase some Bitcoins in order to pay the ransom. Here it's asking us to get the Tor Browser and get on the anonymous part of the network to pay. Actually, their most robust piece of documentation is probably how to pay; they never sort of miss that. And you can see all of our documents now are renamed and encrypted, so pretty bad day.

Now, so what are we gonna do then to stop something like this? So you've got this luckily in a very isolated virtual machine that can't infect your host.

I do.

How do you protect this from running on another machine?

So one of the things we did in the latest Fall Creators Update edition of Windows 10 is we introduced a new feature that we call Exploit Guard, and Exploit Guard has several powerful features for preventing ransomware. One of the features in particular allows you to say, I'm okay with opening macros, maybe I need one for work, maybe I need one for a financial application, but I don't want those macros to inject code, create processes, or write executables onto the machine. So what we're gonna do here, very simply, and of course this is all available through SCCM and MDM and other tool sets, is we're gonna add a couple of these rules, and if the demo gods comply we're going to be able to set those rules, we're gonna run the exact same macro, and we should see a block message.

This is like in a previous checkpoint, now running the same code.

That's right, but with the right configurations applied.

That's right. So something funky is going on with my PowerShell, so I'm gonna relaunch this as admin. Again, these are the same kinds of rules that would be available to your management system; I'm just gonna type them in here for ease of use. So we'll go ahead and type the clipboard in there and we'll add the first rule. This first rule is saying no macro should be able to create executables. I'll run that one more time. And the second one is saying no code injection from a macro. So again we'll have the clipboard type that in and we'll run that. Now we'll run the exact same demonstration; now I will see if everything works out. So this time we'll go again and click that attachment. Again, of course it's asking us to run the document, so okay, so we got content. What happens? And bam, there you go, action is blocked.

All right, that's pretty cool.

This is a great feature. Of course I'm gonna show you in just a minute what that looks like to investigate something like that, but you get auditing rules, you get that information, so it's pretty great.

And again you could have used a Group Policy object, you could have used CSP and MDM, all different things to enforce that rule set.

Absolutely.

Okay, so we've done some cool things in terms of preventing the code from running in the primary user session, user mode, and we can do more of that in terms of basically isolating where browsers run as well, because a lot of the threats that we're seeing are coming in by the browser. Can you show us another real-world example of one of those types of attacks?

Absolutely. So what you see on the side here, this black command terminal, is actually Metasploit, which is a common attack tool that people use to audit their networks. So I'm going to simulate being both the victim and the attacker in this situation. So what I'm gonna do is I'm gonna run my exploit. This is gonna give me interactive control of anybody that clicks a link; this is actually a simulated zero-day. So what will happen is, if everything goes well, when the exploit runs we'll get a callback. It'll say you now have control of the machine, and we can do things like dump credentials, pass the hash, take screenshots, etc. But I think there's a surprise in store for the attacker. So we'll run that. So what I'm gonna go ahead and do here is now actually run the exploit. The exploit setup is now waiting for everything. On the VM here, which is our simulated victim environment, what's actually being run is a future feature that we're releasing in the Fall Creators Update, and it's a version of Microsoft Edge that's contained in a very tiny hypervisor. If you're not familiar with hypervisors, the way you can think about it is we took the entire operating system and we squeezed it down into an 18 megabyte image, and we tailored it specifically for Microsoft Edge. And what that means is no matter what happens to the browser, excuse me, it's actually contained by the hypervisor. So if an attacker gets into your browser, they can't tamper with credentials, access your documents, do any encryption. And what I'm going to simulate here is a real-world attack that many, sort of potentially state-sponsored or targeted, attack groups would perform, which is sending you an unassuming link that you click, that redirects you to a site containing a zero-day exploit.

Okay, let's simulate that here. So we've received again a link here that says click the prize to redeem. We're gonna go ahead and click that; it's going to launch in the container. That looks pretty bad, and what you're seeing on the left-hand side here is we got an immediate callback, so the zero-day exploit's been successful. This is both a zero-day exploit in the browser and even a kernel exploit, so full control of a standard host at this point. But because we're in the isolated environment, let's see what the attacker can actually do. So give it a second, now we'll interact with our session. So again this is an interactive session with the container. So we can say, if we call getuid, we're actually NT SYSTEM, so we got full control. This is pretty scary.

That's pretty scary, scarier than that photo.

So let's go and see what kind of data might exist on this machine. So we'll change directory into Users, we'll hit dir. The interesting thing here is even though this looks and feels like my browser, I'm actually running in a separate environment, so the attacker is gonna bum out: Container User, Container Administrator. Those are credentials and accounts that only live in this virtual disposable world, and as soon as I close the browser, that half-a-million-dollar exploit is gone. So let's try to run Mimikatz. How many of you are familiar with Mimikatz, the credential theft tool? I see a few folks out there. So we'll run the classic Mimikatz, we want to steal credentials, let's see what that looks like. So we'll say help here, and we can see there's a bunch of commands we can run. So let's steal a Kerberos cred. So if we run Kerberos, we're actually dumping memory. Unfortunately for the attacker, all they're seeing is again container accounts, so we have Application Guard utility account, Container Administrator, etc. etc. So what we have here is really the type of exploit that would have, in previous generations of isolation, compromised the entire machine. It was something that might go for half a million dollars on the open, you know, sort of black market here, and we've stopped it by simply running things in a virtualized environment. How about that?

So the really great thing is we're using isolation effectively, and we're using kind of containerization technologies to some extent, like we saw there, but we're also using isolation on the flip side in terms of doing things like code integrity policies, Credential Guard keeping credentials out of main user mode, and Device Guard, all those types of things. All the guards are going into an isolated virtualization-based security environment. That way it's not talking to the main user mode, and the attacker is not able to kind of impact the code that's running, steal the credentials, or in this case exploit the browser, because the browser in this case is in another separate container.

Absolutely, completely isolated from user mode.

So I know that sometimes, though, things do make it through, and we like to live in this kind of post-breach world, post-breach mentality.

Absolutely.

What do we do if something comes in and actually is successful and breaches our environment? How do we detect that, and what are the tools available for us there?

So Windows takes an assumed-breach security philosophy, which I think is a very modern approach given the type of sophistication of threats out there. So we built Windows 10 from the ground up to have sensors inside of the operating system fabric that give us all the information we need to detect, diagnose and, now with the Hexadite integration that you've talked about this week, automatically respond and clean up those threats. So what I'm actually going to show you here is a repeat of the two attacks you previously saw, but what they look like from an ATP perspective. So let's start with the macro attack. What we can see here, by simply filtering the Exploit Guard events, and this is information coming off of that victim machine, we can actually see Exploit Guard blocked creating the child process bad.exe. If we click on bad.exe we can get a perspective on how malicious this is. VirusTotal says 55 of the world's antivirus engines think this is bad, so probably a bad file. We can see Defender AV has recognized it accurately as Cerber, and we can also do things like say stop and quarantine this file. If we'd like to pull it into the cloud to do further analysis we can hit the submit button here. We can also see, does it exist anywhere else in my enterprise where I have Defender ATP deployed? And of course we can also, in the forthcoming versions, automatically set the system up to respond and clean up those ransomware threats before they become a problem.

Very cool. So one thing to point out here, and I'm not sure if this is something that, you know, we're kind of seeing things that you can see through the demos, but you couldn't actually just bolt on some of this technology. Even if you're using a hypervisor, you've got something else running, there's no way to kind of do those platform-specific changes that we've made, where you've got credentials, code integrity, or you've got other apps running in an isolated container environment. These are all Windows 10 fundamental things; you just couldn't bolt them on, right?

That's right. I think one of the novel things about Defender ATP is it's not an agent, it's not some piece of code that we added as an afterthought. What we actually do is we sit down with all the key Windows engineering teams and we brainstorm together what would be the best way to alter the code of the operating system to get us the information we need about attacks, and we use red teaming, past experience, analysis of real-world attacks to pinpoint those places in the operating system that would be most beneficial to collect data. And that's sent into the Microsoft cloud, combined with the Intelligent Security Graph; we can run behavioral analytics, indicators of attack, machine learning algorithms, and that's how you get all these awesome events that can tell you what's going on.

So if we now zoom into the second attack, which is that zero-day attack in the container, we can see that Defender ATP recognizes this is in the container. So if we look at the timeline here we get a little indicator that says this is activity that's in the container, and the entire machine timeline, both the host and container events, are together. But one of the things that it's uniquely identified is there's been a process privilege escalation, and what we've done here is we've used an anomaly algorithm to identify that Microsoft Edge went from the lowest sandbox privilege level all the way to SYSTEM, and that should never happen in a real environment, right? So we've picked up on that. We can see that the kernel has been spotted having an access token modified, so there's actually been some kernel data corruption. This is a bad day from a normal perspective, but with Defender ATP we can immediately identify this, make a plan of action, take additional automated actions on the machine like investigate it, collect additional forensics logs, notify our teams, and most importantly, with the click of a button we can use the host-based firewall to isolate that machine so that no further damage can occur.

So very cool. So we've seen some real-world attacks, we've seen how in post-breach you can fix things with Windows Defender ATP, being able to not only investigate but also contain and even mitigate in certain cases those attacks.

Yep.

So we've seen a great explanation of all the different things that we're protected with in Windows 10. Where can folks go to learn more about the security stack?

Well, the good news is there have been numerous talks about Windows 10 security here at Ignite, so that's a great resource, but I would say the best resource for learning how Windows 10 mitigates the latest attacks is the Windows security blog, which is pretty easy to find, and we'll have the latest information on our products and what you can do with them.

Very cool. And if you're not on the Windows Insider program, you should be on that now, and you can also get access to kind of the earliest versions of these types of technologies. Application Guard, for example, you can invoke that kind of through the settings dialog, like you could, for example, an in-private browsing instance.

That's right, so it's easy to start testing this stuff now.

Thanks, Dave, for joining us. Great overview. Of course, that's about all the time we have for this episode of Mechanics. We'll see you next time. Thank you.
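The two Exploit Guard rules typed into PowerShell during the macro demo above (no macro may create executables, no code injection from a macro) are Attack Surface Reduction rules. The script below is an added example, not code from the transcript or from Microsoft Mechanics. It stages the rules in audit mode first, then enforces them, then reads back the active configuration and the Defender operational log to confirm what was audited or blocked. The rule GUIDs are the identifiers Microsoft publishes for "Block all Office applications from creating child processes" and "Block Office applications from injecting code into other processes", and event IDs 1121 (blocked) and 1122 (audited) are the documented ASR event IDs; both are assumptions from memory here, so confirm them against the current Defender documentation before deploying through SCCM, MDM or Group Policy.

```powershell
# Added example (not from the transcript): configure the two ASR rules shown in the
# macro demo and verify the result. Run from an elevated PowerShell session on
# Windows 10 1709 (Fall Creators Update) or later with Defender AV active.
# Rule GUIDs and event IDs below are Microsoft's published values as recalled here;
# confirm against current documentation before relying on them.

$rules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
}

# Stage 1: audit only. Nothing is blocked; ASR records what *would* have been blocked
# (event ID 1122), so legitimate macro workflows surface before enforcement.
function Set-AsrAudit {
    foreach ($id in $rules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions AuditMode
        Write-Host "Audit mode: $($rules[$id])"
    }
}

# Stage 2: enforce. Add-MpPreference with an existing rule ID updates its action,
# so the same call switches the rule from AuditMode to Enabled (block).
function Set-AsrBlock {
    foreach ($id in $rules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions Enabled
        Write-Host "Enforced: $($rules[$id])"
    }
}

# Read back the active configuration. Get-MpPreference returns the IDs and actions
# as two parallel arrays; the action is numeric (0 Disabled, 1 Block, 2 Audit, 6 Warn).
function Get-AsrState {
    $actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $prefs = Get-MpPreference
    $ids = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $name = if ($rules.Contains($ids[$i])) { $rules[$ids[$i]] } else { '(other rule)' }
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = $actionName[[int]$actions[$i]]
            Rule   = $name
        }
    }
}

# Pull the ASR events the demo later filters on in the ATP console, straight from the
# local Defender operational log: 1121 = action blocked, 1122 = would have been blocked.
function Get-AsrEvents {
    param([int]$Max = 20)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Typical rollout: audit for a while, review events, then enforce.
Set-AsrAudit
Get-AsrState | Format-Table -AutoSize
# ... let the audit run against real macro usage, then review:
Get-AsrEvents | Format-Table -AutoSize -Wrap
Set-AsrBlock
Get-AsrState | Format-Table -AutoSize
```

Running the ransomware document from the demo after `Set-AsrBlock` produces the same "action is blocked" notification the transcript describes, and the corresponding 1121 event is what the Exploit Guard filter in the Defender ATP timeline surfaces as "blocked creating the child process bad.exe". Staging through audit mode first is what keeps the "maybe I need one for work" macros working: the 1122 events tell you which Office process and child process pair would have been blocked before any user is affected.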
