Hack to Basics – Adapting Exploit Frameworks to Evade Microsoft ATP

Many pentesters are avoiding existing frameworks due to security improvements from Microsoft and smarter practices by network Admins. Red teams don’t have to throw away existing tools because their attacks are being thwarted and contrary to belief, Powershell is not dead. We updated existing tools and demonstrated that they can still be used to launch successful attacks. We would want to get back to the basics and demonstrate that successful attacks are still possible by modifying tools like Empire.

 Our pentest used open-source intelligence (OSINT) to learn a ridiculous amount about our targets to launch spearphishing attacks. We used a targeted macro enabled doc to launch our Powershell code, which we developed from a complex academic process (failures, more obfuscation, more failures, success, ????, and Profit).

 We will go over the methods employed by Microsoft Advanced Threat Protections (ATP) in both their antivirus and their sandbox environment, how we enumerated, and characterized their system to avoid detection. In addition, we avoided detection from Darktrace on a commercial network by masking our JA3 signature and weaponized Microsoft Azure for our covert C2 channel. In the end, we were able to launch a successful attack again a large company using Empire and our wits.