This video blog (vlog) showcases the query we created to find possible evidence of anomalous behavior resulting from the Dynoroot exploit. The exploit is described in detail here (https://nvd.nist.gov/vuln/detail/CVE-2018-1111#vulnCurrentDescriptionTitle).
This is a follow up on a recent Ziften blog (https://ziften.com/utilizing-windows-defender-atp-security-center-powerful-advanced-hunting/), which describes our contribution to the Advanced Hunting component of Microsoft’s Windows Defender ATP platform.
We are showing an attacker / victim scenario utilizing the Dynoroot exploit. As the demo starts, you will see the attacker using dnsmasq to take the role of the DHCP server and inject arbitrary commands while fulfilling the victim's request for an IP address.
One of the commands sent down is a reverse shell, so the attacker gains remote access to the victim machine and can run commands such as changing the root password.
Inside Windows Defender ATP, Ziften has added Advanced Hunting queries to find evidence of this attack. With these queries, we look for commands that have run from within the NetworkManager component to see if anything looks out of the ordinary.
After running the query, you can see the process and command line information for the reverse shell (bash -i) and the example ‘cat /etc/hosts’.
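To make the hunting logic concrete, here is an added example (not Ziften's query or Windows Defender ATP code) that applies the same idea to constructed process-creation records: walk each process's parent chain, and flag anything descended from NetworkManager that is not one of the helpers it is expected to spawn. The process tree, the helper allowlist and the event fields are assumptions of the example; in real telemetry the helper names and parent relationships may differ, so both the root name and the allowlist are parameters.

```python
import re
from collections import namedtuple

# Constructed sample process-creation events (not real telemetry).
# Fields: pid, parent pid, executable name, full command line.
Event = namedtuple("Event", "pid ppid exe cmdline")
EVENTS = [
    Event(100, 1,   "NetworkManager",  "/usr/sbin/NetworkManager --no-daemon"),
    Event(210, 100, "dhclient",        "/sbin/dhclient -d -q eth0"),
    Event(215, 210, "dhclient-script", "/usr/sbin/dhclient-script"),
    Event(300, 215, "bash",            "bash -i"),            # reverse shell from the demo
    Event(301, 215, "cat",             "cat /etc/hosts"),     # follow-on command from the demo
    Event(400, 1,   "bash",            "bash -i"),            # not under NetworkManager: ignored
    Event(500, 210, "dhclient-script", "/usr/sbin/dhclient-script"),  # expected helper: ignored
]

# Helpers NetworkManager is expected to spawn during a DHCP lease (assumed allowlist).
EXPECTED_CHILDREN = {"dhclient", "dhclient-script", "nm-dhcp-helper"}
# An interactive shell launched from a DHCP helper is the strongest signal in the demo.
INTERACTIVE_SHELL = re.compile(r"^(?:\S*/)?(?:ba|da|z|k)?sh\s+.*-i\b")


def ancestors(event, by_pid):
    """Return executable names of every ancestor of `event`, nearest first."""
    chain, cur = [], by_pid.get(event.ppid)
    while cur is not None:
        chain.append(cur.exe)
        cur = by_pid.get(cur.ppid)
    return chain


def find_anomalies(events, root="NetworkManager", expected=EXPECTED_CHILDREN):
    """Flag processes descended from `root` whose executable is not an expected helper.
    Returns a list of (pid, exe, cmdline, severity), in event order."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if root not in ancestors(e, by_pid) or e.exe in expected:
            continue
        severity = "high" if INTERACTIVE_SHELL.search(e.cmdline) else "medium"
        hits.append((e.pid, e.exe, e.cmdline, severity))
    return hits


if __name__ == "__main__":
    for hit in find_anomalies(EVENTS):
        print(hit)
```

On the constructed events the run reports pid 300 (`bash -i`) as high severity and pid 301 (`cat /etc/hosts`) as medium, while the unrelated interactive shell and the expected helper are left alone.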
Through the Advanced Hunting interface, you can search across all of your devices (Windows, macOS, and Linux) reporting into the Windows Defender ATP platform. This example is a Linux exploit and attack; with Ziften, we provide Windows Defender ATP with the relevant system data for both Linux and macOS systems. We also contribute OS-specific hunts to the shared repository, so the entire Windows Defender ATP community can benefit.
We will continue to add more vlogs to this series and look forward to your feedback.