Open diogo-fernan opened 3 years ago
That is a good point. We should also add a note for the ones that are running kernel-only, like ATP. I will also add a note that some of them hook the target instead of the source (like Cisco AMP, which will monitor LSASS via an injected DLL).
Looks like the same for Tanium:
```
C:\Users\avtest\Downloads>hook_finder64.exe c:\Windows\System32\ntdll.dll
Loading c:\Windows\System32\ntdll.dll
HookFinder Mr.Un1k0d3r RingZer0 Team
C:\Users\avtest\Downloads\hook_finder64.exe is loaded at 0x0000000000400000.
C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007FFC70990000.
C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007FFC6EA00000.
C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007FFC6E250000.
C:\Windows\System32\msvcrt.dll is loaded at 0x00007FFC6F110000.
------------------------------------------
BASE 0x00007FFC70990000 MZÉ
PE 0x00007FFC709900E8 PE
ExportTableOffset 0x00007FFC70AE1180
OffsetNameTable 0x00007FFC70AE37A4
Functions Count 0x97f (2431)
------------------------------------------
------------------------------------------
Completed
```
ATP:
```
C:\Users\avtest\Downloads>hook_finder64.exe C:\windows\system32\ntdll.dll
Loading C:\windows\system32\ntdll.dll
HookFinder Mr.Un1k0d3r RingZer0 Team
C:\Users\avtest\Downloads\hook_finder64.exe is loaded at 0x0000000000400000.
C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007FF83E930000.
C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007FF83D040000.
C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007FF83C290000.
C:\Windows\SYSTEM32\apphelp.dll is loaded at 0x00007FF839920000.
C:\Windows\System32\msvcrt.dll is loaded at 0x00007FF83E490000.
------------------------------------------
BASE 0x00007FF83E930000 MZÉ
PE 0x00007FF83E9300E8 PE
ExportTableOffset 0x00007FF83EA81180
OffsetNameTable 0x00007FF83EA837A4
Functions Count 0x97f (2431)
------------------------------------------
------------------------------------------
Completed
```
Cisco Secure Endpoint (formerly AMP):
```
Completed
```
Is Microsoft Defender for Endpoint basically identical to Windows Defender but with a central console?
More or less. Windows Defender is the (traditional) antivirus component of the MDE platform, the latter of which also incorporates the EDR features. Almost everything is consolidated into a central console, except for some Windows Defender antivirus settings that are still managed via SCCM or Intune.
Most of the bypasses that work on the standard version will work against the enterprise version. Keep in mind that if you want to land your payload these will help, but the tricky part is the post-exploitation detection capabilities added by MDE.
You need to evade it with whatever you do after execution too, not just on disk.
Wanted to share that Microsoft Defender for Endpoint (MDE) (previously known as Advanced Threat Protection (ATP)) is embedded within the operating system and does not seem to hook anything on ntdll.dll. Perhaps you might want to add that to the list despite the empty output.