Mr-Un1k0d3r / EDRs


MDE/ATP #4

Open diogo-fernan opened 3 years ago

diogo-fernan commented 3 years ago

Wanted to share that Microsoft Defender for Endpoint (MDE) (previously known as Advanced Threat Protection (ATP)) is embedded within the operating system and does not seem to hook anything on ntdll.dll. Perhaps you might want to add that to the list despite the empty output.

Mr-Un1k0d3r commented 3 years ago

That is a good point. We should also add a note for the ones that are running in the kernel only, like ATP. I will also add a note that some of them hook the target instead of the source (like Cisco AMP, which will monitor LSASS (DLL injected)).

fastlorenzo commented 3 years ago

Looks like the same for Tanium:

C:\Users\avtest\Downloads>hook_finder64.exe c:\Windows\System32\ntdll.dll
Loading c:\Windows\System32\ntdll.dll
HookFinder Mr.Un1k0d3r RingZer0 Team
C:\Users\avtest\Downloads\hook_finder64.exe is loaded at 0x0000000000400000.
C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007FFC70990000.
C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007FFC6EA00000.
C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007FFC6E250000.
C:\Windows\System32\msvcrt.dll is loaded at 0x00007FFC6F110000.
------------------------------------------
BASE                    0x00007FFC70990000      MZÉ
PE                      0x00007FFC709900E8      PE
ExportTableOffset       0x00007FFC70AE1180
OffsetNameTable         0x00007FFC70AE37A4
Functions Count         0x97f (2431)
------------------------------------------
------------------------------------------
Completed

ATP:

C:\Users\avtest\Downloads>hook_finder64.exe C:\windows\system32\ntdll.dll
Loading C:\windows\system32\ntdll.dll
HookFinder Mr.Un1k0d3r RingZer0 Team
C:\Users\avtest\Downloads\hook_finder64.exe is loaded at 0x0000000000400000.
C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007FF83E930000.
C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007FF83D040000.
C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007FF83C290000.
C:\Windows\SYSTEM32\apphelp.dll is loaded at 0x00007FF839920000.
C:\Windows\System32\msvcrt.dll is loaded at 0x00007FF83E490000.
------------------------------------------
BASE                    0x00007FF83E930000      MZÉ
PE                      0x00007FF83E9300E8      PE
ExportTableOffset       0x00007FF83EA81180
OffsetNameTable         0x00007FF83EA837A4
Functions Count         0x97f (2431)
------------------------------------------
------------------------------------------
Completed

icaman commented 3 years ago

Cisco Secure Endpoint (former AMP):

C:\Users\Admin\Downloads>hook_finder64.exe C:\windows\system32\ntdll.dll
Loading C:\windows\system32\ntdll.dll
HookFinder Mr.Un1k0d3r RingZer0 Team
C:\Users\Admin\Downloads\hook_finder64.exe is loaded at 0x0000000000400000.
C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007FFD99D90000.
C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007FFD99BF0000.
C:\Windows\System32\KERNELBASE.dll is loaded at 0x00007FFD975D0000.
C:\Windows\SYSTEM32\apphelp.dll is loaded at 0x00007FFD94CE0000.
C:\Windows\System32\msvcrt.dll is loaded at 0x00007FFD99CB0000.
------------------------------------------
BASE                    0x00007FFD99D90000      MZÉ
PE                      0x00007FFD99D900E8      PE
ExportTableOffset       0x00007FFD99EE1180
OffsetNameTable         0x00007FFD99EE37A4
Functions Count         0x97f (2431)
------------------------------------------
------------------------------------------
Completed
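As an added example (not part of this thread or of the hook_finder tool), a small Python parser for the hook_finder64 output quoted above, handy when comparing several EDR runs side by side: it pulls out module base addresses and the ntdll export count, and treats any lines printed between the second and third separator as findings. That placement is an assumption; the runs on this page all show that region empty.

```python
import re

# Constructed sample: the Tanium run quoted in this thread, trimmed to the
# lines this parser looks at (raw string, so backslashes are literal).
SAMPLE = r"""Loading c:\Windows\System32\ntdll.dll
HookFinder Mr.Un1k0d3r RingZer0 Team
C:\Windows\SYSTEM32\ntdll.dll is loaded at 0x00007FFC70990000.
C:\Windows\System32\KERNEL32.DLL is loaded at 0x00007FFC6EA00000.
------------------------------------------
BASE                    0x00007FFC70990000      MZ
PE                      0x00007FFC709900E8      PE
ExportTableOffset       0x00007FFC70AE1180
Functions Count         0x97f (2431)
------------------------------------------
------------------------------------------
Completed
"""

MODULE_RE = re.compile(r"^(?P<path>\S+) is loaded at (?P<addr>0x[0-9A-Fa-f]+)\.$")
COUNT_RE = re.compile(r"^Functions Count\s+0x[0-9A-Fa-f]+\s+\((?P<n>\d+)\)$")


def parse_hook_finder(text):
    """Parse one hook_finder64 run: modules (lower-cased path -> base),
    ntdll export count, findings and a one-line verdict.

    Assumption (not stated on this page): per-export findings are printed
    between the second and third separator lines, so an empty region there
    means no userland hook was seen in ntdll.dll.
    """
    modules, export_count, findings, seps = {}, None, [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if line and set(line) == {"-"}:      # separator line made of dashes
            seps += 1
            continue
        m = MODULE_RE.match(line)
        if m:
            modules[m.group("path").lower()] = int(m.group("addr"), 16)
            continue
        m = COUNT_RE.match(line)
        if m:
            export_count = int(m.group("n"))
            continue
        if seps == 2 and line:               # inside the findings region
            findings.append(line)
    verdict = (f"{len(findings)} ntdll export(s) hooked in userland" if findings
               else "no userland ntdll hooks; EDR may rely on kernel telemetry")
    return {"modules": modules, "export_count": export_count,
            "findings": findings, "verdict": verdict}
```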

diogo-fernan commented 2 years ago

Is Microsoft Defender for Endpoint basically identical to Windows Defender but with a central console?

More or less. Windows Defender is the (traditional) antivirus component of the MDE platform, the latter of which also incorporates the EDR features. Almost everything is consolidated into a central console except for some Windows Defender antivirus settings that are still managed via SCCM or Intune.

Mr-Un1k0d3r commented 2 years ago

Most of the bypasses that work on the standard version will work against the enterprise version. Keep in mind that if you want to land your payload these will help, but the tricky part is the post-exploitation detection capabilities added by MDE.

You need to evade it with whatever you do after the execution too, not just on disk.