silverhack / monkey365

Monkey365 provides a tool for security consultants to easily conduct not only Microsoft 365, but also Azure subscriptions and Microsoft Entra ID security configuration reviews.
https://silverhack.github.io/monkey365/
Apache License 2.0

[Bug]: MDE / EDR blocks executing this script/function. This morning it was working fine. This evening it's blocked. #20

Closed hardinxcore closed 2 years ago

hardinxcore commented 2 years ago

image

silverhack commented 2 years ago

Hey, and thanks a lot for submitting this. I can't reproduce it, but without more information, probably the tool is trying to save logs in %system32% due to elevated execution init. Please note that monkey 365 is designed to work in a non-elevated PowerShell session. Could you please try again? Also, it would be great if you could share the code which is causing the exception.

More information regarding log naming convention here:

https://silverhack.github.io/monkey365/logging/File/

thanks

hardinxcore commented 2 years ago

After installing Monkey365 I executed these lines:

MS365

```powershell
$param = @{
    Instance = 'Office365';
    Analysis = 'SharePointOnline';
    PromptBehavior = 'SelectAccount';
    IncludeAzureActiveDirectory = $true;
    # Only one ExportTo key is allowed per hash literal; the unused variants are commented out
    #ExportTo = 'PRINT';
    #ExportTo = 'CLIXML,EXCEL,CSV,JSON,HTML';
    ExportTo = 'HTML';
}
$assets = Invoke-Monkey365 @param
```

Azure

```powershell
$param = @{
    Instance = 'Azure';
    Analysis = 'All';
    PromptBehavior = 'SelectAccount';
    subscriptions = 'x-x-x-x-x';
    all_subscriptions = $true;
    TenantID = 'x-x-x-x-x';
    #ExportTo = 'PRINT';
    #ExportTo = 'CLIXML,EXCEL,CSV,JSON,HTML';
    ExportTo = 'HTML';
}
$assets = Invoke-Monkey365 @param
```

silverhack commented 2 years ago

Hi. Could you please test it in other environments, such as a new PowerShell console? More info is needed, for example the EDR log. The tool is not reading any raw keystroke data and is not hooking any API call from the system. Also, the tool is heavily tested on multiple OSes, with multiple configurations and AV solutions, and for that reason I think it could be a false positive.

Thanks

silverhack commented 2 years ago

Hi @hardinxcore, is there any update on this?

Thanks in advance

hardinxcore commented 2 years ago

I have to find time to run this within a vm without MDE running. I hope to do this on Monday.

My Win11 laptop with MDE is still blocking this.

silverhack commented 2 years ago

Hi @hardinxcore, thanks for the quick response. It's really appreciated.

I was able to reproduce the issue with EDR. In my specific lab, apart from Invoke-MonkeyLogger, there were some files detected as potentially malicious, as shown below:

[screenshots: FalsePositive, FalsePositive2]

So I would recommend marking these files as false positives, as these functions are designed to perform internal tasks, such as converting GUIDs to names, logging utilities to forward logs to Teams or Slack, or HTML utilities to convert metadata to tables.

I can confirm that it's a false positive in Microsoft Defender. Feel free to analyze the source code or to send the files to MS for review.

More information regarding false/true positives in Microsoft Defender is available here:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives?view=o365-worldwide

Thanks,
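As an added example (not from this thread and not part of Monkey365), a PowerShell helper that checks the two things the maintainer asks about above: whether the console is elevated (Monkey365 expects a non-elevated session) and which files under the Monkey365 install folder Microsoft Defender actually flagged, with the threat name Defender assigned, so they can be reviewed before being reported as false positives. It assumes the Defender cmdlets Get-MpThreatDetection and Get-MpThreat are available (Windows with Microsoft Defender Antivirus), that the module is installed under the name monkey365, and that Defender lists file resources with its usual "file:_" prefix.

```powershell
# Added helper (not part of Monkey365): run it in the console where the block occurred.
# Assumes the Defender PowerShell module (Get-MpThreatDetection / Get-MpThreat) is present.

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-Monkey365DefenderDetections {
    param(
        # Folder the module lives in; resolved from the installed module when possible.
        # Assumption: the module is registered under the name 'monkey365'.
        [string]$ModulePath = (Get-Module -ListAvailable monkey365 |
                               Select-Object -First 1 -ExpandProperty ModuleBase)
    )
    if (-not $ModulePath) { throw "monkey365 module not found; pass -ModulePath explicitly." }

    # Map ThreatID -> ThreatName so each hit shows the detection family Defender assigned
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

    Get-MpThreatDetection | ForEach-Object {
        $det = $_
        # Resources look like "file:_C:\path\to\file.ps1"; keep only files under the module folder
        $det.Resources |
            Where-Object { $_ -like 'file:_*' } |
            ForEach-Object { $_.Substring(6) } |
            Where-Object { $_.StartsWith($ModulePath, [StringComparison]::OrdinalIgnoreCase) } |
            ForEach-Object {
                [pscustomobject]@{
                    File        = $_
                    ThreatName  = $names[$det.ThreatID]
                    Detected    = $det.InitialDetectionTime
                    Process     = $det.ProcessName
                    ActionTaken = $det.ActionSuccess
                }
            }
    }
}

if (Test-IsElevated) {
    Write-Warning 'This session is elevated; Monkey365 is designed for a non-elevated session.'
}
Get-Monkey365DefenderDetections | Format-Table -AutoSize
```

The resulting file list is what to compare against the repository source and, if it matches the internal helpers the maintainer describes, what to submit to Microsoft via the false-positive process linked above.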