Study of bypassing Microsoft Windows Security using the MITRE CALDERA Framework

Related work

Microsoft’s Protector is proficient at recognizing malware records, blocking misuses and network-based assaults, and hailing phishing destinations. It incorporates basic PC execution and wellbeing reports, as well as parental controls with substance sifting, utilization impediments, and area following. Antivirus software is fundamental if the user is utilizing a Mac or Windows device; both come with some level of infection assurance built in.^3,4,7 In order to build upon these protections and develop endpoint security, protection against malware and possibly undesirable programs, it is best to introduce a third-party antivirus application. Microsoft Guard was not present in the old versions of Windows operating systems, so users of Microsoft operating systems purchased or acquired an antivirus program for device protection. This has changed over time, and Microsoft has integrated an antivirus program to protect its operating systems and software running under them 10.^8,9

Microsoft now indirectly implies that when in the Microsoft system work environment, a user does not need the support of other companies for protection. Microsoft are now able to provide this protection to the end user utilizing Microsoft Protector. A user’s device, files, and data are under its protection from direct or indirect tampering.^10,11 In addition, it is now true that Microsoft Shield is sometimes seen as a competitor with decent protection capabilities when compared to the large security systems in the free antivirus world.¹⁰ This product has evolved significantly since being first developed due to Microsoft’s relentless pursuit of this product. This could be because it would prevent the company’s end users from buying protection products from other companies, which was clearly noted in the latest evaluations conducted by the main independent laboratories that conduct tests at fixed intervals to measure the readiness of antivirus applications.⁷ A test of these available antivirus systems was conducted in July and October 2020 by AV-Comparatives, showing that Microsoft’s performance improved considerably, and Microsoft was rated overall as ‘good’ as it was able to stop 99.5% of the risks, and in this test it came in twelfth place among 17 competing anti-virus programs.^22,23 In another similar evaluation conducted by SE Labs, Microsoft’s product scored 99%, making it the fifth out of 13 participants in the competition. In a further report on protection against intrusion, as of 2020, Microsoft ranked fourth; a result indicating its quality, especially considering the competition was with top providers in the antivirus industry.²⁴ The overall picture, therefore, is that Microsoft Guard is now more than robust in terms of protecting the user from hacking and malware. In short, according to Avira, we can say that Microsoft Protector may be sufficient for the user to satisfactorily protect their data, but it is also clear that it represents a reputable and reliable ‘non-free’ antivirus option.²⁵

With regards to users who do not have high levels of technical experience, it is difficult for them to correctly judge whether this product is sufficient to protect them or not. It can therefore represent an advantageous product for some, and a limited one for others. This difference depends on the way users navigate their computer hardware, software and the Internet.⁸ However, if the user can easily get a free protection program that meets their needs and does not put them at risk, then those can represent a suitable subscription for both experienced users and novice users.^7,8,10 Unfortunately, the area of antivirus software can also be used by malicious groups to distribute agents used to penetrate users’ systems. This has and will continue to occur, and therefore improved access to reputable antivirus programs for both ends of the market is a positive change.¹¹ However, it is also true that although Microsoft strives to maintain its reputation and increase the number of its users by providing products that meet user needs,³⁰ the findings from this paper prove with conclusive evidence that it is possible to bypass Microsoft Anti-Virus and take control of the device, just as the same device can then be used to hack the rest of the devices in the same infrastructure.

Steps

First step: update Kali Linux

In this step, we updated the Kali Linux system version 2022.1 to get the latest version of all the programs in the Kali Linux distribution; this can be done by typing the following command in the terminal “apt-get update”. Figure 2 shows the command used to update Kali Linux.

Figure 2. Updating Kali Linux.

Second step: installing CALDERA

Then, we proceeded to installing the CALDERA framework within the Kali distribution by using the following command “apt-get -y install caldera”. Figure 3 shows the command used to install CALDERA.

Figure 3. Installing CALDERA.

Third step: running CALDERA

Since CALDERA was integrated into the Kali repositories of the latest versions, this made it easy to install and run the CALDERA system from Kali Linux. After we installed CALDERA in the previous step, we then ran it via the command “caldera”. Figure 4 shows the command used to run CALDERA.

Figure 4. Running CALDERA.

Fourth step

After using the previous command, we obtained the login information to the CALDERA framework, red username and password, blue username and password. In this study, we logged in using the red user and password. Considering that CALDERA runs through port 8888, we could start CALDERA by going to the browser and typing the IP of the CALDERA device followed by the port as in the following example. http://192.168.0.14:8888/ or http://localhost:8888/

Red:

 USERNAME: red

 PASSWORD: je2nj8OypHUCp4fZiH08R9z0qDeKTD6vexftrOJ7Ru0

 API_TOKEN: Sugyhnx290IG3zAFgHh8wvx0zqWHh9yBICUHurcVkuk

We then logged into the CALDERA framework, and selected "Navigate", then "Agent", and then we chose the orange key on the left side “Click here to deploy an agent”; after that, we identified the agent kind “54ndc47. Finally, we specified the operating system as “Windows”. Depending on these settings, the CALDERA system generates a code to create a client to bypass the Windows Security system and get a direct connection to the victim’s machine as shown below:

($server="192.168.0.14:8888/";$url="$server/file/download";$wc=New-Object System.Net.WebClient;$wc. Headers.add("platform","windows");$wc. Headers.add("file","sandcat.go");$data=$wc. DownloadData($url);$name=$wc. ResponseHeaders["Content-Disposition"].Substring($wc. ResponseHeaders["Content-Disposition"].IndexOf("filename=")+9).Replace("`"","");get-process|? {$_.modules.filename -like "C:\Users\Public\$name.exe"}|stop-process -f;rm -force "C:\Users\Public\$name.exe" -ea ignore;[io.file]::WriteAllBytes("C:\Users\Public\$name.exe",$data)|Out-Null;Start-Process -FilePath C:\Users\Public\$name.exe -ArgumentList "-server $server -group red" -WindowStyle hidden;)).

Ethics approval

This study was approved by Rabdan Academy (Homeland Security (HLS) department), Abu Dhabi, United Arab Emirates.

Bypassing Windows security

Organizations may fail if they do not implement a solid approach against apt attack and confirmation controls may then permit an aggressor to evade verification. In addition, enemies may also evade the verification component through taking substantial victim sessions and cookies. It is also possible to avoid authentication powerlessness, which appears to permit assailants to perform different noxious processes by avoiding the device verification method. After performing this process, the primary concern is verification bypassing abuse, solely because of a powerless confirmation structure. Companies that fail to maintain a robust and secure infrastructure may create many conditions that allow an attacker to bypass verification.^5,6,38

In this study, CALDERA was used to send a single command to the victim’s device, and through it enable the opening of a session on the target device. This provided the hostname, username, privilege, group, and other sensitive information. Figures 3 and 4 show the command used to bypass Microsoft Windows security and take over the victim machine through got active session over victim machine. Figure 5 shows create agent from CALDEARA server for Windows operating system.

Figure 5. Creating an agent for a specific OS.

Following this, the green color batten was utilized (agent 16232) to open the operations screen; this provides considerable possibilities with regards to implementing all the tactics and techniques used by the offensive groups’ APTs. All this was performed without any warnings or messages identifying suspicious activity on the victim’s device, even though the version installed was recently updated to the latest one available. Figure 6 shows bypassing Windows security (connected with victim machine and take over through the agent).

Figure 6. Bypassing Windows Security (connected with victim machine and take over through the agent).

After bypassing the Windows security system by agent that was created by CALDERA and then applying the Collection tactic, gives us the ability to collect the entre files from the victim’s machine as shown in the following figure. Taking into account that attacker can use the same device to penetrate the rest of the devices and servers in the target infrastructure trough applying lateral movement tactic, credential access tactic, credential dumping technique. Figure 7 shows results from victim machine (paths to aggregated files).

Figure 7. Results from the victim machine (paths to aggregated files).

The next figure present example of results (paths to aggregated files).

As we can see, these paths have become compromised, and all files can be transferred to the attacker’s device.

C:\Users\engcn\Desktop\Results of APT Attack\

C:\Users\engcn\OneDrive\Desktop\CTIA\CTIA Lab Prerequisites\CTIA Lab Prerequisites\CTIA Desktop

C:\Users\engcn\OneDrive\Desktop\

The following figures shows the final report that was generated by CALDERA after bypassing Windows Security and getting files from the victim’s machine as shown earlier. The full report has been uploaded to the GitHub website as shown in the Data Availability section. The entire code for this study has been uploaded to GitHub and archived in Zenodo.

Figure 8. CALDERA commands/report.

Figure 9. CALDERA commands/report.

ATT&CK

Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a database used by information security professionals to understand the methods and techniques used by high-level attack groups utilizing APT, and these groups may be funded by state actors to attack other countries or regions.³⁷ ATT&CK allows to develop new methods and plans to protect against attack groups. The most important thing distinguishing ATT&CK is that it is free and available for governments and private organizations.³⁵ It is possible to take advantage of this approach in order to develop interception methods and defensive plans against offensives by attack teams funded by state actors for espionage or sabotage purposes.³⁶ ATT&CK contains 14 tactics and more than 500 techniques to counter the attacks of these groups.³⁸ Figure 1 shows which tactics and techniques are designed based on MITER. Figure 10 shows ATT&CK tactics and techniques.

Figure 10. ATT&CK tactics and techniques.

Real scenario

In this scenario, Figures 8 and 9 illustrates how, through the application of CALDERA, it was possible to infiltrate all the data from the victim’s device after achieving the initial access, credential access, and using lateral movement tactics and techniques. Through using the indicial access (IA) tactic, the enemy attempts to create a ‘foothold’ inside the existing infrastructure to allow access into the target network. IA tactics are ultimately used to comprise the target infrastructure that access different passage paths, in order to establish an introductory, solid footing inside an arrangement. The strategies utilized to pick up a dependable balance incorporate a focus upon spear-phishing and abusing shortcomings on web servers’ interfaces. The privileges that were obtained at the beginning of the penetration stage greatly facilitated the upgrade process to obtain full privileges on the victim’s device, then completely manage the victim’s machine and use it to access the rest of the network resources. This may result in limited or no use after passwords have been changed. In this scenario, spear-phishing was conducted through normal commands, sent to the victim machine from the CALDERA attacker machine, in order to pick up get to casualty frameworks. Spear-phishing by incomes of value may be a particular variation of command execution. It is as diverse as most of the more common methods of spear phishing, in that it engages in taking advantage of third-party administrations, rather than specifically using project mail channels. All spear-phishing forms are electronically conveyed social building focused on a particular person, company, or industry. In this situation, enemies send messages through different social media administrations, individual webmail, and other non-enterprise-controlled administrations. These administrations are more likely to have a less-strict security arrangement than other undertakings. As with most types of spear-phishing, the objective is to create affinity with the target or develop the target’s intrigue and attention in a variety of ways. Figure 11 Windows defender, and firewall cannot detect the payload when APT used ATT&CK against target infrastructure.

Figure 11. Windows defender, and firewall cannot detect the payload.

Underlying data

All data underlying the results are included as part of the article and no additional data are required.

Extended data

Zenodo: Nachaat3040/CALDERA-Code-Bypassing-Microsoft-Windows-security-: Cyber Attack DOI: https://zenodo.org/record/6309927

This project contains the following extended data:

Analysis code available from: https://github.com/Nachaat3040/CALDERA-Code-Bypassing-Microsoft-Windows-security-/releases/tag/CALDERA

Archived analysis code as at time of publication: https://zenodo.org/record/6309927

License: MIT