Debugging the undebuggable and finding a CVE in Microsoft Defender for Endpoint

At FalconForce, we like to understand the tools that we work with. One of the tools we use a lot on the blue side is MDE: Microsoft Defender for Endpoint, formerly Microsoft Defender ATP. In an effort to understand how MDE sends logs to the M365 cloud environment, we found a nice trick to debug protected processes, as well as a vulnerability in MDE that was reported to Microsoft back in August 2021 and received CVE-2022-23278.

This will be a blog post in three parts. First, some tips and tricks to debug protected processes. Then we will dive into the actual vulnerability that we discovered once the MDE process could be properly debugged. And finally we will have a quick look at the fix that Microsoft made to address the vulnerability.

TL;DR — You can debug MDE running on an endpoint by running dbgsrv.exe and raising its PPL protection to WinTcb. This can be used to snoop on data being transmitted by MDE to the cloud. We identified a vulnerability related to missing authorization checks of data sent from the MDE endpoint to the M365 cloud, allowing anyone to send spoofed data to any M365 tenant.

Cross-post from medium.com; please read the full article here:

https://medium.com/falconforce/debugging-the-undebuggable-and-finding-a-cve-in-microsoft-defender-for-endpoint-ce36f50bb31