A few years ago, I was on the defense team while a pentest was ongoing on one of our websites. This website, coded in C#, was hosted on Windows and had Windows Defender enabled.
During the pentest, the attacker had access to the CMS. He discovered that he could upload his own plugins, giving him Remote Code Execution (RCE) on the server. Happy with this discovery, he started his C&C server (it was PowerShell Empire 2 at the time), crafted a payload, launched the result from a C#-wrapped plugin and then… nothing.
As some of you may know, C#, PowerShell and Defender all love to work together. That's because PowerShell and the .NET Framework now hand the scripts and assemblies they are about to run to the Antimalware Scan Interface (AMSI), which Windows Defender plugs into. So when the payload was launched, Defender could see its content in memory, without any file touching the disk, and block the attack.
So all the attacker had to do was to modify his payload until it passed every check Defender does. After a few hours, he had a complete reverse shell (although restricted to the IIS user).
From the defense point of view, the fact that Defender did its job is perfect. But the fact that we didn't know Defender had blocked a file-less attack, and only learned it when we received the report, should be considered a disaster. It means your AV is useless because an attacker has all the time he needs to craft his attack: each blocked attempt is feedback for him and silence for you.
From this point, the next steps were clear: we needed to receive an alert when a virus was detected. And maybe on other suspicious behavior? That's when I discovered what a SIEM is!
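The first step, getting an alert the moment Defender blocks something, does not need a SIEM to start with. Defender writes every detection to its own Windows event log, so a small script can pick those events up and push them to whatever collector or webhook you have. The following is an added example written for this post, not code from the original article: it reads Defender's operational log (event ID 1116 = malware detected, 1117 = action taken), flattens the event's XML data fields into an object and posts each detection as JSON. The webhook URL is a placeholder; the field names come from the event's own `<Data Name="...">` elements.

```powershell
# Added example, not code from the original post.
# Polls Windows Defender's operational event log for detection events and
# pushes each one to a SIEM/webhook. 1116 = malware detected, 1117 = action taken.
# The webhook URL below is an assumption: replace it with your collector's endpoint.

$LogName      = 'Microsoft-Windows-Windows Defender/Operational'
$DetectionIds = 1116, 1117
$SiemWebhook  = 'https://siem.example.internal/hook/defender'   # placeholder

function Get-DefenderDetection {
    [CmdletBinding()]
    param([datetime]$Since = (Get-Date).AddMinutes(-5))

    $filter = @{ LogName = $LogName; Id = $DetectionIds; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Each Defender event carries its details as <Data Name="...">value</Data> elements.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time     = $_.TimeCreated
            Host     = $env:COMPUTERNAME
            EventId  = $_.Id
            Threat   = $data['Threat Name']
            Severity = $data['Severity Name']
            Path     = $data['Path']          # file path, or an in-memory location for fileless hits
            Process  = $data['Process Name']  # e.g. the IIS worker process in the scenario above
            User     = $data['Detection User']
            Action   = $data['Action Name']
        }
    }
}

function Send-DefenderAlert {
    param([Parameter(ValueFromPipeline)]$Detection)
    process {
        $body = $Detection | ConvertTo-Json -Compress
        Invoke-RestMethod -Uri $SiemWebhook -Method Post -ContentType 'application/json' -Body $body
    }
}

# Run this from a scheduled task every few minutes (or make the task trigger on
# event 1116 itself) so the alert reaches a human while the attacker is still iterating.
Get-DefenderDetection | Send-DefenderAlert
```

In production you would rather ship the whole `Microsoft-Windows-Windows Defender/Operational` channel to a collector with Windows Event Forwarding or your SIEM agent and build the alert there, but the point is the same: a detection that nobody sees is not a defense, it is a free test harness for the attacker.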
If you want to know more about what a SIEM is and how to use it, you can read my blog posts on the subject, starting with: SIEM 101 — Introduction