Microsoft Defender for Endpoint does a great job of ensuring the integrity of the scripts they push and execute.
First, they ensure that the script to execute matches the expected file hash. Example:
powershell.exe -ExecutionPolicy AllSigned -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileAccess]::Read);$calculatedHash = Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq 'd871ab44a81b93cdf3c7e235c246ea8b4bf65d9141d7797270c15dd6bbdb2803')) { exit 323;}; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1' }"
Cleaned up PowerShell:
& {
$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8
$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileAccess]::Read)
$calculatedHash = Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1' -Algorithm SHA256
if (!($calculatedHash.Hash -eq 'd871ab44a81b93cdf3c7e235c246ea8b4bf65d9141d7797270c15dd6bbdb2803')) {
exit 323; # ERROR_DATA_CHECKSUM_ERROR
}
. 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1'
}
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection
is also only accessible by SYSTEM.
Also, each script is signed with a Microsoft Windows Defender Advanced Threat Protection
certificate which makes validation and enforcement with application control so much easier!
> Get-AuthenticodeSignature 046a3caf-d9ec-4da6-a32a-fb148992596a.ps1 | Select-Object -ExpandProperty SignerCertificate | Format-List *
EnhancedKeyUsageList : {Code Signing (1.3.6.1.5.5.7.3.3), 1.3.6.1.4.1.311.76.47.1}
DnsNameList : {Microsoft Windows Defender Advanced Threat Protection}
SendAsTrustedIssuer : False
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid...}
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 1/27/2022 3:50:22 PM
NotBefore : 1/28/2021 3:50:22 PM
HasPrivateKey : False
PrivateKey :
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 6, 21...}
SerialNumber : 3300000205FC5081544065EFB0000000000205
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : 1FF064E13C25D7B5C83549F1562DD64181C4443A
Version : 3
Handle : 3221047460208
Issuer : CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject : CN=Microsoft Windows Defender Advanced Threat Protection, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Here is a link to 046a3caf-d9ec-4da6-a32a-fb148992596a.ps1
in VT: https://www.virustotal.com/gui/file/d871ab44a81b93cdf3c7e235c246ea8b4bf65d9141d7797270c15dd6bbdb2803/details
And because the scripts are signed, I can allow all of them to execute in a robust fashion with WDAC. This is the code integrity policy that I merged into my master policy that allows these scripts to execute:
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules />
<!--EKUS-->
<EKUs />
<!--File Rules-->
<FileRules />
<!--Signers-->
<Signers>
<Signer ID="ID_SIGNER_DEFENDER_FOR_ENDPOINT" Name="Microsoft Code Signing PCA 2011">
<CertRoot Type="TBS" Value="F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E" />
<CertPublisher Value="Microsoft Windows Defender Advanced Threat Protection" />
</Signer>
</Signers>
<!--Driver Signing Scenarios-->
<SigningScenarios>
<SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 10-27-2021">
<ProductSigners />
</SigningScenario>
<SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Auto generated policy on 10-27-2021">
<ProductSigners>
<AllowedSigners>
<AllowedSigner SignerId="ID_SIGNER_DEFENDER_FOR_ENDPOINT" />
</AllowedSigners>
</ProductSigners>
</SigningScenario>
</SigningScenarios>
<UpdatePolicySigners />
<CiSigners>
<CiSigner SignerId="ID_SIGNER_DEFENDER_FOR_ENDPOINT" />
</CiSigners>
<HvciOptions>0</HvciOptions>
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
</SiPolicy>
Yeah, we've missed it for the longest time too. We stumbled upon it when investigating another issue. When we enabled transcript logging we found our issue, but immediately show a bunch of MDE scripts blocked too. We've reported it, but the general feeling appeared to be that it doesn't really hurt functionality. I've tried using advanced hunting to show some of the data they appear to collect, but even on a system without wdac I can't see that data. It's unclear to me what they're collecting it for and where they store it.
Thanks for the swift responses, was wondering whether you'd found some magic.