Contact Us

Enquiries

Whether you represent a corporate, a consultancy, a government or an MSSP, we’d love to hear from you. To discover just how our offensive security contractors could help, get in touch.




+44 (0)208 102 0765

Atlan Digital Limited
86-90 Paul Street
London
EC2A 4NE

Maldev Testing Environment

Atlan Team

Introduction

When conducting Red Team operations, it is extremely important to develop a testing environment that simulates your client's environment for endpoint protection, domain authentication, and inbound email threat protection.

Fortunately, Microsoft has made Microsoft 365 open to all potential customers, so we can set up an environment with an on-premises Windows domain controller, Office 365 and Advanced Threat Protection (ATP).

While this clearly does not cover every use case, it is a suitable testing environment for our purposes, and if you are able to obtain additional EDR solutions you can install them in parallel on the endpoints.

Technical Discussion

Looking at Microsoft's service offering, it is important to be aware that when you develop malware and test it on a trial or even a licensed consumer version of Windows 10/11, or on a developer VM that you have downloaded, you are not actually testing against Microsoft's enterprise grade of malware analysis.

While you may successfully bypass Defender on a vanilla Windows VM, be aware that when you deploy the same implant at a client that is paying for a more expensive tier of Microsoft ATP, you will find your payloads fail.

This chart shows what each tier of Microsoft's threat protection offers:

                                        | Microsoft 365            | Office 365                 | EM+S   | Windows 10
                                        |                          | Business  | Enterprise      |        |
Feature                                 | F1 F3 BP A1 E3 ES EC E5  | Ap Ba St  | Ap F1 E1 E3 E5  | E3 E5  | Pr E3 E5
----------------------------------------+--------------------------+-----------+-----------------+--------+---------
MDO P1
  Anti-Phishing                         | -  -  X  -  -  X  -  X   | -  -  -   | -  -  -  -  X   | -  -   | -  -  -
  Anti-Spoofing                         | -  -  X  -  -  X  -  X   | -  -  -   | -  -  -  -  X   | -  -   | -  -  -
  Malware Detection                     | -  X  X  -  X  X  X  X   | X  X  X   | -  X  X  X  X   | -  -   | -  -  -
  Safe Attachments                      | -  -  X  -  -  X  -  X   | -  -  -   | -  -  -  -  X   | -  -   | -  -  -
  Safe Links                            | -  -  X  -  -  X  -  X   | -  -  -   | -  -  -  -  X   | -  -   | -  -  -
MDO P2
  Attack Simulator                      | -  -  -  -  -  X  -  X   | -  -  -   | -  -  -  -  X   | -  -   | -  -  -
  Automated Investigation and Response  | -  -  -  -  -  X  -  X   | -  -  -   | -  -  -  -  X   | -  -   | -  -  -
  Threat Intelligence                   | -  -  -  -  -  X  -  X   | -  -  -   | -  -  -  -  X   | -  -   | -  -  -
Windows 10 Pro
  Azure AD Join                         | X  X  X  X  X  X  X  X   | -  -  -   | -  -  -  -  -   | -  -   | X  X  X
  BitLocker                             | X  X  X  X  X  X  X  X   | -  -  -   | -  -  -  -  -   | -  -   | X  X  X
  Manage with Intune                    | X  X  X  X  X  X  X  X   | -  -  -   | -  -  -  -  -   | -  -   | X  X  X
  Windows Hello for Business            | X  X  X  X  X  X  X  X   | -  -  -   | -  -  -  -  -   | -  -   | X  X  X
Windows 10 E3
  Attack Surface Reduction Rules        | -  X  -  -  X  X  X  X   | -  -  -   | -  -  -  -  -   | -  -   | -  X  X
  Universal Print                       | -  X  X  -  X  X  X  X   | -  -  -   | -  -  -  -  -   | -  -   | -  X  X
  Virtualization Rights                 | -  -  -  -  X  X  X  X   | -  -  -   | -  -  -  -  -   | -  -   | -  X  X
  WD Application Control                | -  X  -  -  X  X  X  X   | -  -  -   | -  -  -  -  -   | -  -   | -  X  X
  WD Application Guard                  | -  X  -  -  X  X  X  X   | -  -  -   | -  -  -  -  -   | -  -   | -  X  X
  WD Credential Guard                   | -  X  -  -  X  X  X  X   | -  -  -   | -  -  -  -  -   | -  -   | -  X  X
  WD Device Guard                       | -  X  -  -  X  X  X  X   | -  -  -   | -  -  -  -  -   | -  -   | -  X  X
  WD Exploit Guard                      | -  X  X  -  X  X  X  X   | -  -  -   | -  -  -  -  -   | -  -   | -  X  X
  WD Remote Desktop Credential Guard    | -  X  -  -  X  X  X  X   | -  -  -   | -  -  -  -  -   | -  -   | -  X  X
  AVD                                   | -  X  X  -  X  X  X  X   | -  -  -   | -  -  -  -  -   | -  -   | -  -  -
Windows 10 E5
  Microsoft Defender for Endpoint       | -  -  -  -  -  X  -  X   | -  -  -   | -  -  -  -  -   | -  -   | -  -  X

X = included, - = not included. Column codes: BP = Business Premium; A1 = A1 *; ES = E3 + (E5 Sec); EC = E3 + (E5 Comp); Ap = Apps; Ba = Basic; St = Standard; Pr = Pro. MDO = Microsoft Defender for Office 365 (P1/P2 = Plan 1/Plan 2); WD = Windows Defender; AVD = Azure Virtual Desktop.

As the table shows, E3 and E5 are the tiers that enterprise clients who have chosen the Microsoft stack are likely to use for commercial threat protection.

Therefore, if you are developing malware, it is prudent to test against either E3 or E5; merely performing your testing (both inbound email and endpoint protection) on a Windows 10 VM without an enterprise licence will end in failure.
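Before trusting results from the lab, it is worth confirming that the test endpoint actually carries the E3/E5-row controls from the chart above rather than a consumer baseline. The following PowerShell is an added example, not code from the original post; it assumes a Windows 10/11 endpoint running Microsoft Defender and an elevated session, and the function name Get-LabProtectionStatus is my own.

```powershell
# Added example (not from the original post): confirm that a lab endpoint carries the
# E3/E5-row controls from the chart before trusting test results from it.
# Assumes Windows 10/11 with Microsoft Defender, run from an elevated PowerShell session.

function Get-LabProtectionStatus {
    $status = [ordered]@{}

    # Baseline Defender Antivirus state (all tiers): confirm the VM is not simply unprotected
    $mp = Get-MpComputerStatus
    $status['RealTimeProtection'] = $mp.RealTimeProtectionEnabled
    $status['TamperProtection']   = $mp.IsTamperProtected

    # Attack Surface Reduction rules (Windows 10 E3 row): action 1 = Block, 2 = Audit, 0 = Off
    $pref = Get-MpPreference
    $asrBlock = 0
    if ($pref.AttackSurfaceReductionRules_Actions) {
        $asrBlock = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count
    }
    $status['AsrRulesInBlockMode'] = $asrBlock

    # Credential Guard (Windows 10 E3 row): SecurityServicesRunning contains 1 when it is active
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $status['CredentialGuardRunning'] = [bool]($dg.SecurityServicesRunning -contains 1)

    # Application Guard (Windows 10 E3 row): Windows optional feature state
    $wdag = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction SilentlyContinue
    $status['ApplicationGuard'] = [bool]($wdag -and $wdag.State -eq 'Enabled')

    # Microsoft Defender for Endpoint (Windows 10 E5 row): Sense service running and OnboardingState = 1
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $onb = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
                            -Name OnboardingState -ErrorAction SilentlyContinue
    $status['MdeOnboarded'] = [bool]($sense -and $sense.Status -eq 'Running' -and $onb.OnboardingState -eq 1)

    [pscustomobject]$status
}

$result = Get-LabProtectionStatus
$result | Format-List

# A vanilla consumer VM typically reports MdeOnboarded = False and AsrRulesInBlockMode = 0; in that
# case the lab is not exercising the E3/E5 controls and its results say little about a client estate.
if (-not $result.MdeOnboarded -or $result.AsrRulesInBlockMode -eq 0) {
    Write-Warning 'Endpoint is not configured like an E3/E5-licensed enterprise endpoint.'
}
```

Run it on the lab VM after onboarding it to the trial tenant; if it still warns, the licence assignment or Intune/MDE onboarding has not actually reached the endpoint.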

This link here will allow you to deploy a full Microsoft 365 virtual lab on a free trial, to test both your implants and your inbound SMTP campaigns.

My post on implant development against Microsoft ATP (here) and this GitHub repo covering the ML in Microsoft's Exchange stack have done a lot of the heavy lifting, so you can approach both implant development and getting your phishing emails to their targets with confidence.

Happy hunting.
