Coercing Machine Accounts Through Microsoft Defender for Endpoint

Khushal

Apr 4, 2024
Your EDR just coerced itself. 🫠
Drop a crafted LNK → MsSense.exe makes a CreateFile call → machine account hands over its Net-NTLMv2 hash over WebDAV → relay to LDAP → Shadow Credentials or RBCD.

No user interaction. No exotic exploit. Just vibes and a shortcut file.

If you're running Microsoft Defender for Endpoint, this one is literally about you. 👀
Full attack + detection breakdown 👇
Executive Summary
The provided telemetry demonstrates a technique to weaponize Microsoft Defender for Endpoint (MDE) by dropping a crafted .LNK file pointing to an external WebDAV share.

Confirmed Fact
When MDE automatically scans the file, it is coerced into leaking the machine's NTLM hash, which is subsequently relayed to a Domain Controller to inject rogue Shadow Credentials.

Assessment
This constitutes a severe bypass of EDR defenses, turning a security control into a privileged credential leak vector within Active Directory environments.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1187
Forced Authentication

T1558
Steal or Forge Kerberos Tickets (via Shadow Credentials)

T1564.004
Hide Artifacts: NTFS File Attributes (LNK manipulation)

CVE Profile
N/A [Design Flaw] | CISA KEV Status: Inactive.

Telemetry & Artifacts

Process
"MsSense.exe" (MDE Sensor) making outbound DNS requests.

Process
rundll32.exe invoking C:\windows\system32\davclnt.dll,DavSetCookie with a target containing @80 (WebDAV).

AD Attribute
Modification of "msDS-KeyCredentialLink" on the target user/machine object.

Assessment constraint
The execution vector was simulated manually. In a real-world scenario the .LNK file would be hosted on a network share or delivered inside an archive, so that the scan is triggered as soon as the file is written to disk.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Authorize an immediate review of Active Directory LDAP signing policies.

DETECT (DE) – Monitoring & Analysis

Command
Deploy SIEM query for Windows Security Event ID 5136 where Attribute equals "msDS-KeyCredentialLink".

Command
Deploy Sysmon Event ID 1 query for rundll32.exe command lines containing @80 and davclnt.dll.

Command
Deploy Sysmon Event ID 22 query for "MsSense.exe" initiating unexpected external DNS lookups.
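The three DETECT rules above, expressed as runnable detection logic over a handful of constructed Sysmon and Windows Security event records. This is an added example, not code from the original post or from Microsoft: the dict field names follow the Sysmon EID 1/22 and Security EID 5136 layouts but are assumptions to map onto your own SIEM schema, the DNS suffix allowlist is a placeholder to be filled from your baseline, and the final correlation step (both endpoint-side signals on one host) goes slightly beyond the post's three individual queries.

```python
"""Detection rules for the MDE / WebDAV coercion chain (added example, not from the post).

Event records are simplified dicts modelled on Sysmon EID 1 (process create),
Sysmon EID 22 (DNS query) and Security EID 5136 (directory object modified).
Field names are assumptions; adapt them to your SIEM's schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str
    record_id: int
    computer: str
    detail: str


# Rule 1 (Sysmon EID 1): rundll32 driving the WebDAV mini-redirector via
# davclnt.dll,DavSetCookie against a host@80 / host@443 / host@SSL target.
WEBDAV_TARGET = re.compile(r"\S+@(?:80|443|SSL)\b", re.IGNORECASE)


def rule_rundll32_webdav(ev):
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    if not image.endswith("\\rundll32.exe"):
        return None
    if "davclnt.dll" in cmd.lower() and WEBDAV_TARGET.search(cmd):
        return Alert("rundll32_webdav", ev["RecordId"], ev["Computer"], cmd)
    return None


# Rule 2 (Sysmon EID 22): MsSense.exe resolving a name outside the expected
# service domains. Placeholder allowlist; populate it from your own baseline.
EXPECTED_DNS_SUFFIXES = (".microsoft.com", ".windows.com")


def rule_mssense_dns(ev):
    if ev.get("EventID") != 22:
        return None
    if not ev.get("Image", "").lower().endswith("\\mssense.exe"):
        return None
    qname = ev.get("QueryName", "").lower().rstrip(".")
    if qname.endswith(EXPECTED_DNS_SUFFIXES):
        return None
    return Alert("mssense_dns", ev["RecordId"], ev["Computer"], qname)


# Rule 3 (Security EID 5136): directory object modified, attribute msDS-KeyCredentialLink.
def rule_keycredentiallink(ev):
    if ev.get("EventID") != 5136:
        return None
    if ev.get("AttributeLDAPDisplayName", "").lower() != "msds-keycredentiallink":
        return None
    return Alert("keycredentiallink_modified", ev["RecordId"], ev["Computer"],
                 ev.get("ObjectDN", ""))


RULES = (rule_rundll32_webdav, rule_mssense_dns, rule_keycredentiallink)


def run_rules(events):
    """Apply every rule to every event; return the alerts in event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


def correlate(alerts):
    """Hosts where both endpoint-side signals fired: the chain, not a lone artefact."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a.computer].add(a.rule)
    return sorted(h for h, rules in by_host.items()
                  if {"rundll32_webdav", "mssense_dns"} <= rules)


# Constructed sample telemetry (not real captures): WS01 shows the full chain,
# WS02 shows a benign rundll32 use, DC01 logs the attribute write.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\system32\davclnt.dll,DavSetCookie 10.0.0.5@80 http://10.0.0.5@80/share/"},
    {"RecordId": 2, "EventID": 22, "Computer": "WS01",
     "Image": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe",
     "QueryName": "attacker-host.example.net"},
    {"RecordId": 3, "EventID": 22, "Computer": "WS01",
     "Image": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe",
     "QueryName": "sensor-gateway.microsoft.com"},   # placeholder "expected" name
    {"RecordId": 4, "EventID": 5136, "Computer": "DC01",
     "ObjectDN": "CN=WS01,CN=Computers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"RecordId": 5, "EventID": 1, "Computer": "WS02",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    found = run_rules(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] record={a.record_id} host={a.computer} {a.detail}")
    print("hosts with the full endpoint chain:", correlate(found))
```

Rule 3 fires on the domain controller's log, so it is correlated separately from the endpoint pair; in practice the ObjectDN of the 5136 event (here the WS01 computer object) is the pivot back to the coerced host.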

RESPOND (RS) – Mitigation & Containment:

Command
Block outbound WebDAV (TCP 80/443 pointing to unknown external IP spaces) and outbound SMB (TCP 445) at the perimeter firewall.

RECOVER (RC) – Restoration & Trust

Command
Purge unauthorized "msDS-KeyCredentialLink" attributes from compromised Active Directory objects.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop:

Command
Enforce LDAP Signing and LDAP Channel Binding on all Domain Controllers to neutralize NTLM relay attacks.

Command
Implement the Protected Users Security Group for high-value administrative accounts.

Remediation - THE HOME USER TRACK (Safety Focus)

Note
The primary attack vector (Active Directory Relay via MDE) is structurally incompatible with standalone Home environments. Threat Level is Theoretical/Low.

Priority 1: Safety

Command
No emergency disconnection required. Windows Home does not natively utilize Enterprise AD attributes.

Priority 2: Identity

Command
Ensure your Microsoft Account uses a strong, unique password with hardware-backed MFA or authenticator app enabled.

Priority 3: Persistence

Command
Navigate to Settings > Privacy & security > Windows Security and ensure Real-time Protection remains active. Do not disable Defender, as the demonstrated attack targets Enterprise domains, not standalone workstations.

Hardening & References

Baseline

CIS Microsoft Windows Server 2022 Benchmark (Ensure 'Network security: LDAP client signing requirements' is set to 'Require signing').

Framework
NIST CSF 2.0 (PR.AC-01: Identity and credential management).

Reference
Microsoft Advisory on NTLM Relay mitigation and the configuration of LDAP Channel Binding.

Source

Coercing Machine Accounts Through Microsoft Defender for Endpoint
For regular users, the recommendation is to keep strong passwords, enable MFA (Multi-Factor Authentication), and never disable real-time protection in Defender or whichever antivirus you use. This way you cover the most important bases: secure credentials, double verification, and active defense against threats.🔑🛡️