On part 1 of this series i went through the configuration of the new Windows Defender ATP service, in this blog post i will move forward and try a demo attack and how its analyzed in the ATP portal.

For more Info please check Part 1


The main goal of this article is to understand how the attacks are reported and how to analyze and move through the ATP portal. Microsoft did a good job and provided a Do IT Yourself (DIY) document for any user who is undergoing ATP trial. These are safe Scenarios with no harm to test and explore the functionality of ATP (Only to be used on test environments)

So based on this DIY attack scenario document, the attack sequence is as follows:

  1. User will receive a link in the email (Typical type of attack) that will ask him to download a normal word file. This “Fake” word document has a bad fake macro that drops malicious executable file on your machine.                                                                                                                                                                                                                                                         Few points to consider here is that the attacker will search on the best user who can click this link without hesitation. The attacker need to target specific profile users who won’t take security seriously. The number one source to get this information on your users, their interests is the social media as LinkedIn and Facebook. User might be huge football fan and the whole document/process will be geared towards this interest (Targeted attacks). A very nice tool that can help you in scanning each and every link in your email is the Office 365 Advanced Threat Protection which is different that the Defender ATP as i explained in my first blog.                                                                              
  2. This executable will open a backdoor that allows the attacker to run commands on the victim machine. In our test scenario (Microsoft DIY document) it will open Power Shell.                                                                
  3. Last step will be running couple of reconnaissance commands, copying few files and getting some system info to complete the scenario. In real life scenarios this can be wiping your hard disk or encrypting it (Ransomware)
So in our case i received the file, opened it and its done, the executable will run and session will be open with the attacker server and i am completely hacked.
So let us take a look on the ATP Portal dashboard after simulating the attack.

An active alert is displayed showing that a Right to Left Override technique is used. Right to left is an encoding mechanism for those who writes from Right to Left as the Arabic Language, the problem is that you can use this method to hide something bad and show it in another state. In our case the malware was hidden in this file and using this technique it was shown to users as word file which they didn’t suspect and opened it.

For more info on the RLO, please check the below link


You can click on this warning which will dive in more details on how this attack occurred and how it was triggered on the user machine and which applications were used……..etc

This will give you more info on the attack and how it was triggered on the user, starting by getting it from outlook.exe, then opening the email and clicking on the attachment which opened the word file with the malware that loaded the powershell. This is a complete detailed tree of the attack process using the RLO technique.

We can also check the machines and open this suspected machines to check other event as shown below:

The machine view will display all attacks, warnings and event on this machine. Other stages of our attack scenario is listed here. The RLO technique, Hiding files, running suspicious Power shell and running some commands (The whole picture)

Of course you can configure the ATP to send you email alerts once these attacks are listed and reported.

One important thing to note about Windows Defender ATP is that its an EDR product (Endpoint Detection and Response). Its a behavior based and it takes some time to detect these attacks that other real time protection tools as Antivirus, Firewalls……..etc.

Detection will vary based on the complexity of the attack. If its a simple attack it will be displayed on the ATP portal in no time. If its very complex it will take some time before it show up on the portal as it need more time for analysis.

ATP team is working hard on improving this accuracy and adding integration to other services as Office 365 and Microsoft ATA solution.

I would highly recommend going on a trial and checking this nice solution. The industry average standard to detect a breach without EDR is 146 days so definitely detecting them in few hours using ATP will add more defense to your current environment.

Hope this post was helpful and enjoy your ATP trial.