A colleague asked me today “Does Microsoft Defender run itself in a sandbox by default, or does that need to be manually enabled?”

He was referring to a breakthrough feature first announced (here) two years ago (10/26/2018)

We all know Defender can detonate files in a cloud sandbox – but we are talking about Defender running *itself* (MSMPENG.EXE) inside a sandbox.

This was a big deal at the time it was announced, because Defender was the first Antivirus product to run *itself* in a sandbox. I had read reports that 30% of all malware targeted security software since it runs with such high privileges, so this was and is a very big deal.

Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event that Defender itself has vulnerabilities and becomes compromised, malicious actions are limited to the isolated environment, protecting the rest of the system from harm, since Defender runs with such high system privileges.

This feature is enabled with a machine-wide environment variable (setx /M MP_FORCE_USE_SANDBOX 1) and then restarting the machine (System requirement: Windows 10, version 1703 or later)

How can I tell if Defender is running itself in a Sandbox? Check task scheduler and if you see “CP.exe”

Sysinternals will show “App Container” 

You can also run CMD.exe followed by the SET command by itself to see if the environment variable is present:

So the question is, has Microsoft now built this into the operating system by default?

I created some fresh Win10 VM’s with Defender and did not see the CP.exe tailing process name.

So my big question is: why after two years hasn’t it been turned on by default? Is Microsoft aware of any risks or problems when this is enabled? And why is there no MEM/Intune configuration to enable this setting?

[Update: pass-the-PRT (CVE-2021-33779) has been patched in the July 13 2021 Windows 10 cumulative security patch (KB5004237)]

The Azure AD Primary Refresh Token (PRT) can be extracted using ROADtools, written by security researcher Dirk-jan Mollema and recently weaponized into Mimikatz by Benjamin Delpy.

With local Administrator privileges it becomes possible to extract the PRT and the required cryptographic material to sign in on any Azure AD connected resource with the account to which the PRT was issued. The PRT is valid for 14 days and can be used on any device in this time-frame. Any MFA claims that were assigned to the PRT remain valid as well.

It’s important to understand exactly how this attack works so that you can test your defenses against it. You should never assume that your defenses are adequate. Just like a backup is not good unless it is restored, your defenses are not good unless you test them frequently and thoroughly.

A PRT is only issued to native apps (like the full Outlook client) on Azure AD Registered, Azure AD Joined, or Hybrid Azure AD joined devices. A browser session on a workgroup machine will not receive a PRT. To learn more about how PRT’s are issued, see this article: https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token

The attacker runs a few mimikatz commands:

privilege:debug
sekurlsa::cloudap

The PRT can then be imported into Chrome as a cookie:

And this allows the attacker to sign in as the user, even if their device is not Intune compliant or Hybrid Azure AD joined.

Defending against Pass-the-PRT

There are ~15 Attack Surface Reduction Rules (ASR) in Windows 10. The following rule can be enabled in Audit or Block mode. We strongly recommend Audit mode first because Block mode may block legitimate processes that you will need to exclude before deploying this in production. On a single test machine you can run this command for audit mode:

Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions AuditMode

And this command for block mode:

Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled

And when this ASR rule is enabled, we can see that Mimikatz is unable to dump the PRT

Normally this should get logged as Event 1121 (Block) or 1122 (Audit) in the Event Viewer: Microsoft-Windows-Windows Defender/Operational

Or if you have Microsoft Defender ATP then in the Timeline view you can filter on ASR Events:

Recommendations

1. Do not grant users local administrator privileges

2. Enable Tamper Protection in Windows Defender. It is more difficult for Mimikatz to run when Defender AV is running.

3. Enable Attack Surface Reduction Rules (ASR)  to block access to LSASS.exe