[Bug]: MDE / EDR blocks executing this script/function. This morning it was working fine. This evening it's blocked.
hardinxcore opened this issue · 6 comments
Hey, and thanks for submitting this. I can't reproduce it, but without more information, probably the tool is trying to save logs in %system32% due to the elevated execution init. Please note that Monkey365 is designed to work in a non-elevated PowerShell session. Could you please try again? Also, it would be great if you could share the code which is causing the exception.
More information regarding log naming convention here:
https://silverhack.github.io/monkey365/logging/File/
thanks
After installing Monkey365 I executed these lines:

```powershell
# MS365: SharePoint Online assessment, also collecting Azure AD data
$param = @{
    Instance                    = 'Office365';
    Analysis                    = 'SharePointOnline';
    PromptBehavior              = 'SelectAccount';
    IncludeAzureActiveDirectory = $true;
    #ExportTo = 'PRINT';
    #ExportTo = 'CLIXML,EXCEL,CSV,JSON,HTML';
    ExportTo                    = 'HTML';
}
$assets = Invoke-Monkey365 @param

# Azure: all subscriptions in the given tenant
$param = @{
    Instance          = 'Azure';
    Analysis          = 'All';
    PromptBehavior    = 'SelectAccount';
    #subscriptions = 'x-x-x-x-x';
    all_subscriptions = $true;
    TenantID          = 'x-x-x-x-x';
    #ExportTo = 'PRINT';
    #ExportTo = 'CLIXML,EXCEL,CSV,JSON,HTML';
    ExportTo          = 'HTML';
}
$assets = Invoke-Monkey365 @param
```
Hi. Could you please test it in other environments, such as a new PowerShell console? More information is needed, for example the EDR log. The tool is not reading any raw keystroke data and is not hooking any API calls on the system. Also, the tool is heavily tested on multiple OSes, with multiple configurations and AV solutions, and for that reason I think that it could be a false positive.
Thanks
Hi @hardinxcore, is there any update on this?
Thanks in advance
I have to find time to run this within a VM without MDE running. I hope to do this on Monday.
My Win11 laptop with MDE is still blocking this.
Hi @hardinxcore, thanks for the quick response. It's really appreciated.
I was able to reproduce the issue with EDR. In my specific lab, apart from Invoke-MonkeyLogger, there were some files detected as potentially malicious, as shown below:
So I would recommend marking these files as a false positive, as these functions are designed to perform internal tasks, such as converting GUIDs to names, logging utilities to forward logs to Teams or Slack, or HTML utilities to convert metadata to tables.
I can confirm that it's a false positive in Microsoft Defender. Feel free to analyze the source code or to send files to MS for review.
More information regarding false/true positives in Microsoft Defender is shown here:
Thanks,
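A pre-flight check that ties the two recommendations in this thread together: confirm the console is not elevated before running Invoke-Monkey365 (per the first reply), and pull the Defender detection history for files under the installed Monkey365 module so the flagged functions can be reviewed or submitted to Microsoft (per the last reply). This is an added example, not code from the issue or from the Monkey365 project. It assumes the module is installed somewhere on PSModulePath under the name `Monkey365`, that the Windows Defender cmdlets `Get-MpThreatDetection` and `Get-MpThreat` are available, and the function names `Test-IsElevated` and `Get-Monkey365DefenderDetections` are hypothetical.

```powershell
# Added example (not part of the original issue or the Monkey365 project).
# Assumes: Monkey365 installed on PSModulePath; Defender cmdlets available.

function Test-IsElevated {
    # True when the current token holds the built-in Administrators role,
    # i.e. the console was started with "Run as administrator".
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-Monkey365DefenderDetections {
    # Locate the module on disk; fail early if it is not installed.
    $module = Get-Module -Name Monkey365 -ListAvailable | Select-Object -First 1
    if (-not $module) { throw 'Monkey365 module not found on PSModulePath.' }
    $moduleBase = $module.ModuleBase

    # Map ThreatID -> ThreatName once so each detection can be labelled.
    $threatNames = @{}
    foreach ($t in (Get-MpThreat -ErrorAction SilentlyContinue)) {
        $threatNames[[string]$t.ThreatID] = $t.ThreatName
    }

    $results = foreach ($d in (Get-MpThreatDetection -ErrorAction SilentlyContinue)) {
        foreach ($res in $d.Resources) {
            # Resources are strings such as "file:_C:\path\to\file.ps1";
            # strip the "<type>:_" prefix to get the plain path.
            $path = $res -replace '^[A-Za-z]+:_', ''
            if ($path -like "$moduleBase*") {
                # SHA-256 is what a file-submission form or an EDR
                # indicator/allow-list entry will ask for.
                $hash = if (Test-Path -LiteralPath $path) {
                    (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                } else { '<file removed or quarantined>' }

                [pscustomobject]@{
                    Detected   = $d.InitialDetectionTime
                    ThreatName = $threatNames[[string]$d.ThreatID]
                    Process    = $d.ProcessName
                    File       = $path
                    Sha256     = $hash
                }
            }
        }
    }
    return $results
}

# Usage: warn if elevated, then list Defender hits under the module folder.
if (Test-IsElevated) {
    Write-Warning 'Elevated session: Monkey365 is designed to run non-elevated; use a normal PowerShell console for the scan.'
}
Get-Monkey365DefenderDetections | Sort-Object Detected | Format-Table -AutoSize
```

Note the tension a practitioner will hit: the scan itself should run non-elevated, but on many hosts the Defender detection query only returns data from an elevated console, so run the detection listing separately as an administrator and keep the Invoke-Monkey365 call in a standard session. The `Sha256` column is what to hand over when filing a false-positive submission or when an administrator creates an allow indicator in MDE, so the exception is scoped to the exact flagged files rather than to a folder or to PowerShell as a whole.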