The Proof is in the Pudding: EDR Configuration
Versus Ransomware
Advisor: Dr. Johannes Ullrich
Accepted: October 24, 2024
Each Endpoint Detection and Response (EDR) tool is slightly different in its
functions and operations but is similar in its goal. Can an analysis of the methodology be
completed to arm network defenders with the ability to prove the configuration of the
EDR through empirical testing of the tool? Defender for Business and Wazuh will be
deployed, and mimicked ransomware attacks will be conducted. For a simulated attack,
Akira Ransomware activity and Atomic Red Team atomic tests were mapped to MITRE
ATT&CK from TA0001: Initial Access through TA0040: Impact. Testing was performed
where Akira and the Atomic Red Team overlapped. Previous research completed by
Karantzas, G., & Patsakis, C. in 2021 and Adam Fowler in 2023 proves that EDR tools in
a default state will prevent and detect some attacks. Their research does not delve into
the configuration of the tools themselves. Looking for commonalities in EDR
configurations can increase network defenders' understanding of tool operations,
allowing for additional expertise in alert remediation.
Proof is in the Pudding: EDR Configuration versus Ransomware 2
1. Introduction
An alert from the SQL database pops up within the SIEM Security Operations
portal. Based on the deployed Endpoint Detection and Response (EDR) tool, an
automatic quarantine occurred on a machine infected with Akira Ransomware. This
action drops it off the network, preventing the spread of the ransomware. Upon accessing
the EDR console, alerts populate the console for database file extensions ending with
“.akira”. CISA published an activity alert from the #StopRansomware campaign, AA24-
109A (CISA, 2024), that briefed that Akira is ransomware that targets many businesses in
North America, Europe, and Australia for financial gain.
Often, organizations don’t realize they have gaps in security controls until it’s too
late. The blind reliance on EDR solutions deployed in a default state may not properly
alert the business to events of interest. This research will test the default deployment of
Microsoft Defender for Business (Defender), a subscription-based Endpoint Detection
and Response tool, and Wazuh, an open-source XDR and SIEM when Akira ransomware
is simulated on the victim machines. Changes will be made to the EDR systems to detect
any missed activity, and any similarities in configuration methodology will be recorded.
Endpoint Detection and Response (EDR) can be defined as a technology used to
monitor events on an endpoint. An endpoint is usually considered a laptop, desktop,
phone, or any other device that can run the software. The term was reportedly coined in
2013 by Anton Chuvakin of Gartner. Microsoft defines an EDR solution as “a cybersecurity
technology that continuously monitors endpoints for evidence of threats and performs
automatic actions to help mitigate them” (Microsoft Security, 2024). EDR solutions log
and analyze system behavior using multiple vectors
such as system log analysis, malware signature, and user behavior analysis. Based on
Microsoft Defender for Business documentation, the following manual actions are
available: Run an antivirus scan, Isolate the device, Stop and quarantine a file, and Add
an indicator to block or allow a file.
Out of the box, EDRs are configured to detect or block only some attacks. Publishing a
database or list of the attacks blocked would release trade secrets and would make it
easier for threat actors to bypass the tool if they knew which activity creates which
alerts. Organizations deploying the EDR must do so in a way that ensures the security
goals of the business are met. Regardless of vendor, can a common EDR configuration
methodology be applied across alerts or block known payloads? This research works to
determine if there are commonalities between the chosen EDR tools that allow for any
configuration best practices to be created to assist with the intervention of the threat
activity. This research will investigate the default configuration of EDRs and what
configuration changes result in successfully detecting and blocking these payloads. If
there are commonalities between the configuration of the platforms, then some vendor-
agnostic guidance can be published to assist with mitigating known payload types.
1. Testing Structure
A few requirements need to be met to understand if there is a common
configuration methodology for EDRs such as selecting and installing the EDRs on test
machines, defining threat actor activity, and executing the activity. Finally, the results of
the detections need to be recorded, and modifications to the EDRs must be made. This
can be accomplished on a single target machine through the usage of a threat actor
activity testing framework like Atomic Red Team. This will allow MITRE mapped
threat activity to be executed on the target system, mimicking a threat actor.
1.1. Endpoint Detection and Response Tools
There are many options within the EDR space. The EDR choices for this research
were focused on targeted solutions for small and medium businesses. Defender for
Business was selected as the top choice for Microsoft endpoint security solutions for up
to 300 employees (Chrisda, 2024). Microsoft Defender for Business is a simple-to-deploy
security product with an immense documentation portal. Defender is an agent-based,
cloud-native security suite built into Windows products; Defender for Business also has
agents available for the other major operating systems, macOS and Linux. An open-source
comparison point was desired, and Wazuh was chosen as a well-known open-source
cybersecurity platform used by multiple Fortune 500 companies, as shown in
Figure 1.
Figure 1: Wazuh Homepage
Wazuh provides a security monitoring solution for threat detection, integrity
monitoring, incident response, and compliance in a simple-to-deploy agent-based
package.
Given Microsoft Defender's compatibility with Windows, Linux, and macOS, Microsoft
Defender for Business was chosen as the Microsoft product that offers the most coverage
for minimal cost to the organization. As an open-source option,
Wazuh was chosen for ease of deployment and similar operation to Windows Defender
for Business with a unified XDR and SIEM platform. Based on Wazuh’s website, it is
used by Cisco, eBay, NASA, Home Depot, SalesForce, and Walgreens, among others.
This shows that some large multi-national networks use this system to handle the
business's Endpoint Detection and Response.
1.1.1. EDR Operation
Computer programs operate within one of two areas: userland and the kernel. In most
instances, EDR system event capture occurs at the boundary between userland and the
kernel. Most EDRs intercept the functions that userland code sends to the kernel through
a hook. The hook redirects execution to another function using a jump instruction; the
original function is said to be “hooked,” and the call's instructions pass through the
EDR modules for inspection. Each EDR vendor has uniquely defined which functions to hook,
and these hooked functions undergo inspection of sequencing, context, parameters, and
other system calls before being passed to the kernel for execution.
1.2. Microsoft Defender for Business
Defender is fully integrated into the Windows operating system from the
beginning, unlike most other EDR tools. The Microsoft 365 Defender Portal at
“security.microsoft.com” provides security analysts and security engineers with a
centralized location for system event logging and alert aggregation. The reports and
dashboards can also provide data visualization, incident hunting, and security response.
According to the Microsoft Defender for Endpoint Architecture documentation,
the endpoint sensors gather events from Threat and Vulnerability, Attack Surface
reduction, Exploit Protection, hardware-based isolation, application control, Network
Protection, Firewall, Browser Protection, Next-gen AV Protection, EDR behavioral
sensors, EDR response controller and update service (Chrisda, 2024). Microsoft Defender
for Business can collect sample files and provide isolation from the network; however, all
these controls are not enabled out-of-the-box on each sensor deployment, and some may
require additional subscriptions.
There is no published list or database of alerting for Microsoft Defender for
Business. However, Microsoft maintains an Indicators of Attack (IOA) dictionary within
each tenant, including heuristics, behavioral rules, machine learning, and anomaly
detection. These capabilities, supplemented with the Microsoft cyber threat intelligence
integration, create a product that can leverage the global data pool to locate anomalies
and apply those detections across all tenants, bolstering all customers’ endpoint defenses.
1.3. Wazuh
Wazuh XDR and SIEM have a multipart configuration, since the platform is a SIEM built
from the Wazuh server, indexer, and dashboard, although these may live on the
same device. The Wazuh manager is responsible for providing data analysis and
alerts. There are multiple methods by which alerts may be passed to the
analysts. Wazuh’s data ingestion is built on the Elastic stack using a Filebeat to ship data
from the Manager to the Indexer for indexing and storage. The final piece is the Wazuh
Dashboard, where prebuilt and custom queries can be written to pull the relevant data to
the analysts.
Figure 2: Wazuh Data Flow
The Wazuh agent is deployed to the source devices from the web console with an
automatically generated command to download the agent. Wazuh offers Windows, Mac
OS, Solaris, AIX, HP-UX, and Linux agents (Wazuh, 2024). The operating system agent
compatibility coverage and being free, open-source software make it a strong
competitor in the market. However, like many open-source packages, it will require
human resourcing to deploy, test, and maintain proper alerting.
1.4. Akira Ransomware
Arriving on the ransomware scene in March 2023, Akira is a ransomware strain that uses
compromised credentials to access VPNs for initial access and then uses public tools
and techniques for lateral movement and discovery (MITRE, 2024). This ransomware
strain was chosen because of its relevance at the time of this testing. As of September 2024,
Akira is continuing operations impacting multiple business sectors. MITRE associates
the Threat Actors Gold Sahara and Punk Spider with this ransomware. Additionally,
within the Atomic Red Team tests is an atomic, T1486 test 10, that drops 100 files with
random content and the “.akira” extension. From MITRE reporting, Akira is known to use
the following techniques (MITRE, 2024):
| ID | Name | Use |
|---|---|---|
| T1531 | Account Access Removal | Akira deletes administrator accounts in victim networks before the encryption. |
| T1560.001 | Archive Collected Data: Archive via Utility | Akira uses utilities such as WinRAR to archive data before exfiltration. |
| T1486 | Data Encrypted for Impact | Akira encrypts files in victim environments as part of ransomware operations. |
| T1213.002 | Data from Information Repositories: Sharepoint | Akira has accessed and downloaded information stored in SharePoint instances as part of data gathering and exfiltration activity. |
| T1482 | Domain Trust Discovery | Akira uses the built-in Nltest utility or tools such as AdFind to enumerate Active Directory trusts in victim environments. |
| T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Akira will exfiltrate victim data using applications such as Rclone. |
| T1133 | External Remote Services | Akira uses compromised VPN accounts for initial access to victim networks. |
| T1657 | Financial Theft | Akira engages in double-extortion ransomware, exfiltrating files then encrypting them, to prompt victims to pay a ransom. |
| T1219 | Remote Access Software | Akira uses legitimate utilities such as AnyDesk and PuTTy for maintaining remote access to victim environments. |
| T1018 | Remote System Discovery | Akira uses software such as Advanced IP Scanner and MASSCAN to identify remote hosts within victim networks. |
| T1078 | Valid Accounts | Akira uses valid account information to remotely access victim networks, such as VPN credentials. |
Based on this report, the techniques chosen to test the EDRs are listed in Appendix
A. Only the tactics used by Akira ransomware were used to define the atomic tests, to
provide comprehensive technique coverage. TA0010: Exfiltration had no atomic tests
defined that applied to Akira activity, so this tactic was untested.
1.5. Atomic Red Team
Atomic Red Team is a tool maintained by Red Canary that contains a library of
commands and software mapped to the MITRE ATT&CK Framework to be used by
security teams to quickly and reproducibly test their systems (Canary, 2024). These tests
are executed through a PowerShell framework maintained by Red Canary,
Invoke-AtomicRedTeam. Atomic tests span many different MITRE tactics and
techniques and are continually updated, allowing atomic tests contributed by others to be
executed. Atomic tests can be written by anyone and imported into the
Invoke-AtomicRedTeam testing framework. This keeps the database of available tests
growing and relevant with updated techniques and tests.
1.6. Experiment Structure
Target hosts must be chosen, and a testing methodology must be selected. This
test was completed in a virtual lab through VMware Workstation Pro 17 using a
default-configuration Windows 11 [10.0.22621.2506 (WinBuild.160101.0800)] host and a
Windows Server 2022 [10.0.20348.2031 (WinBuild.160101.0800)] host for Microsoft
Defender and Wazuh. Before testing, all hosts were updated to the latest default patches.
Figure 3: Testing Environment Map
Configuring Microsoft Defender for Business was a relatively easy process. A
requirement to test Microsoft Defender for Business was the creation of a Microsoft
tenant, built with two test users. During the build process, a target user,
[email protected], signed in to the Windows 11 Defender testing
host. This connection allows the Windows 11 Defender policies to become managed by
Microsoft Intune and through the “security.microsoft.com” portal. When these steps
were completed, the agent was deployed to the Windows 11 Defender testing host. The
agent for the Windows 2022 Server Defender testing host was downloaded from the
Microsoft website and installed manually through the executable. After the installation
of the Defender agent on the Server, the security.microsoft.com portal was reviewed to
ensure both endpoints were connected and had policies deployed.
The Wazuh deployment consisted of downloading the Wazuh server OVA from
Wazuh’s site and deploying it into the lab environment using default configurations. After
the server build, agents could be downloaded from the Wazuh dashboard by clicking
“Add Agents”. The agents were added through a PowerShell command generated by the
Wazuh Dashboard. Once the Wazuh agents were deployed, the Wazuh service needed to
be started on each machine. By default, Windows Defender was still enabled, but it
needed to be disabled. This was done through the Windows Security GUI. During
testing, it was noted that Defender was still active and required manual intervention to
disable the product completely.
For Atomic Red Team test execution and the creation of “attacker” activity, this
testing will consist of Atomic Red Team atomics being executed through the Invoke-
Atomic framework. The Atomic Red Team tool consists of a GitHub repository
maintained by Red Canary (https://github.com/redcanaryco/atomic-red-team) that is
organized into MITRE ATT&CK Technique folders containing “atomic” tests consisting
of a markdown (MD) file and a YAML file. The atomic tests can be executed manually
by copying the relevant commands and code and modifying the input variables as needed.
Alternatively, they may be executed semi-automatically through the Invoke-
AtomicRedTeam framework. The Invoke-AtomicRedTeam framework is a GitHub
repository (https://github.com/redcanaryco/invoke-atomicredteam) containing a
PowerShell-based execution framework that interprets the YAML code from the atomic
tests and performs those actions on the target host. To effectively test the detection
capability of EDR tools, the execution of the atomics will require administrative
permissions from a PowerShell shell. Based upon the knowledge of Akira's activity and
the desire for a comprehensive set of tests to gauge the alerting of Defender for Business
and Wazuh on both a Windows 11 host and a Server 2022 host, atomics from each phase of
the MITRE ATT&CK Enterprise framework were chosen.
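The procedure described in this section (run the selected atomics with elevated rights, record what each EDR showed, then clean up) can be scripted so that every execution window is timestamped and the operator's observation is captured in the same X / 1 / popup legend the result figures use. The harness below is an added example; it is not code from the paper or from Red Canary. It assumes Invoke-AtomicRedTeam is installed in its default location (C:\AtomicRedTeam), that the session is an elevated PowerShell session, and it uses the framework's real `Invoke-AtomicTest` parameters (`-TestNumbers`, `-ShowDetailsBrief`, `-GetPrereqs`, `-Cleanup`). The technique and test numbers are taken from the paper's own selection (T1059 test 17, T1047 tests 1 and 9, and the T1486 test 10 that drops ".akira" files).

```powershell
# Added example, not from the paper or from Red Canary: run chosen atomics one at a
# time, timestamp each execution window and record the operator's observation so
# the CSV can be lined up against the Defender or Wazuh alert timeline afterwards.
# Assumes the default Invoke-AtomicRedTeam install path and an elevated session.
Import-Module 'C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1' -Force

# Technique / test-number pairs taken from the paper's Akira mapping.
$TestPlan = @(
    [pscustomobject]@{ Technique = 'T1059'; TestNumbers = @('17') }       # PowerShell Command Execution
    [pscustomobject]@{ Technique = 'T1047'; TestNumbers = @('1', '9') }   # WMI recon of users, WMI execute rundll32
    [pscustomobject]@{ Technique = 'T1486'; TestNumbers = @('10') }       # drops 100 files with the ".akira" extension
)

$OutFile = Join-Path $env:USERPROFILE "atomic-results-$($env:COMPUTERNAME).csv"
$Results = @()

foreach ($Entry in $TestPlan) {
    foreach ($TestNumber in $Entry.TestNumbers) {
        # Show what is about to run and fetch anything the atomic depends on.
        Invoke-AtomicTest $Entry.Technique -TestNumbers $TestNumber -ShowDetailsBrief
        Invoke-AtomicTest $Entry.Technique -TestNumbers $TestNumber -GetPrereqs

        # Timestamp the window so console alerts can be matched to this run.
        $Start = Get-Date
        Invoke-AtomicTest $Entry.Technique -TestNumbers $TestNumber
        $End = Get-Date

        # The operator records the outcome the same way the paper's figures do.
        $Outcome = Read-Host "Result for $($Entry.Technique)-$TestNumber (X = success, 1 = failed, * = could not run)"
        $Popup   = Read-Host 'EDR popup shown on the host? (y/n)'

        # Undo the atomic's changes so the next test starts from a clean host.
        Invoke-AtomicTest $Entry.Technique -TestNumbers $TestNumber -Cleanup

        $Results += [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            Technique = $Entry.Technique
            Test      = $TestNumber
            Start     = $Start.ToString('o')   # ISO 8601, easy to compare with console timestamps
            End       = $End.ToString('o')
            Result    = $Outcome
            Popup     = $Popup
        }
    }
}

$Results | Export-Csv -Path $OutFile -NoTypeInformation
$Results | Format-Table -AutoSize
```

Running the same script on each of the four hosts produces one CSV per host with identical columns, which is what makes the Defender and Wazuh results directly comparable and lets a later configuration change be re-tested against the same plan.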
2. Findings and Discussion
To effectively test the EDR’s response to activity mimicking Akira ransomware, the
experiment needs to be set up to closely follow the known Tactics, Techniques, and
Procedures for Akira. To test the configurations, Akira activity was mapped to the
MITRE ATT&CK framework through the MITRE Navigator, then Atomic Red Team
tests were overlayed, and the tactics with both MITRE Akira activity and InvokeAtomic
tests were selected. If a technique was used across multiple tactics, then the test
execution took place in the earliest available tactic.
The following sections are structured to follow the MITRE ATT&CK framework and
review the tests executed along with activity seen from the default EDR configuration.
Both Defender for Business and Wazuh capture low-level system event data that is
searchable within the consoles of each tool. Defender for Business requires navigating
the Web console to locate low-level alerts or event details. Wazuh provides a Security
Event and Incident Monitoring (SIEM) solution, which is required to deploy the EDR
agent. Both structures are far better than any antivirus or endpoint detection solution that
keeps logs locally, as threat actors will delete them to cover their tracks (MITRE 2023).
2.1. TA0001: Initial Access
Initial Access is the tactic threat actors use to gain a foothold in an environment and
focus on the users. The techniques covered within this Tactic are T1566: Phishing,
T1078.001: Valid Accounts: Default Accounts, and T1078.003 Valid Accounts: Local
Accounts. Akira has been known to leverage compromised accounts through single-
factor logins (username and password) to gain access to organizations (Secureworks,
2023). Figure 4 provides an overview of the testing conclusions from the Initial Access
atomic tests.
Legend: 1 = Failed, X = Success, EDR Popup

| Tactic and Test: TA0001: Initial Access | Defender: Windows 11 | Defender: Server 2022 | Wazuh: Windows 11 | Wazuh: Server 2022 |
|---|---|---|---|---|
| T1566: Phishing | | | | |
| Atomic Test 1: Download Macro-Enabled Phishing Attachment | X | X | X | X |
| Atomic Test 2: Word spawned a command shell and used an IP address in the command line | X | X | X | X |
| T1078.001: Valid Accounts: Default Accounts | | | | |
| Atomic Test 1: Enable Guest account with RDP capability and admin privileges | X | X | X | X |
| Atomic Test 2: Activate Guest Account | X | X | X | X |
| T1078.003: Valid Accounts: Local Accounts | | | | |
| Atomic Test 1: Create local account with admin privileges | X | X | X | X |
| Atomic Test 6: WinPwn - Loot local Credentials - PowerShell kittie | 1 | 1 | 1 | 1 |
| Atomic Test 7: WinPwn - Loot local Credentials - Safetykatz | 1 | 1 | 1 | 1 |
| Atomic Test 13: Use PsExec to elevate to NT Authority\SYSTEM account | X | X | X | X |

Figure 4: TA0001: Initial Access Results
Within the Initial Access tactic, the testing results were the same across all hosts: none
of the activity was prevented except for looting local credentials, which was blocked by the
antivirus because the script contained malicious content.
{$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th
1s ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by
your antivirus software.
+ CategoryInfo : ParserError: (:) [],
ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent
This blocking alert even happened on the Wazuh targets. This shows that
Windows Defender was not fully disabled, even when configured to a disabled state.
2.2. TA0002: Execution
According to MITRE, “Execution consists of techniques that result in adversary-
controlled code running on a local or remote system” (MITRE, 2019). Within the
Execution tactic, the following techniques were tested: T1059: Command and Scripting
Interpreter, T1106: Native API, and T1047: Windows Management Instrumentation
(WMI). Akira is known to execute PowerShell commands to delete system volume
shadow copies, such as:
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
(Andres, 2024).
Figure 5 provides a summary of the tests executed to test the Execution tactic.
Legend: 1 = Failed, X = Success, EDR Popup

| Tactic and Test: TA0002: Execution | Defender: Windows 11 | Defender: Server 2022 | Wazuh: Windows 11 | Wazuh: Server 2022 |
|---|---|---|---|---|
| T1059: Command and Scripting Interpreter | | | | |
| Atomic Test 4: Mimikatz - Cradlecraft PsSendKeys | 1 | 1 | 1 | 1 |
| Atomic Test 8: Powershell invoke mshta.exe download | 1 | 1 | 1 | 1 |
| Atomic Test 17: PowerShell Command Execution | X | X | X | X |
| Atomic Test 18: PowerShell Invoke Known Malicious Cmdlets | 1 | 1 | 1 | 1 |
| T1106: Native API | | | | |
| Atomic Test 1: Execution through API - CreateProcess | X | X | X | X |
| Atomic Test 3: WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique | 1 | 1 | 1 | 1 |
| Atomic Test 4: WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique | 1 | 1 | 1 | 1 |
| Atomic Test 5: Run Shellcode via Syscall in Go | X | X | X | X |
| T1047: Windows Management Instrumentation | | | | |
| Atomic Test 1: WMI Reconnaissance Users | X | X | X | X |
| Atomic Test 2: WMI Reconnaissance Processes | X | X | X | X |
| Atomic Test 3: WMI Reconnaissance List software | X | X | X | X |
| Atomic Test 4: WMI Reconnaissance List Remote Services | X | X | X | X |
| Atomic Test 5: WMI Execute Local Process | X | X | X | X |
| Atomic Test 7: Create a Process using WMI Query and an Encoded Command | X | X | X | X |
| Atomic Test 9: WMI Execute rundll32 | 1 | 1 | 1 | 1 |

Figure 5: Execution Results
Within this set of tests, the WMI Execute rundll32 atomic test consistently created
alerts for all of the EDR products from the following command:
wmic /node:127.0.0.1 process call create "rundll32.exe
\"/Users/b/AtomicRedTeam/atomics\..\ExternalPayloads\calc.dll\"
StartW"
Outside of this, the WMI reconnaissance of users on the Windows 11 Defender target
created a Windows Defender popup, as it did for all hosts, including the Wazuh hosts.
2.3. TA0003: Persistence
According to the CISA alert AA24-109A, Akira will use Mimikatz and LaZagne to
access system credentials (CISA, 2024). This is tested through T1003.001: OS Credential
Dumping: LSASS Memory. Mechanisms of persistence vary between threat actors;
however, operating system credentials will always be a target of threat actors for both
persistence and privilege escalation. Figure 6 provides the results of the Persistence
atomic testing.
Legend: 1 = Failed, X = Success, EDR Popup

| Tactic and Test: TA0003: Persistence | Defender: Windows 11 | Defender: Server 2022 | Wazuh: Windows 11 | Wazuh: Server 2022 |
|---|---|---|---|---|
| T1003.001: OS Credential Dumping: LSASS Memory | | | | |
| Atomic Test 2: Dump LSASS.exe Memory using comsvcs.dll | 1 | 1 | 1 | 1 |
| Atomic Test 9: Create Mini Dump of LSASS.exe using ProcDump | 1 | 1 | 1 | 1 |
| Atomic Test 10: Powershell Mimikatz | 1 | 1 | 1 | 1 |
| Atomic Test 11: Dump LSASS with createdump.exe from .Net v5 | 1 | 1* | 1* | 1* |
| Atomic Test 12: Dump LSASS.exe using imported Microsoft DLLs | X | 1 | 1 | 1 |
| Atomic Test 13: Dump LSASS.exe using lolbin rdrleakdiag.exe | 1 | 1 | 1 | 1 |

Figure 6: Persistence Results
Only the Windows 11 Defender host had .NET v5 installed, which prevented Atomic Test 11
from executing on all the other hosts. This tactic had the highest concentration of popup
alerts on the hosts. There was a single successful execution, on the Windows 11 Defender
host, for Atomic Test 12: Dump LSASS.exe using imported Microsoft DLLs.
2.4. TA0004: Privilege Escalation
Akira will use T1055: Process Injection, like Conti, by injecting a dll into memory and
executing it. Tests for Go process injection were chosen due to the pervasiveness of
Cobalt Strike within the threat actor and penetration testing community.
Legend: 1 = Failed, X = Success, EDR Popup

| Tactic and Test: TA0004: Privilege Escalation | Defender: Windows 11 | Defender: Server 2022 | Wazuh: Windows 11 | Wazuh: Server 2022 |
|---|---|---|---|---|
| T1055: Process Injection | | | | |
| Atomic Test 2: Remote Process Injection in LSASS via mimikatz | 1 | 1 | 1 | 1 |
| Atomic Test 3: Section View Injection | X | X | X | X |
| Atomic Test 6: Process Injection with Go using UuidFromStringA WinAPI | X | X | X | X |
| Atomic Test 7: Process Injection with Go using EtwpCreateEtwThread WinAPI | 1 | X | X | X |
| Atomic Test 8: Remote Process Injection with Go using RtlCreateUserThread WinAPI | 1 | X | 1 | 1 |
| Atomic Test 9: Remote Process Injection with Go using CreateRemoteThread WinAPI | 1 | 1 | 1 | 1 |
| Atomic Test 10: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively) | 1 | 1 | 1 | 1 |
| Atomic Test 11: Process Injection with Go using CreateThread WinAPI | X | X | X | X |
| Atomic Test 12: Process Injection with Go using CreateThread WinAPI (Natively) | 1 | X | X | X |
| Atomic Test 13: UUID custom process Injection | X | X | X | X |

Figure 7: Privilege Escalation Results
The process injection tests had a split result for test success. There were two (2)
popups on the Windows 11 Defender target. There were a few commonalities in the
testing failures across all hosts: Atomic Test 9: Remote Process Injection with Go using
CreateRemoteThread WinAPI and Atomic Test 10: Remote Process Injection with Go
using CreateRemoteThread WinAPI (Natively). A reliable success across all systems was
the UUID custom process injection.
2.5. TA0005: Defense Evasion
There are many techniques that ransomware uses to evade defenses. Akira’s
techniques, as reported by Qualys, are disabling Windows Defender, registry
modifications, and disabling antivirus and EDR using Terminator (Pradhan, 2024).
Typically, ransomware strains use payload encoding and encryption to prevent
inspection by antivirus tools and EDR software, then use T1140: Deobfuscate/Decode
Files or Information at payload runtime. Malware uses T1027: Obfuscated Files or
Information to prevent payload inspection by antivirus and EDR software. Akira will
disable or kill the Antivirus or EDR tools T1562.001: Impair Defenses: Disable or
Modify Tools (CISA, 2024). Figure 8 provides the summary of the detections for
Defense Evasion.
Legend: 1 = Failed, X = Success, EDR Popup

| Tactic and Test: TA0005: Defense Evasion | Defender: Windows 11 | Defender: Server 2022 | Wazuh: Windows 11 | Wazuh: Server 2022 |
|---|---|---|---|---|
| T1140: Deobfuscate/Decode Files or Information | | | | |
| Atomic Test 1: Deobfuscate/Decode Files Or Information | X | X | X | X |
| T1027: Obfuscated Files or Information | | | | |
| Atomic Test 2: Execute base64-encoded PowerShell | X | X | X | X |
| Atomic Test 3: Execute base64-encoded PowerShell from Windows Registry | X | X | X | X |
| Atomic Test 7: Obfuscated Command in PowerShell | X | X | X | X |
| T1562.001: Impair Defenses: Disable or Modify Tools | | | | |
| Atomic Test 13: AMSI Bypass - AMSI InitFailed | 1 | 1 | 1 | 1 |
| Atomic Test 14: AMSI Bypass - Remove AMSI Provider Reg Key | X | X | X | X |
| Atomic Test 29: Kill antimalware protected processes using Backstab | 1 | X | X | X |

Figure 8: Defense Evasion Results
Removing the Antimalware Scan Interface (AMSI) provider Registry key worked
across all hosts to impair the defenses in scanning for malware to protect against dynamic
script-based malware. Killing the anti-malware protected processes using Backstab also
worked across multiple hosts with no popup except for the Windows 11 Defender host.
2.6. TA0006: Credential Access
Akira has been reported to use Mimikatz, with the capability to scrape operating
system credentials, to Steal or Forge Kerberos Tickets. According to FBI and open-
source reporting, Akira threat actors leverage post-exploitation attack techniques, such as
Kerberoasting, to extract credentials stored in the process memory of the Local Security
Authority Subsystem Service (LSASS) [T1003.001] (CISA, 2024).
Legend: 1 = Failed, X = Success, EDR Popup

| Tactic and Test: TA0006: Credential Access | Defender: Windows 11 | Defender: Server 2022 | Wazuh: Windows 11 | Wazuh: Server 2022 |
|---|---|---|---|---|
| T1558: Steal or Forge Kerberos Tickets | | | | |
| Atomic Test 1: Crafting Active Directory golden tickets with mimikatz | 1* | 1* | 1* | 1* |

Figure 9: Credential Access Results
Crafting Active Directory golden tickets for all hosts generated an access denied
error within the PowerShell window except for the Windows 11 Defender host, which
generated a popup alert from Defender for Business. Within each host, the PowerShell
window was forcefully closed with the following error:
Exception calling "Start" with "0" argument(s): "Access is
denied"
At
C:\Users\Administrator\Documents\WindowsPowerShell\Modules\Invoke
-AtomicRedTeam\2.1.0\Private\Invoke
-Process.ps1:45 char:17
+ $process.Start() > $null
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [],
MethodInvocationException
+ FullyQualifiedErrorId : Win32Exception
2.7. TA0007: Discovery
For ransomware to be effective, multiple types of discovery need to be
leveraged. Akira would want to look for information on the following: where it can
spread within the network, what files exist on each machine, what processes for backup
or security exist, and whether there are any network shares to encrypt. The techniques
tested for TA0007: Discovery were T1083: File and Directory Discovery, T1135: Network
Share Discovery, T1057: Process Discovery, T1049: System Network Connections
Discovery, and T1018: Remote System Discovery. Each of these test results is outlined
in Figure 10, below.
Legend: 1 = Failed, X = Success, EDR Popup

| Tactic and Test: TA0007: Discovery | Defender: Windows 11 | Defender: Server 2022 | Wazuh: Windows 11 | Wazuh: Server 2022 |
|---|---|---|---|---|
| T1083: File and Directory Discovery | | | | |
| Atomic Test 2: File and Directory Discovery (PowerShell) | X | X | X | X |
| Atomic Test 5: Simulating MAZE Directory Enumeration | X | X | X | X |
| T1135: Network Share Discovery | | | | |
| Atomic Test 5: Network Share Discovery PowerShell | X | X | X | X |
| Atomic Test 6: View available share drives | X | X | X | X |
| T1057: Process Discovery | | | | |
| Atomic Test 3: Process Discovery - Get-Process | X | X | X | X |
| Atomic Test 4: Process Discovery - get-wmiObject | X | X | X | X |
| Atomic Test 5: Process Discovery - wmic process | X | X | X | X |
| Atomic Test 8: Process Discovery - PC Hunter | X | 1 | 1 | 1 |
| T1049: System Network Connections Discovery | | | | |
| Atomic Test 1: System Network Connections Discovery | X | X | X | X |
| Atomic Test 2: System Network Connections Discovery with PowerShell | X | X | X | X |
| T1018: Remote System Discovery | | | | |
| Atomic Test 1: Remote System Discovery - net | 1* | 1* | 1* | 1* |
| Atomic Test 2: Remote System Discovery - net group Domain Computers | 1* | 1* | 1* | 1* |
| Atomic Test 10: Adfind - Enumerate Active Directory Computer Objects | 1* | 1* | 1* | 1* |

Figure 10: Discovery Results
The only activity that alerted was the PC Hunter activity, which caused an alert from just
starting the PC Hunter executable from the Temp folder:
Start-Process -FilePath
"C:\Temp\ExternalPayloads\PCHunter_free\PChunter64.exe"
Configuring a domain was outside of the scope of this test, so there was no domain
configured, causing the T1018: Remote System Discovery activity to be unsuccessful as
there were no additional machines to discover.
2.8. TA0008: Lateral Movement
Lateral movement within a network leverages any known networking protocol that can
move data between machines. These known networking paths are possible abuse paths for
Akira. Testing the alerting for T1021.001: Remote Services: Remote Desktop Protocol
(RDP) and T1021.002: Remote Services: SMB/Windows Admin Shares covers two common
enterprise networking protocols. The atomic test results are shown in Figure 11.
EDR Popup: 1 = Failed, X = Success

| Tactic and Test (TA0008: Lateral Movement) | Defender Windows 11 | Defender Server 2022 | Wazuh Windows 11 | Wazuh Server 2022 |
|---|---|---|---|---|
| T1021.001: Remote Services: Remote Desktop Protocol | | | | |
| Atomic Test 2: Changing RDP Port to Non-Standard Port via PowerShell | X | X | X | X |
| Atomic Test 4: Disable NLA for RDP via Command Prompt | X | X | X | X |
| T1021.002: Remote Services: SMB/Windows Admin Shares | | | | |
| Atomic Test 1: Map admin share | X | 1 | 1 | 1 |
| Atomic Test 2: Map Admin Share PowerShell | X | X | X | X |

Figure 11: Lateral Movement Results
Using SMB to map the administrative share failed through Command Prompt,
cmd.exe /c "net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator"
but mapping the share worked through PowerShell,
New-PSDrive -name g -psprovider filesystem -root \\Target\C$
on every machine except Windows 11 with Defender.
2.9. TA0009: Collection
Once a ransomware strain has identified data to exfiltrate, it uses a compression
mechanism such as T1560: Archive Collected Data to shrink the data size. Compressing
data prior to exfiltration is a very common activity; however, the mere existence of
compression tools is not an indicator of malicious activity. Figure 12 contains the
testing results for the Collection atomics.
EDR Popup: 1 = Failed, X = Success

| Tactic and Test (TA0009: Collection) | Defender Windows 11 | Defender Server 2022 | Wazuh Windows 11 | Wazuh Server 2022 |
|---|---|---|---|---|
| T1560: Archive Collected Data | | | | |
| Atomic Test 1: Compress Data for Exfiltration With PowerShell | 1 | 1 | 1 | 1 |
| Atomic Test 2: Compress Data and lock with password for Exfiltration with winrar | X | 1 | 1 | 1 |

Figure 12: Collection Results
These tests failed in every instance. To complete T1560 Atomic Test 2, WinRAR was
downloaded manually, and that activity was successful only on the Windows 11 Defender
target.
2.10. TA0011: Command and Control
According to Arctic Wolf, Akira Command and Control activity is performed through
AnyDesk (Campbell, 2023). Akira uses T1219: Remote Access Software, in the form of
the ordinary administrative remote management tool AnyDesk, to control other machines
and spread the ransomware across the network, so this atomic was chosen to test the
download and installation process. These testing results are summarized in Figure 13.
EDR Popup: 1 = Failed, X = Success

| Tactic and Test (TA0011: Command and Control) | Defender Windows 11 | Defender Server 2022 | Wazuh Windows 11 | Wazuh Server 2022 |
|---|---|---|---|---|
| T1219: Remote Access Software | | | | |
| Atomic Test 2: AnyDesk Files Detected Test on Windows | X | X | X | X |

Figure 13: Command & Control Results
Across all targets, the free edition of AnyDesk could be installed and executed. No full
connection to another computer was made through AnyDesk, as that was outside the scope of this test.
2.11. TA0010: Exfiltration
Akira threat actors use a “double extortion model” (CISA, 2024) in which business
data is exfiltrated by the threat actors prior to the encryption of the environment. Then, the
threat actors threaten to release the sensitive information if the ransom is unpaid. Not
only will an organization have to deal with the recovery from a ransomware attack, but
it will also need to be concerned with the reputational damage caused by the release of
data. T1567: Exfiltration Over Web Service is a required step in the double
extortion scheme that Akira uses. There were no Atomic Red Team tests for this
technique, so it was untested (Figure 14).
Window Popup: 1 = Failed, X = Success

| Tactic and Test (TA0010: Exfiltration) | Defender Windows 11 | Defender Server 2022 | Wazuh Windows 11 | Wazuh Server 2022 |
|---|---|---|---|---|
| T1567: Exfiltration Over Web Service | | | | |
| *No Atomic Tests | N/A | N/A | N/A | N/A |

Figure 14: Exfiltration Results
2.12. TA0040: Impact
The final technique in the Akira ransomware would be T1486: Data Encrypted for
Impact, where the files are encrypted with a “.akira” extension and a ransom note is
left. Akira uses a “hybrid encryption scheme to lock the data. Combining a
ChaCha20 stream cipher with RSA public-key cryptosystem for speed and secure key
exchange” (CISA, 2024). For T1490: Inhibit System Recovery, the threat actor
deletes the Volume Shadow Copies through PowerShell and stops the backup services
(T1489: Service Stop) to hamper system recovery. Finally, Akira removes or changes
the administrative passwords to slow restoration efforts. The results of the Impact testing
are shown in Figure 15.
Window Popup: 1 = Failed, X = Success

| Tactic and Test (TA0040: Impact) | Defender Windows 11 | Defender Server 2022 | Wazuh Windows 11 | Wazuh Server 2022 |
|---|---|---|---|---|
| T1486: Data Encrypted for Impact | | | | |
| Atomic Test 5: PureLocker Ransom Note | X | X | X | X |
| Atomic Test 10: Akira Ransomware drop Files with .akira Extension and Ransomnote | 1 | 1 | 1 | 1 |
| T1490: Inhibit System Recovery | | | | |
| Manual Test: powershell.exe -Command "Get-WmiObject Win32_Shadowcopy \| Remove-WmiObject" | X | X | X | X |
| T1531: Account Access Removal | | | | |
| Atomic Test 2: Delete User - Windows | X | X | X | X |
| T1489: Service Stop | | | | |
| Atomic Test 1: Windows - Stop service using Service Controller | X | X | X | X |
| Atomic Test 2: Windows - Stop service using net.exe | X | X | X | X |
| Atomic Test 3: Windows - Stop service by killing process | X | X | X | X |

Figure 15: Impact Results
The only alerted activity within this Tactic was dropping the Akira files and the
ransom note. All other techniques within this Tactic were successful.
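The lateral-movement and impact commands above (admin-share mapping, shadow-copy deletion, service stops, user deletion) ran without an alert on most or all targets. The following Python, added here and not part of the paper or of either tool, shows how a small set of command-line rules for those exact commands would score each host in the 1/X legend of Figures 11 and 15; the host names and Sysmon-style events are constructed.

```python
"""Added example, not the paper's or either tool's code: command-line detection rules
for the lateral-movement and impact commands that ran without an alert in the tests."""
import re
from collections import defaultdict

# (technique, description, pattern over the process command line). Patterns follow
# the command lines the paper quotes and the named Atomic Red Team tests; service,
# host and user names are wildcards so the rules are not tied to the lab values.
RULES = [
    ("T1021.002", "admin share mapped with net use",
     re.compile(r"\bnet(?:\.exe)?\s+use\s+\\\\[^\s\\]+\\[A-Za-z]\$", re.I)),
    ("T1021.002", "admin share mapped with New-PSDrive",
     re.compile(r"New-PSDrive\b.*-root\s+\\\\[^\s\\]+\\[A-Za-z]\$", re.I)),
    ("T1490", "shadow copies removed through WMI",
     re.compile(r"Win32_Shadowcopy.*Remove-WmiObject", re.I)),
    ("T1489", "service stopped with sc.exe or net.exe",
     re.compile(r"\b(?:sc|net)(?:\.exe)?\s+stop\s+\S+", re.I)),
    ("T1489", "service process killed with taskkill",
     re.compile(r"\btaskkill(?:\.exe)?\b.*/im\s+\S+", re.I)),
    ("T1531", "local user deleted with net user",
     re.compile(r"\bnet(?:\.exe)?\s+user\s+\S+\s+/delete", re.I)),
]


def detect(events):
    """Return (host, technique, description) for every event matching a rule."""
    hits = []
    for ev in events:
        for technique, desc, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["host"], technique, desc))
    return hits


def result_matrix(events, hosts):
    """Per technique and host: '1' if a rule fired (the test failed) or 'X' if the
    command ran unmatched (the test succeeded), the legend used in the figures."""
    fired = defaultdict(set)
    for host, technique, _ in detect(events):
        fired[technique].add(host)
    techniques = sorted({t for t, _, _ in RULES})
    return {t: {h: "1" if h in fired[t] else "X" for h in hosts} for t in techniques}


# Constructed Sysmon-style process-creation events for two hypothetical targets.
SAMPLE_EVENTS = [
    {"host": "WIN11", "cmdline": r'cmd.exe /c "net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator"'},
    {"host": "SRV2022", "cmdline": r"New-PSDrive -name g -psprovider filesystem -root \\Target\C$"},
    {"host": "WIN11", "cmdline": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"host": "SRV2022", "cmdline": "sc.exe stop spooler"},
    {"host": "SRV2022", "cmdline": "taskkill /f /im spoolsv.exe"},
    {"host": "WIN11", "cmdline": "net user atomicuser /delete"},
    {"host": "WIN11", "cmdline": "Get-Process"},                        # benign
    {"host": "SRV2022", "cmdline": r"net use Z: \\fileserver\public"},  # benign, not an admin share
]

if __name__ == "__main__":
    for technique, row in result_matrix(SAMPLE_EVENTS, ["WIN11", "SRV2022"]).items():
        print(technique, row)
```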
3. Recommendations and Implications
From the research above, it is proven that Defender for Business provides a base level of
alerting, whereas Wazuh requires much more time to set up and tune and does not alert on
known TTPs unless configured to do so. Often, configuration time is one of the main
differences between a paid product and open-source software. Security teams should
uncover the gaps in alerting and prevention by testing the deployment and configuration
of security tools. The choice of paid versus open-source, however, is made by each
organization to determine which path is right for it. Organizations need to know what
tactics the alerting structures cover across all tools. Creating a MITRE-mapped testing
framework ensures that any gaps are uncovered and that long-term decisions for the
security of the organization’s data can be made.
3.1. Recommendations
For security professionals, testing deployments of tools is the only way to ensure
appropriate alert severity and alert flow. This can be done in many ways; however,
the team must ensure the method is repeatable and that the tests apply a standard
methodology across all tools. Atomic Red Team should not be used just for testing
endpoint tools. Within this framework, there is a reliance on downloaded tools for
certain atomics; network security controls would catch these downloads.
Invoke-AtomicRedTeam contains tests focused on DNS and other network activity that
were not executed during this testing.
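A repeatable method needs the same scoring step after every run: match each executed test to the alerts the EDR raised on that host within a short window, and list the techniques that alerted nowhere. The Python below is an added example, not the paper's tooling; the execution-log columns, host names, times and alert export are constructed and only approximate the shape of an Invoke-AtomicRedTeam execution log.

```python
"""Added example, not the paper's code: correlate an Atomic Red Team execution log with
exported EDR alerts to produce the 1 = Failed / X = Success matrix used in the figures."""
import csv
import io
from datetime import datetime, timedelta

# Constructed execution log; column names are assumed and should be adapted to the
# real export. Test number 0 is used here for the paper's manual tests.
EXEC_LOG = """\
Execution Time (UTC),Technique,Test Number,Test Name,Hostname
2024-09-01T10:00:00,T1057,8,Process Discovery - PC Hunter,WIN11-DEF
2024-09-01T10:05:00,T1057,8,Process Discovery - PC Hunter,SRV22-DEF
2024-09-01T10:10:00,T1490,0,Manual Test: remove shadow copies,WIN11-DEF
2024-09-01T10:15:00,T1490,0,Manual Test: remove shadow copies,SRV22-DEF
"""

# Constructed alert export from the EDR console: (time UTC, host, ATT&CK technique).
ALERTS = [
    ("2024-09-01T10:00:40", "WIN11-DEF", "T1057"),
    ("2024-09-01T10:06:10", "SRV22-DEF", "T1057"),
    ("2024-09-01T11:30:00", "WIN11-DEF", "T1490"),  # far too late to belong to the test
]

WINDOW = timedelta(minutes=5)  # how long after the test start an alert still counts


def correlate(exec_log, alerts, window=WINDOW):
    """Return {(technique, test number): {host: '1' | 'X'}}: '1' when an alert for the
    same host and technique arrived within `window` of the test start (test failed),
    'X' when none did (test succeeded), matching the paper's legend."""
    matrix = {}
    for row in csv.DictReader(io.StringIO(exec_log)):
        start = datetime.fromisoformat(row["Execution Time (UTC)"])
        key = (row["Technique"], int(row["Test Number"]))
        host = row["Hostname"]
        alerted = any(
            h == host and t == row["Technique"]
            and start <= datetime.fromisoformat(ts) <= start + window
            for ts, h, t in alerts
        )
        matrix.setdefault(key, {})[host] = "1" if alerted else "X"
    return matrix


def gaps(matrix):
    """Tests that produced no alert on any host: the configuration gaps to tune first."""
    return sorted(k for k, hosts in matrix.items() if all(v == "X" for v in hosts.values()))


if __name__ == "__main__":
    result = correlate(EXEC_LOG, ALERTS)
    for key, hosts in result.items():
        print(key, hosts)
    print("gaps:", gaps(result))
```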
Ensuring the Endpoint Detection and Response tool is operating effectively
requires reviewing the alerts created, along with their severity, in combination
with the response capability the tool provides. One of the powers of an EDR tool is
the ability to automatically quarantine devices that show suspicious activity. This
can mean the difference between incident response after encryption and simply
providing a single user with a new machine because their previous one was infected
with malware.
3.2. Implications for Future Research
As threats to organizations continue to evolve and as threat actors continue the
development of EDR bypasses, defenders should be working on testing security tools to
provide advanced alerting of emergent activity. To facilitate this, the defensive security
community should develop information-sharing mechanisms to collaborate on detection
rules. There have been some attempts through GitHub to provide YARA rules, but none
have received the security community buy-in to become the single source of data for
these rules. Due to timing and testing constraints, this testing was completed with
standalone target machines and should be repeated with a domain-joined workstation and
server.
4. Conclusion
The two tools, Microsoft Defender for Business and Wazuh, perform similar
functions although they go about their jobs in completely different ways. Between the
two tools, after simulating Akira threat actor activity, no similar configuration
methodology was identified. Microsoft Defender for Business does not allow any
customization of the pre-built ruleset to change the severity of alerts. Administrators
have control over the policies for exclusions but not the exact rules or the severity of
the alerting from the security.microsoft.com portal. When this solution is implemented,
the agent is downloaded and integrated into the Microsoft Defender console, and events
from the machine are ingested. Microsoft is responsible for updating the detections and
uses its immense dataset to hunt for activity.
Wazuh, on the other hand, provides an immense ability for customization using
simple config file construction and YARA rules for security detections. This provides
immense extensibility at the expense of ease of deployment. A more advanced
administrator would need to configure this product due to the amount of command-line
administration needed. No matter which tool is chosen, testing of the tool should be
performed to ensure the EDR is operating correctly. Secondly, it provides an opportunity
for the security teams to understand what alerting for specific activity will look like.
Finally, it provides an opportunity to review and verify the configured alerting for any
known threat actor tactics that would interest the organization.
References
Andres, J., & Vieda, B. (2024, May 2). A spotlight on Akira Ransomware from X-Force Incident Response and Threat Intelligence. Security Intelligence. https://securityintelligence.com/x-force/spotlight-akira-ransomware-x-force/
Campbell, S. (2023, November 3). Conti and Akira: Chained together. Arctic Wolf. https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/
Red Canary. (n.d.). About Atomic Red Team. Atomic Red Team. https://atomicredteam.io/atomic-red-team/
Chrisda. (n.d.). What is Microsoft Defender for Business? Microsoft Learn. https://learn.microsoft.com/en-us/defender-business/mdb-overview
CISA. (2024, April 18). #StopRansomware: Akira Ransomware. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
Dale, C. (2021, November). Endpoint Detection and Response: Are We There Yet? SANS Information Security White Papers. https://www.sans.org/white-papers/endpoint-detection-response-there-yet/
Denisebmsft. (2024, April 24). Overview of endpoint detection and response capabilities - Microsoft Defender for Endpoint. Microsoft Learn. https://learn.microsoft.com/en-us/defender-endpoint/overview-endpoint-detection-response
Microsoft Security. (2024). What is EDR? Endpoint detection and response. Microsoft Security. https://www.microsoft.com/en-us/security/business/security-101/what-is-edr-endpoint-detection-response
MITRE. (2019, July 19). Execution, Tactic TA0002 - Enterprise. MITRE ATT&CK®. https://attack.mitre.org/tactics/TA0002/
Fowler, A. (2023). Who Needs a Pentest: Validating the Configuration of an EDR Solution Using the MITRE ATT&CK Framework. SANS Information Security White Papers. https://sansorg.egnyte.com/dl/GzeRcuHWuC
Karantzas, G., & Patsakis, C. (2021). An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Attack Vectors. Journal of Cybersecurity and Privacy, 1(3), 387–421. https://doi.org/10.3390/jcp1030021
MITRE. (2023, April 11). Indicator Removal, Technique T1070 - Enterprise. MITRE ATT&CK®. https://attack.mitre.org/techniques/T1070/
MITRE. (2024, February 20). Akira, GOLD SAHARA, PUNK SPIDER, Group G1024. MITRE ATT&CK®. https://attack.mitre.org/groups/G1024/
Pradhan, A. (2024, October 2). Threat brief: Understanding Akira ransomware. Qualys Security Blog. https://blog.qualys.com/vulnerabilities-threat-research/2024/10/02/threat-brief-understanding-akira-ransomware
Secureworks. (n.d.). Gold Sahara. https://www.secureworks.com/research/threat-profiles/gold-sahara
Wazuh. (2024, September 5). Installation guide. Wazuh Documentation. https://documentation.wazuh.com/current/installation-guide/index.html
Appendix
List of Atomic Test Technical Tests Executed
TA0001: Initial Access
T1566: Phishing
Atomic Test 1: Download Macro-Enabled Phishing Attachment
Atomic Test 2: Word spawned a command shell and used an IP address in the command line
T1078.001: Valid Accounts: Default Accounts
Atomic Test 1: Enable Guest account with RDP capability and admin privileges
Atomic Test 2: Activate Guest Account
T1078.003: Valid Accounts: Local Accounts
Atomic Test 1: Create local account with admin privileges
Atomic Test 6: WinPwn - Loot local Credentials - PowerShell kittie
Atomic Test 7: WinPwn - Loot local Credentials - Safetykatz
Atomic Test 13: Use PsExec to elevate to NT Authority\SYSTEM account
TA0002: Execution
T1059: Command and Scripting Interpreter
Atomic Test 4: Mimikatz - Cradlecraft PsSendKeys
Atomic Test 8: Powershell invoke mshta.exe download
Atomic Test 17: PowerShell Command Execution
Atomic Test 18: PowerShell Invoke Known Malicious Cmdlets
T1106: Native API
Atomic Test 1: Execution through API - CreateProcess
Atomic Test 3: WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique
Atomic Test 4: WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique
Atomic Test 5: Run Shellcode via Syscall in Go
T1047: Windows Management Instrumentation
Atomic Test 1: WMI Reconnaissance Users
Atomic Test 2: WMI Reconnaissance Processes
Atomic Test 3: WMI Reconnaissance List software
Atomic Test 4: WMI Reconnaissance List Remote Services
Atomic Test 5: WMI Execute Local Process
Atomic Test 7: Create a Process using WMI Query and an Encoded Command
Atomic Test 9: WMI Execute rundll32
TA0003: Persistence
T1078: Valid Accounts
Previously Tested
T1003.001: OS Credential Dumping: LSASS Memory
Atomic Test 2: Dump LSASS.exe Memory using comsvcs.dll
Atomic Test 9: Create Mini Dump of LSASS.exe using ProcDump
Atomic Test 10: Powershell Mimikatz
Atomic Test 11: Dump LSASS with createdump.exe from .Net v5
Atomic Test 12: Dump LSASS.exe using imported Microsoft DLLs
Atomic Test 13: Dump LSASS.exe using lolbin rdrleakdiag.exe
Manual Test: rundll32.exe c:\Windows\System32\comsvcs.dll, MiniDump ((Get-Process lsass).Id) C:\windows\temp\lsass.dmp full
TA0005: Defense Evasion
T1140: Deobfuscate/Decode Files or Information
Atomic Test 1: Deobfuscate/Decode Files Or Information
T1027: Obfuscated Files or Information
Atomic Test 2: Execute base64-encoded PowerShell
Atomic Test 3: Execute base64-encoded PowerShell from Windows Registry
Atomic Test 7: Obfuscated Command in PowerShell
T1055: Process Injection
Previously Tested
T1078: Valid Accounts
Previously Tested
T1562.001: Impair Defenses: Disable or Modify Tools
Atomic Test 13: AMSI Bypass - AMSI InitFailed
Atomic Test 14: AMSI Bypass - Remove AMSI Provider Reg Key
Atomic Test 29: Kill antimalware protected processes using Backstab
TA0006: Credential Access
T1558: Steal or Forge Kerberos Tickets
Atomic Test 1: Crafting Active Directory golden tickets with mimikatz
TA0007: Discovery
T1083: File and Directory Discovery
Atomic Test 2: File and Directory Discovery (PowerShell)
Atomic Test 5: Simulating MAZE Directory Enumeration
T1135: Network Share Discovery
Atomic Test 5: Network Share Discovery PowerShell
Atomic Test 6: View available share drives
T1057: Process Discovery
Atomic Test 3: Process Discovery - Get-Process
Atomic Test 4: Process Discovery - get-wmiObject
Atomic Test 5: Process Discovery - wmic process
Atomic Test 8: Process Discovery - PC Hunter
T1049: System Network Connections Discovery
Atomic Test 1: System Network Connections Discovery
Atomic Test 2: System Network Connections Discovery with PowerShell
T1018: Remote System Discovery
Atomic Test 1: Remote System Discovery - net
Atomic Test 2: Remote System Discovery - net group Domain Computers
Atomic Test 10: Adfind - Enumerate Active Directory Computer Objects
TA0008: Lateral Movement
T1021.001: Remote Services: Remote Desktop Protocol
Atomic Test 2: Changing RDP Port to Non Standard Port via Powershell
Atomic Test 4: Disable NLA for RDP via Command Prompt
T1021.002: Remote Services: SMB/Windows Admin Shares
Atomic Test 1: Map admin share
Atomic Test 2: Map Admin Share PowerShell
*T1080: Taint Shared Content
*No Atomic Tests
TA0009: Collection
T1560: Archive Collected Data
Atomic Test 1: Compress Data for Exfiltration With PowerShell
Atomic Test 2: Compress Data and lock with password for Exfiltration with winrar
*T1213: Data from Information Repositories
*No Atomic Tests
TA0011: Command and Control
T1219: Remote Access Software
Atomic Test 2: AnyDesk Files Detected Test on Windows
TA0010: Exfiltration
T1567: Exfiltration Over Web Service
*No Atomic Tests
TA0040: Impact
T1486: Data Encrypted for Impact
Atomic Test 5: PureLocker Ransom Note
Atomic Test 10: Akira Ransomware drop Files with .akira Extension and Ransomnote
T1490: Inhibit System Recovery
Manual Test: powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
T1531: Account Access Removal
Atomic Test 2: Delete User - Windows
T1489: Service Stop
Atomic Test 1: Windows - Stop service using Service Controller
Atomic Test 2: Windows - Stop service using net.exe
Atomic Test 3: Windows - Stop service by killing process