
Modern Attack Chains on Endpoints

3-4 hours · Module 0 · Free
What you already know

Section 0.1 established why each generation of endpoint security fails against specific attack techniques — from signature AV missing fileless execution to XDR requiring configuration beyond defaults. This section maps a complete attack chain through all its phases and shows which endpoint security control interrupts each phase. When you understand the chain, you understand why each control exists and what happens when one is missing.

Scenario

Your SOC analyst opens a Defender XDR incident. The alert says "suspicious PowerShell activity." The analyst sees one process event. What the analyst cannot see, because no control generated an alert at the earlier phase, is that this PowerShell execution is Phase 2 of a seven-phase attack chain that started with a phishing email 20 minutes earlier. By the time the PowerShell alert fires, the attacker already has code execution, is about to establish persistence, and will dump credentials within the hour. The single alert is a symptom. The chain is the disease.

How a modern attack chain flows through the endpoint

A modern targeted attack against an M365 E5 environment with default endpoint security follows a predictable seven-phase chain. Each phase exploits a specific gap in the unconfigured stack, and each phase has a specific control that interrupts it, if that control is actually deployed and enforced.

Phase 1 — Initial Access. The attack starts with a phishing email containing a malicious attachment (macro-enabled document, HTML smuggling payload, ISO container with an embedded LNK file) or a link to a credential harvesting page. At Northgate Engineering, CHAIN-ENDPOINT used an HTML smuggling payload that delivered an ISO file. The user mounted the ISO and double-clicked the LNK file inside. This bypassed Mark of the Web: at the time, files inside a mounted ISO did not inherit the Zone.Identifier alternate data stream from the container, so SmartScreen and Office Protected View never saw the payload as downloaded content. (Microsoft's November 2022 Windows update propagates MOTW into ISO and IMG contents, so on patched systems this particular bypass no longer works; it is still worth checking which of your builds carry that update.) The endpoint security controls that interrupt initial access: ASR rules blocking Office applications from creating child processes and blocking JavaScript and VBScript from launching downloaded executable content; network protection blocking connections to known malicious domains; SmartScreen blocking downloads from untrusted sources. At NE, none were in block mode. The payload delivered without interference.

Phase 2 — Execution. The LNK file launched mshta.exe to execute an HTA payload, which launched PowerShell with an encoded command that downloaded and executed the Cobalt Strike stager in memory; the beacon then ran inside rundll32.exe, Cobalt Strike's default spawn-to process. Signed Windows binaries in sequence (explorer, mshta, PowerShell, rundll32) and zero standalone executables on disk. The controls that interrupt execution: ASR rules blocking Win32 API calls from Office macros (for the macro variant of this chain) and blocking execution of potentially obfuscated scripts; AMSI scanning script content before the engine runs it; AV cloud-delivered protection analyzing the PowerShell behavior; WDAC, which in this chain matters less for blocking unsigned executables (there were none) than for putting PowerShell into Constrained Language Mode, which denies the .NET reflection the AMSI bypass depends on, and for blocking mshta.exe through the Microsoft recommended block rules. At NE, AMSI was enabled at default and caught the simplest obfuscation, but the stager used a reflection-based AMSI bypass that patched amsi.dll in memory before loading the actual payload. The execution succeeded.

Phase 3 — Persistence. The Cobalt Strike operator created a scheduled task using schtasks.exe /create that runs at user logon, executing a PowerShell command to re-download and re-inject the beacon. A second mechanism used a registry run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to an encoded PowerShell command. Both use legitimate Windows mechanisms. The controls that interrupt persistence: the ASR rule blocking persistence through WMI event subscriptions (which covers the third common mechanism, not these two). EDR detection alerting on scheduled task creation from unusual parent processes and on run key modifications by scripting engines. The telemetry those detections are built on: Sysmon Event IDs 12 and 13 (registry object create/delete and value set) with full command-line detail, Windows Security event 4698 for task creation where Other Object Access auditing is enabled, and in Defender the DeviceProcessEvents and DeviceRegistryEvents tables. At NE, no ASR rules protecting against persistence were in block mode, Sysmon was not deployed, and no custom detection rule existed for anomalous scheduled task creation.
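A worked custom detection for this phase, added here as an example; it is not part of the original page and not one of Microsoft's built-in rules. It unions the two persistence mechanisms from the walkthrough: schtasks.exe /create launched from a scripting engine, and a Run or RunOnce value written by a scripting engine that points at an interpreter. The engine and interpreter lists are assumptions to tune for your environment, and the output carries Timestamp, DeviceId and ReportId because a saved custom detection rule requires those three columns.

```kql
// Added example: persistence established by scripting engines (scheduled tasks and Run keys).
// Engine and interpreter lists are assumptions; extend them for your environment.
let ScriptingEngines = dynamic(["powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                                "mshta.exe", "rundll32.exe", "regsvr32.exe"]);
let Interpreters = dynamic(["powershell", "pwsh", "mshta", "wscript", "cscript",
                            "rundll32", "regsvr32", "cmd.exe"]);
// Mechanism 1: schtasks.exe /create whose parent is a scripting engine and whose
// task action itself runs an interpreter (the re-download-and-inject pattern)
let TaskCreate = DeviceProcessEvents
    | where FileName =~ "schtasks.exe" and ProcessCommandLine has "/create"
    | where InitiatingProcessFileName in~ (ScriptingEngines)
    | where ProcessCommandLine has_any (Interpreters)
    | extend Mechanism = "ScheduledTask", Detail = ProcessCommandLine;
// Mechanism 2: a Run/RunOnce value set by a scripting engine, pointing at an interpreter
let RunKey = DeviceRegistryEvents
    | where ActionType == "RegistryValueSet"
    | where RegistryKey matches regex @"(?i)\\CurrentVersion\\Run(Once)?$"
    | where InitiatingProcessFileName in~ (ScriptingEngines)
    | where RegistryValueData has_any (Interpreters)
    | extend Mechanism = "RunKey",
             Detail = strcat(RegistryKey, " : ", RegistryValueName, " = ", RegistryValueData);
union TaskCreate, RunKey
// Timestamp, DeviceId and ReportId are mandatory output columns for a custom detection rule
| project Timestamp, DeviceId, ReportId, DeviceName, Mechanism,
          InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, Detail
| sort by Timestamp desc
```

Tasks registered through the Task Scheduler API (Register-ScheduledTask, or a beacon calling the COM interface directly) never spawn schtasks.exe; DeviceEvents records those under ActionType ScheduledTaskCreated, and a third leg of the union over that table closes the gap. Run the query over a few weeks of data before saving it as a rule: installers and logon scripts legitimately write Run values from script engines, and those are the exclusions you need in place before the rule pages anyone.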

Attack chain → endpoint defense interception points

Phase                  Example techniques                                       Interception controls
Initial access         Phishing click, exploit kit, USB delivery, drive-by      ASR + Network Protection
Execution              PowerShell, LOLBins, macro execution, DLL side-loading   ASR + AMSI + AV
Persistence            Scheduled tasks, registry run keys, WMI subscriptions,   ASR + EDR + Sysmon
                       services
Privilege escalation   Token manipulation, UAC bypass, exploiting a vuln,       Exploit Guard + EDR
                       DLL hijack
Defense evasion        AMSI bypass, ETW patching, process injection,            Tamper Protection + EDR
                       timestomping
Credential access      LSASS dumping, Kerberoasting, SAM extraction,            ASR + Credential Guard
                       token theft
Lateral movement       PsExec/WMI, RDP, SMB, WinRM                              EDR + Network Protection
Objective              Exfiltration, encryption, destruction, BEC               Controlled Folder Access + Isolation

Defense layers mapped to attack phases:
ASR rules: block initial access, execution, persistence and credential access techniques at the prevention layer.
AV + AMSI: block known malware and fileless script content at the execution layer.
EDR + custom detections: detect post-exploitation behavior across all phases at the detection layer.
Isolation + containment: interrupt lateral movement and objective completion at the response layer.

Figure ES0.2 — Each attack phase maps to specific defensive controls. A gap at any phase allows the attacker to progress to the next. The endpoint security stack is only as strong as its weakest configured layer.

The later phases: escalation, credential theft, lateral movement, objective

Phase 4 — Privilege Escalation. The Cobalt Strike operator needed local admin rights to dump credentials from LSASS. The operator exploited PrintNightmare (CVE-2021-34527) on an unpatched Print Spooler service to escalate from user context to SYSTEM. The controls that interrupt privilege escalation: exploit protection settings (ASLR, DEP, CFG and the other mitigations, enforced per application rather than left at system defaults) against memory-corruption exploits; PrintNightmare is a logic flaw in how the spooler loads printer driver DLLs, so those mitigations do not stop it, and the controls that do are patching and disabling the spooler where it is not needed. Vulnerability management identifying and remediating the spooler vulnerability through Defender Vulnerability Management recommendations. EDR detection alerting on exploitation patterns such as spoolsv.exe loading a DLL from an unexpected path or a remote share, or spawning child processes it never spawns in normal operation. At NE, exploit protection was at Windows defaults, and the vulnerability had been flagged in Defender Vulnerability Management recommendations for four months without remediation.

Phase 5 — Credential Access. With SYSTEM privileges, the operator dumped LSASS process memory with the MiniDump export of comsvcs.dll: rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump [LSASS PID] C:\temp\dump.bin full. Parsed offline, the dump yielded NTLM hashes and Kerberos tickets for every currently authenticated user, including domain admin accounts that had recently signed into the endpoint. The controls that interrupt credential access: the ASR rule "Block credential stealing from the Windows local security authority subsystem," which denies processes the handle to LSASS they need to read its memory; the rule is behavioral rather than a signer check, so it stops the Microsoft-signed rundll32.exe in this chain as well as Mimikatz. Credential Guard, which moves NTLM hashes and Kerberos ticket-granting tickets into the isolated LSA process (LSAIso) under virtualization-based security, so a dump of lsass.exe, even one taken as SYSTEM, does not contain them. RunAsPPL, which runs LSASS as a Protected Process Light so that a process that is not itself protected cannot open it for memory read or injection regardless of its privilege level; a kernel driver can still strip that protection, so it complements Credential Guard rather than replacing it. At NE, the LSASS ASR rule was in audit mode, Credential Guard was not enabled, and RunAsPPL was not configured. The credential dump succeeded in under three seconds.

Phase 6 — Lateral Movement. With domain admin credentials, the operator used WMI to remotely execute commands on the file server SRV-NGE-FS01 and two additional endpoints. WMI remote execution creates a process on the target host under the credentials supplied by the attacker, with WmiPrvSE.exe as the parent and a network (type 3) logon immediately preceding it; it looks like a legitimate administrative action unless you have detection rules that baseline normal WMI usage patterns. The controls that interrupt lateral movement: EDR custom detection rules alerting on WMI remote process creation where the source is a workstation, on PsExec service installation on targets that should not receive remote execution, and on unusual network (type 3) logons between workstations. The ASR rule "Block process creations originating from PSExec and WMI commands" on target endpoints; note that Microsoft documents this rule as incompatible with devices managed by the Configuration Manager client, which depends on WMI, so it is a control for Intune-managed estates. Network-level detection alerting on SMB traffic between workstations, which should not occur in normal operations. At NE, the WMI ASR rule was not configured, and no custom detection rule existed for workstation-to-workstation remote execution.
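An added example of the workstation-to-workstation detection described above; it is not from the original page and not a Microsoft built-in rule. It takes process creations on workstations whose parent is wmiprvse.exe (WMI remote execution) or a psexesvc.exe start under services.exe (PsExec), joins them to the network (type 3) logon that arrived on the same device in the preceding two minutes, and keeps only rows whose source host is itself a workstation. The two-minute window, the 30-day DeviceInfo lookback, the child-process list and the use of DeviceType == "Workstation" as the asset class are assumptions to adjust.

```kql
// Added example: remote execution on a workstation, sourced from another workstation.
// Window, lookback and the child-process list are assumptions to tune.
let Lookback = 7d;
let Hosts = DeviceInfo
    | where Timestamp > ago(30d)
    | summarize arg_max(Timestamp, DeviceType) by DeviceId, DeviceName
    | extend ShortName = tolower(tostring(split(DeviceName, ".")[0]));
let Workstations = Hosts | where DeviceType == "Workstation" | project DeviceId;
let WorkstationNames = Hosts | where DeviceType == "Workstation" | project ShortName;
// Remote execution footprints on the target: WMI (wmiprvse.exe spawning a shell or LOLBin)
// and PsExec (services.exe starting psexesvc.exe)
let RemoteExec = DeviceProcessEvents
    | where Timestamp > ago(Lookback)
    | where DeviceId in (Workstations)
    | where (InitiatingProcessFileName =~ "wmiprvse.exe"
             and FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                               "mshta.exe", "regsvr32.exe", "wscript.exe", "cscript.exe"))
         or (InitiatingProcessFileName =~ "services.exe" and FileName =~ "psexesvc.exe")
    | extend Vector = iff(InitiatingProcessFileName =~ "wmiprvse.exe", "WMI", "PsExec");
// Network (type 3) logons on the same device, source host normalized to its short name
let NetLogons = DeviceLogonEvents
    | where Timestamp > ago(Lookback)
    | where ActionType == "LogonSuccess" and LogonType == "Network"
    | where isnotempty(RemoteDeviceName)
    | project DeviceId, LogonTime = Timestamp, LogonAccount = AccountName, RemoteIP,
              SourceHost = tolower(tostring(split(RemoteDeviceName, ".")[0]));
RemoteExec
| join kind=inner NetLogons on DeviceId
// keep the logon that arrived in the two minutes before the process was created
| where LogonTime between ((Timestamp - 2m) .. Timestamp)
| where SourceHost in (WorkstationNames)
// one row per process event: the latest qualifying logon is the best candidate source
| summarize arg_max(LogonTime, *) by DeviceId, ReportId
| project Timestamp, DeviceId, ReportId, DeviceName, Vector, SourceHost, RemoteIP,
          LogonAccount, InitiatingProcessFileName, FileName, ProcessCommandLine
| sort by Timestamp desc
```

The join is a time-window correlation, not a causal link: two administrators logging on to the same host within the same two minutes yield two candidate sources and arg_max keeps the later one, so treat SourceHost as the lead for the investigation rather than proof. For servers, change the DeviceType filter on the target side; for Tier 0 hosts, drop the source-host filter entirely, because any remote execution there is worth an alert whatever the source.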

Phase 7 — Objective. With access to the file server and lateral reach across the network, the attacker staged sensitive engineering files in a temporary directory, compressed them with the built-in tar.exe utility, and exfiltrated them over HTTPS to a cloud storage endpoint that blended with normal business traffic. The exfiltration used legitimate protocols on standard ports, indistinguishable from normal web browsing without TLS inspection or content-aware DLP policies. The controls at this phase: Controlled Folder Access, which matters when the objective is encryption or destruction, blocking untrusted processes from writing to protected directories; it does not restrict reads, so it is no obstacle to exfiltration. Network protection and web content filtering blocking unsanctioned cloud storage destinations. DLP policies detecting sensitive content (classification labels, document fingerprints, or regex patterns matching engineering drawing formats) leaving the organization boundary. Device isolation, either automated through AIR or manual through the Defender portal, cutting the compromised endpoint's network access while preserving forensic telemetry for investigation. None of these were configured at NE. The exfiltration completed over 48 hours without triggering a single alert.

KQL
// Detect the CHAIN-ENDPOINT attack pattern: LSASS memory dump via the comsvcs.dll MiniDump export
// Match on the command line rather than on FileName so a renamed copy of rundll32.exe is still caught;
// the export can be invoked by name (MiniDump) or by ordinal (#24)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has "comsvcs"
| where ProcessCommandLine matches regex @"(?i)comsvcs(\.dll)?\s*,\s*(MiniDump|#24)\b"
// DeviceId and ReportId are required columns if this query is saved as a custom detection rule
| project Timestamp, DeviceId, ReportId, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

If this query returns results in your environment, someone has used comsvcs.dll to dump process memory, which is almost always either a penetration test or an active compromise. MDE ships built-in alerts for LSASS memory access, but whether one fires depends on the sensor and cloud-delivered protection level and on how closely the attacker's invocation matches the built-in logic (calling the export by ordinal #24, or running the DLL from a renamed copy of rundll32.exe, are the usual variations). A custom detection rule built from this KQL in Advanced Hunting alerts on the pattern regardless of the built-in rule configuration; its output must include the Timestamp, DeviceId and ReportId columns or the portal will not let you save the rule.

The defense-in-depth reality

The CHAIN-ENDPOINT walkthrough illustrates the foundational principle of this course: no single control prevents a complete attack. Each defensive layer interrupts one or two phases of the chain. If that layer is missing or misconfigured, the attack proceeds to the next phase unimpeded.

ASR rules are the most impactful prevention control because they interrupt the earliest phases — initial access, execution, credential access. But ASR rules in audit mode provide zero prevention. They generate log entries that nobody reads while the attack chain completes. Moving ASR rules from audit to block mode is the single highest-leverage configuration change you can make — and it's the change most organizations avoid because they fear breaking legitimate applications. Section 0.8 addresses that fear directly with the evidence-based promotion methodology.
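What the audit-mode ASR rules have been logging, as an added example query that is not from the original page. Defender records each ASR evaluation in DeviceEvents with an ActionType of the form Asr<Rule>Audited, Asr<Rule>Blocked or Asr<Rule>Warned; this query keeps the audited ones, which are exactly the events a rule in block mode would have stopped, and groups them by rule and initiating process so that the "what breaks" question is answered with data before promotion. The 30-day window and the assumption that the Audited/Blocked/Warned suffix convention covers every rule in your tenant are the two things to confirm.

```kql
// Added example: evidence for audit-to-block promotion of ASR rules.
// ActionType naming (Asr<Rule>Audited|Blocked|Warned) is the convention observed in
// DeviceEvents; confirm it covers the rules you care about before relying on it.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| extend Rule = replace_regex(ActionType, @"(Audited|Blocked|Warned)$", ""),
         Mode = extract(@"(Audited|Blocked|Warned)$", 1, ActionType)
// audited events are the prevention gap: each one is a block that did not happen
| where Mode == "Audited"
| summarize Events = count(),
            Devices = dcount(DeviceId),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleTargets = make_set(FileName, 5)
  by Rule, InitiatingProcessFileName, InitiatingProcessFolderPath
| order by Rule asc, Events desc
```

Read each Rule group twice. Rows whose initiating process is a known business application across many devices are either the exclusions you add or the reason to keep that rule in audit a little longer. Rows with one device, an unusual folder path and a LOLBin as the target are the chain in progress, and the answer to those is an incident, not an exclusion. Swapping Mode == "Audited" for Mode == "Blocked" over the same window shows what the rules already in block mode are stopping, which is the evidence you want when someone asks to roll one back.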

EDR provides the broadest detection coverage across all phases, but only when someone writes the custom detection rules that catch environment-specific patterns. The default MDE alerts cover known commodity malware. The custom detections that catch targeted attacks — the attacker who uses your environment's normal administrative tools in abnormal ways — must be engineered. That engineering work is what differentiates an endpoint security deployment from an endpoint security program.

Different chains, same defensive gaps

The phases remain constant even when the specific techniques change. Understanding this portability is what lets you build controls that survive tooling evolution.

Commodity ransomware (Emotet → Cobalt Strike → Conti pattern). Initial access: phishing email with macro-enabled document. Execution: Word launches PowerShell via macro. Persistence: scheduled task created by PowerShell. Credential access: Mimikatz dumps LSASS. Lateral movement: Cobalt Strike uses PsExec to deploy the ransomware payload to additional endpoints. Objective: the payload encrypts files on all reached systems. Three independent interception opportunities exist: the ASR rule "Block all Office applications from creating child processes" prevents the Word-to-PowerShell chain at Phase 2. If that fails, the ASR rule "Block credential stealing from LSASS" prevents the credential dump that enables lateral movement at Phase 5. If that also fails, Controlled Folder Access prevents the ransomware from encrypting protected directories at Phase 7. But all three controls must be in block mode. In audit mode, the attack chain completes while three audit events are written to logs nobody monitors.

Business email compromise via AiTM. Initial access: an AiTM phishing page proxies the real sign-in and captures the session cookie after the user completes legitimate MFA. This phase occurs entirely in the cloud; endpoint controls do not intercept token theft at the authentication layer. The endpoint becomes relevant when the attacker uses the stolen session to access mailbox content from a new device or installs persistence through inbox rules. Interception points shift to device compliance: Conditional Access policies requiring compliant, managed devices for mailbox access block the attacker's unmanaged device from reaching Exchange Online, because the stolen cookie carries no device claim. If compliance is not enforced, the remaining detection is the anomalous sign-in itself (new device, new location, session reuse from an unexpected IP), surfaced from Entra ID sign-in logs and Exchange activity in the Defender XDR cloud tables rather than from EDR telemetry, since the attacker's device has no sensor; that too needs a custom detection rule unless the built-in AiTM alerts already cover the pattern. This chain demonstrates that endpoint security cannot be designed in isolation from identity security. The controls in the EI and IAM courses directly complement the endpoint controls in this course.

Supply chain compromise (SolarWinds pattern). Initial access: a trusted vendor software update contains a backdoor. Execution: the backdoor runs as part of the legitimate update process under the vendor's code signing certificate. AV cannot block it — the binary is signed by a trusted vendor and delivered through the legitimate update mechanism. The detection opportunity shifts entirely to EDR behavioral analysis: the updated software making unusual network connections to command-and-control infrastructure, executing unusual child processes, or accessing sensitive directories it has never accessed before. Custom detection rules that baseline normal behavior for critical software and alert on deviations are the only realistic interception point. This is where the engineering effort of creating environment-specific detections provides value that no vendor's built-in rules can replicate — because only you know what "normal" looks like for your specific software inventory.
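The baseline-and-deviate approach from the supply chain paragraph, as an added example that is not from the original page: for one trusted, signed process, collect every destination it reached during a 30-day baseline and alert on any destination first seen in the last day. The process name is a placeholder to replace with the update agent or vendor service you monitor, and the two windows are assumptions.

```kql
// Added example: first-seen network destination for a trusted application.
// MonitoredProcess is a placeholder; the baseline and detection windows are assumptions.
let MonitoredProcess = "vendor-updater.exe";
let BaselineWindow = 30d;
let DetectWindow = 1d;
// Every destination this process successfully reached during the baseline period
let KnownDestinations = DeviceNetworkEvents
    | where Timestamp between (ago(BaselineWindow + DetectWindow) .. ago(DetectWindow))
    | where InitiatingProcessFileName =~ MonitoredProcess
    | where ActionType == "ConnectionSuccess"
    | extend Dest = coalesce(RemoteUrl, RemoteIP)   // prefer the hostname, fall back to the IP
    | distinct Dest;
DeviceNetworkEvents
| where Timestamp > ago(DetectWindow)
| where InitiatingProcessFileName =~ MonitoredProcess
| where ActionType == "ConnectionSuccess"
| extend Dest = coalesce(RemoteUrl, RemoteIP)
| where Dest !in (KnownDestinations)
| summarize FirstSeen = min(Timestamp),
            Connections = count(),
            Devices = dcount(DeviceId),
            Ports = make_set(RemotePort, 10),
            // a new binary hash alongside a new destination is the update that introduced it
            Binaries = make_set(InitiatingProcessSHA256, 5),
            arg_max(Timestamp, DeviceId, ReportId, DeviceName, InitiatingProcessCommandLine)
  by Dest
| project Timestamp, DeviceId, ReportId, DeviceName, Dest, Ports, Connections, Devices,
          FirstSeen, Binaries, InitiatingProcessCommandLine
| order by Connections asc
```

Run the same shape over InitiatingProcessSHA256 and over child processes in DeviceProcessEvents: a legitimate update changes the hash but not the destinations, a backdoored update tends to change both, and a service that has never spawned a child process doing so for the first time is the strongest single signal. Vendors whose CDN rotates hostnames will make the destination leg noisy; baseline on the parent domain rather than the full host in that case.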

The question for each control across every chain is not "does it exist?" but three questions: what does it actually block, what breaks when you enable it, and how do you validate it works? These three questions are the framework this course applies to every endpoint security control.

What we see in 90% of environments

Multiple security products listed as "defense-in-depth" but all addressing the same two phases. AV, a firewall, and email filtering all primarily interrupt initial access and execution. None address persistence, privilege escalation, credential access, or lateral movement. Three products that all block the same attack phases provide redundancy at the perimeter, not depth behind it. True defense-in-depth requires controls at each phase of the chain — and those controls configured in block mode, not audit.

Analyst Decision

Priority control for immediate deployment: ASR rule "Block credential stealing from LSASS" in block mode. This single rule interrupts Phase 5 of the chain, preventing the credential dump that enables all subsequent lateral movement. Without domain admin credentials, the attacker's reach is limited to the single compromised endpoint.

Second priority: Custom detection rule for scheduled task creation by scripting engines (Phase 3). This catches persistence establishment within minutes, enabling response before the attacker has time to escalate or move laterally.

Third priority: Sysmon deployment plus PowerShell script block logging (Event ID 4104), covering Phases 2-6. This provides the telemetry depth that makes investigation possible. Without it, you see the alert but cannot reconstruct the full chain.

Endpoint Security Principle

Every attack chain has multiple interception opportunities, but only if the controls at each phase are configured and enforced. A gap at Phase 2 (execution) means the attacker reaches Phase 3 (persistence) without resistance. A gap at Phase 5 (credential access) means the attacker reaches Phase 6 (lateral movement) with domain admin rights. How many of those controls are actually enforced determines how many independent defenses the attacker must defeat to reach the objective. Engineering your endpoint security means closing those gaps in priority order.

Next

Section 0.3 defines the six-layer endpoint security stack — hardening, prevention, detection, response, forensic readiness, and integration — and explains what each layer contributes. The attack chain you just walked maps directly to these six layers: each phase of the chain has a layer that defends against it.
