How Microsoft Defender ATP detects polarbear exploits - Part 1

We will start with polarbearLPE - an exploit that gives an unprivileged user admin privileges on Windows machines. Windows 10 is impacted too. (polar)bearLPE is an elevation of privilege vulnerability exposed on May 21st and requires attacker to havre code execution. From there the privileges can be elevated. A very good description of the vulnerability can be found here:

Antivirus should be able to stop this attack (in fact Windows Defender AV with updates 1.293.2240.0 will detect it as Behavior:Win32/Belonar.B). But let’s see how Microsoft Defender ATP will be able to detect, investigate and remediate this attack on its own. To make things more difficult:

let’s use Windows 10 1803 with no updates installed;

and turn Windows Defender AV real-time protection off

After running the exploit, we get local admin rights. Let’s see Microsoft Defender ATP detection:


So even though the AV was disabled, MD ATP was able to see the process is sketchy and submit an alert. Let’s have a look what we can do about it:


We’ve got an option to remediate by removing the file or moving it to the quarantine.


After this action the file will be moved to the quarantine.

However, at this moment there is no full remediation or patch for affected systems.