{"id":26830,"date":"2019-10-10T16:42:29","date_gmt":"2019-10-10T20:42:29","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=26830"},"modified":"2019-10-10T16:42:29","modified_gmt":"2019-10-10T20:42:29","slug":"how-my-application-ran-away-and-called-home-from-redmond","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2019\/10\/10\/how-my-application-ran-away-and-called-home-from-redmond\/","title":{"rendered":"How My Application Ran Away and Called Home From Redmond"},"content":{"rendered":"<p><a href=\"https:\/\/medium.com\/sensorfu\/how-my-application-ran-away-and-called-home-from-redmond-de7af081100d\">Mikko Kentt&auml;l&auml;<\/a> (via <a href=\"https:\/\/twitter.com\/tapbot_paul\/status\/1181639923922866177\">Paul Haddad<\/a>):<\/p>\n<blockquote cite=\"https:\/\/medium.com\/sensorfu\/how-my-application-ran-away-and-called-home-from-redmond-de7af081100d\"><p>We were puzzled because I had killed the Beacon process and it should not be running anymore. I logged in to my Windows test machine to see if the Beacon was still running. But there was nothing. We were confused. Then I checked the alerts more carefully.<\/p>\n<p>[&#8230;]<\/p>\n<p>After that I realized Beacon&rsquo;s Home received the packet from an unknown IP address. At this point I was confused and freaking out &mdash; why is someone else running the same unique binary which was recently built just for me? Are my systems hacked?<\/p>\n<p>[&#8230;]<\/p>\n<p>I managed to narrow it down to Microsoft Defender and the &ldquo;Automatic sample submission&rdquo; feature. [&#8230;] Microsoft Windows 10 sends all new unique binaries for further analysis to Microsoft by default. They run the executable in an environment where network connectivity is available. This opens an interesting data leak vector for an attacker and also includes some privacy concerns. It is quite common that even in isolated environments, many of the Microsoft IP address ranges are whitelisted to make sure systems will stay up to date. This enables an adversary to leak data via Microsoft services, which is an extremely juicy covert channel.<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Mikko Kentt&auml;l&auml; (via Paul Haddad): We were puzzled because I had killed the Beacon process and it should not be running anymore. I logged in to my Windows test machine to see if the Beacon is still running. But there was nothing. We were confused. Then I checked the alerts more carefully. [&#8230;] After that [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2019-10-10T20:42:36Z","apple_news_api_id":"d6bbbfac-956a-4441-b755-0cc508fc5932","apple_news_api_modified_at":"2019-10-10T20:42:37Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/A1ru_rJVqREG3VQzFCPxZMg","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[504,37,355,219,1030],"class_list":["post-26830","post","type-post","status-publish","format-standard","hentry","category-technology","tag-malware","tag-microsoft","tag-privacy","tag-windows","tag-windows-10"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/26830","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=26830"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/26830\/revisions"}],"predecessor-version":[{"id":26831,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/26830\/revisions\/26831"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=26830"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=26830"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=26830"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}