ES0.2 Modern Attack Chains on Endpoints

Module 0 · Free
Operational Objective
Endpoint security is not a single control — it is a series of controls that each interrupt a specific phase of the attack chain. To engineer effective endpoint defenses, you need to understand how modern attacks flow through the endpoint: initial access (the phishing click, the exploit, the drive-by download), execution (the payload runs), persistence (the attacker survives a reboot), privilege escalation (the attacker gains admin rights), defense evasion (the attacker hides from your security controls), credential access (the attacker steals passwords and tokens), lateral movement (the attacker spreads to other systems), and finally their objective (exfiltration, encryption, destruction). Each phase interacts with a specific layer of the endpoint security stack. Each layer has specific controls that interrupt that phase. When you understand the chain, you understand why each control exists and what happens when a control is missing or misconfigured.
Deliverable: A phase-by-phase mapping of modern endpoint attack chains to the defensive controls that interrupt each phase, with specific MITRE ATT&CK technique examples and the corresponding Defender for Endpoint capability at each interception point.
Estimated completion: 35 minutes
ATTACK CHAIN → ENDPOINT DEFENSE INTERCEPTION POINTS

  Initial access        Phishing click, exploit kit, USB delivery, drive-by download        → ASR + Network Protection
  Execution             PowerShell, LOLBins, macro execution, DLL side-loading             → ASR + AMSI + AV
  Persistence           Scheduled tasks, registry run keys, WMI subscriptions, services    → ASR + EDR + Sysmon
  Privilege escalation  Token manipulation, UAC bypass, exploit vulnerability, DLL hijack  → Exploit Guard + EDR
  Defense evasion       AMSI bypass, ETW patching, process injection, timestomping         → Tamper Protection + EDR
  Credential access     LSASS dumping, Kerberoasting, SAM extraction, token theft          → ASR + Credential Guard
  Lateral movement      PsExec/WMI, RDP, SMB, WinRM                                        → EDR + Network Protection
  Objective             Exfiltration, encryption, destruction, BEC                         → CFA (Controlled Folder Access) + Isolation

DEFENSE LAYERS MAPPED TO ATTACK PHASES

  ASR rules: block initial access, execution, persistence and credential access techniques at the prevention layer
  AV + AMSI: block known malware and fileless script content at the execution layer
  EDR + custom detections: detect post-exploitation behavior across all phases at the detection layer
  Isolation + containment: interrupt lateral movement and objective completion at the response layer

Figure ES0.2 — Each attack phase maps to specific defensive controls. A gap at any phase allows the attacker to progress to the next. The endpoint security stack is only as strong as its weakest configured layer.

How a modern attack chain flows through the endpoint

Understanding endpoint security controls requires understanding what they defend against. A modern targeted attack against an M365 E5 environment with default endpoint security settings follows a predictable chain, and each phase exploits a specific gap in the unconfigured stack.

Phase 1: Initial Access. The attack starts with a phishing email containing either a malicious attachment (macro-enabled document, HTML smuggling payload, ISO/IMG container with embedded LNK) or a link to an adversary-controlled credential harvesting page. At NE, CHAIN-HARVEST used an AiTM phishing page. CHAIN-ENDPOINT used an HTML smuggling payload that delivered an ISO file. The endpoint security controls that interrupt initial access include: ASR rules (blocking Office applications from creating child processes, blocking JavaScript/VBScript from launching downloaded content), network protection (blocking connections to known malicious domains), and SmartScreen (blocking downloads from untrusted sources). At NE, none of these were in block mode. The phishing payload executed without prevention-layer interference.

Phase 2: Execution. The payload runs on the endpoint. For CHAIN-ENDPOINT, the user mounted the ISO file (bypassing Mark of the Web, since files inside ISO containers do not inherit the Zone.Identifier ADS), double-clicked the LNK file inside, which launched mshta.exe to execute an HTA payload, which in turn launched PowerShell with an encoded command that downloaded and executed the Cobalt Strike stager in memory. Four LOLBins in sequence (explorer → mshta → PowerShell → rundll32), zero standalone executables on disk. The controls that interrupt execution include: ASR rules (blocking Win32 API calls from Office macros, blocking execution of potentially obfuscated scripts), AMSI (scanning script content before execution), AV cloud protection (cloud-side analysis of the PowerShell behavior), and WDAC (blocking unsigned or untrusted executables). At NE, AMSI was enabled (default) and caught the simplest obfuscation — but the stager used a reflection-based AMSI bypass that patched amsi.dll in memory before loading the actual payload.


Phase 3: Persistence. After execution, the attacker must survive a reboot. The Cobalt Strike operator created a scheduled task (schtasks.exe /create) that runs on user logon, executing a PowerShell command that re-downloads and re-injects the beacon. A second persistence mechanism used a registry run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) pointing to a PowerShell encoded command. Both techniques use legitimate Windows mechanisms. The controls that interrupt persistence include: ASR rules (blocking persistence through WMI event subscriptions, blocking process creations from PSExec and WMI commands), EDR detection (alerting on scheduled task creation from unusual parent processes, registry run key modifications), and Sysmon (logging Event ID 12/13 for registry modifications, Event ID 1 for process creation with full command line). At NE, none of the ASR rules that protect against persistence were in block mode, Sysmon was not deployed, and no custom detection rules existed for scheduled task creation anomalies.

Phase 4: Privilege Escalation. The Cobalt Strike operator needed local admin rights to dump credentials from LSASS. The operator exploited PrintNightmare (CVE-2021-34527) on an unpatched print spooler service to escalate from user context to SYSTEM. The controls that interrupt privilege escalation include: exploit protection (ASLR, DEP, CFG enforced per-application), vulnerability management (identifying and patching the print spooler vulnerability), and EDR detection (alerting on exploitation patterns). At NE, exploit protection was at Windows defaults (not hardened per-application), and the vulnerability had been identified in Defender Vulnerability Management recommendations for 4 months but not remediated.

Phase 5: Credential Access. With SYSTEM privileges, the operator dumped LSASS process memory using comsvcs.dll MiniDump (rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump [LSASS PID] C:\temp\dump.bin full). This extracted NTLM hashes and Kerberos tickets for all currently authenticated users, including domain admin accounts. The controls that interrupt credential access include: ASR rule “Block credential stealing from the Windows local security authority subsystem” (which blocks non-Microsoft processes from opening LSASS), Credential Guard (which isolates LSASS secrets in a virtualization-based security container), and RunAsPPL (which protects the LSASS process as Protected Process Light). At NE, the LSASS ASR rule was in audit mode (not block), Credential Guard was not enabled, and RunAsPPL was not configured.

Phase 6: Lateral Movement. With domain admin credentials, the operator used WMI to remotely execute commands on the file server (SRV-NGE-FS01) and two additional endpoints. The controls that interrupt lateral movement include: EDR detection (alerting on WMI remote process creation, PsExec service installation, unusual Type 3 logon events), network-level detection (alerting on SMB traffic between workstations, which should not occur in normal operations), and ASR rule “Block process creations originating from PSExec and WMI commands.” At NE, the WMI ASR rule was not configured, and no custom detection rule existed for workstation-to-workstation WMI execution.
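The persistence, credential access and lateral movement steps above are exactly the events an EDR or Sysmon-backed detection rule has to recognise. The following Python is an added illustration, not course material and not a Defender for Endpoint query: it tags constructed Sysmon-style process and registry events with the phase they indicate and reports how far along the chain the intrusion got. The event shape, the sample command lines and the placeholder encoded commands are all assumptions.

```python
from dataclasses import dataclass
@dataclass
class Event:          # simplified Sysmon-style record (constructed shape, not the real schema)
    kind: str         # "process" (EID 1) or "registry" (EID 13)
    image: str        # executing binary (or the writing process for registry events)
    parent: str = ""  # parent image, process events only
    cmdline: str = ""
    target: str = ""  # registry key path, registry events only

LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
CHAIN_ORDER = ["execution", "persistence", "credential_access", "lateral_movement"]

def _base(p: str) -> str: return p.replace("\\", "/").rsplit("/", 1)[-1].lower()

def phase_of(ev: Event) -> list:
    """Return the attack-chain phases one event indicates (may be empty)."""
    img, par, cmd = _base(ev.image), _base(ev.parent), ev.cmdline.lower()
    hits = []
    if ev.kind == "process":
        # Phase 2: LOLBin/script host spawned by explorer or Office, or LOLBin chaining into a script host
        if (img in LOLBINS | SCRIPT_HOSTS and par in OFFICE | {"explorer.exe"}) \
                or (img in SCRIPT_HOSTS and par in LOLBINS):
            hits.append("execution")
        # Phase 3: scheduled task created by a script host rather than an admin shell or installer
        if img == "schtasks.exe" and "/create" in cmd and par in SCRIPT_HOSTS:
            hits.append("persistence")
        # Phase 5: LSASS dump via the comsvcs.dll MiniDump export
        if img == "rundll32.exe" and "comsvcs.dll" in cmd and "minidump" in cmd:
            hits.append("credential_access")
        # Phase 6: remote WMI execution lands on the target as a child of WmiPrvSE.exe
        if par == "wmiprvse.exe" and img in SCRIPT_HOSTS | {"cmd.exe"}:
            hits.append("lateral_movement")
    elif ev.kind == "registry":
        # Phase 3: Run key written by a script host (Sysmon EID 13)
        if "\\currentversion\\run\\" in ev.target.lower() and img in SCRIPT_HOSTS:
            hits.append("persistence")
    return hits

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed to mirror the CHAIN-ENDPOINT narrative above
    Event("process", r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe", r"mshta.exe D:\invoice.hta"),
    Event("process", PS, r"C:\Windows\System32\mshta.exe", "powershell.exe -nop -w hidden -enc <placeholder>"),
    Event("process", r"C:\Windows\System32\schtasks.exe", PS,
          'schtasks.exe /create /sc onlogon /tn Updater /tr "powershell -enc <placeholder>"'),
    Event("registry", PS, target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("process", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\cmd.exe",
          r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump [LSASS PID] C:\temp\dump.bin full"),
    Event("process", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmd.exe /c whoami"),
]

def chain_progress(events) -> list:  # phases observed, in chain order
    seen = {p for ev in events for p in phase_of(ev)}
    return [p for p in CHAIN_ORDER if p in seen]
```

Running chain_progress(SAMPLE_EVENTS) returns all four phases, which is the telemetry picture NE would have had if Sysmon and custom detections had been in place.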

The defense-in-depth reality

The attack chain illustrates a principle that is foundational to this course: no single control prevents a complete attack. Each defensive layer interrupts one or two phases of the chain. If that layer is missing or misconfigured, the attack proceeds to the next phase. The endpoint security architecture must provide coverage across all phases — and the coverage must be validated, not assumed.

ASR rules are the most impactful prevention control because they interrupt the earliest phases (initial access, execution, credential access). But ASR rules that sit in audit mode provide zero prevention — they generate log entries that nobody reads while the attack chain completes. EDR provides the broadest detection coverage across all phases, but only if someone writes the custom detection rules that catch the specific patterns. Default MDE alerts cover known commodity malware patterns. The custom detections that catch targeted attacks using organisation-specific patterns must be engineered.

The engineering question for each control is not “does this control exist?” but three questions: what does it actually block (not what the documentation claims), what breaks when you enable it (the blast radius), and how do you validate it is working (the test)? These three questions are the framework this course applies to every endpoint security control across all 16 modules.

Decision Point

You have time to configure one endpoint security control this week. Your options: (A) Enable the ASR rule that blocks credential stealing from LSASS in block mode. (B) Write a custom detection rule for scheduled task creation from unusual parent processes. (C) Deploy Sysmon with the SwiftOnSecurity baseline. The correct answer depends on your current threat landscape and what is already configured. If you have no ASR rules in block mode, option A provides the highest immediate impact — it prevents one of the most common post-exploitation techniques. If LSASS protection already exists (via Credential Guard or ASR), option B addresses a persistence technique that is harder to prevent. Option C provides long-term telemetry value but zero immediate prevention or detection. The deployment sequence matters — this course teaches you how to determine which control to deploy next based on your specific gap analysis.

Real-world attack chain examples mapped to endpoint controls

Commodity ransomware (Emotet → Cobalt Strike → Conti). Initial access: phishing email with macro-enabled document. Execution: Word launches PowerShell via macro. Persistence: scheduled task created by PowerShell. Lateral movement: Cobalt Strike uses PsExec to deploy Conti to additional endpoints. Objective: Conti encrypts files on all reached systems. Interception points: ASR “Block Office from creating child processes” prevents the Word→PowerShell chain. If that fails, ASR “Block credential stealing from LSASS” prevents the credential dump that enables lateral movement. If that fails, Controlled Folder Access prevents the ransomware from encrypting protected directories. Three independent interception opportunities — but only if all three controls are in block mode.

Business email compromise via AiTM. Initial access: AiTM phishing page captures session token. This phase occurs entirely in the cloud — endpoint controls do not intercept token theft at the authentication layer. The endpoint becomes relevant when the attacker uses the stolen session to access mailbox content from a new device. Interception points: device compliance policies requiring compliant devices for mailbox access (the attacker’s device is not enrolled in Intune, so conditional access blocks mailbox access from non-compliant devices). If compliance is not enforced, EDR detects the anomalous logon event from a new device accessing the mailbox.

Supply chain compromise (SolarWinds-style). Initial access: trusted vendor software update contains backdoor. Execution: the backdoor executes as part of the legitimate update process. The AV cannot block it — the binary is signed by the vendor and delivered through the legitimate update mechanism. Interception points: EDR behavioral analysis detects the updated software making unusual network connections or executing unusual child processes. Custom detection rules that baseline normal behavior for the software and alert on deviations. This is where EDR and custom detections provide value that AV never can — the detection is behavioral, not signature-based.

Try it: map your environment's attack surface to the chain

For your environment, answer these questions for each attack phase:

  1. Initial access: What is your most likely initial access vector? (Phishing, exploit, USB, web?) What prevention controls are in place? Are they in block mode or audit mode?
  2. Execution: If the initial access vector delivers a payload, what execution paths are available? Can Office launch child processes? Can PowerShell execute encoded commands? Are LOLBins unrestricted?
  3. Credential access: Is the LSASS ASR rule in block mode? Is Credential Guard enabled? Is RunAsPPL configured?
  4. Lateral movement: Can workstations communicate with each other via SMB? Can WMI be executed remotely from workstations? Do custom detection rules exist for lateral movement patterns?

For each answer of “no prevention control” or “audit mode only,” you have identified a gap in your endpoint security chain. Document these gaps — they form the basis of your deployment roadmap from Module ES0.9.
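The Decision Point and the gap questions above both come down to the same procedure: find the earliest phase with no block-mode control and fix that first. As an added example (not course material), the Python below applies that rule to a constructed ASR configuration. It assumes the action codes Get-MpPreference reports in AttackSurfaceReductionRules_Actions (0 disabled, 1 block, 2 audit, 6 warn), keys rules by name rather than GUID for readability, and takes the rule-to-phase mapping from this module's text; preferring an audit-mode rule over an unconfigured one (because its audit data already exists) is the example's own assumption.

```python
# Action codes as Get-MpPreference reports them in AttackSurfaceReductionRules_Actions
ACTION = {0: "disabled", 1: "block", 2: "audit", 6: "warn"}

CHAIN = ["initial_access", "execution", "persistence", "credential_access", "lateral_movement"]

# Phase each ASR rule named in this module interrupts (mapping taken from the text above)
RULE_PHASE = {
    "Block Office applications from creating child processes": "initial_access",
    "Block JavaScript/VBScript from launching downloaded executable content": "initial_access",
    "Block Win32 API calls from Office macros": "execution",
    "Block execution of potentially obfuscated scripts": "execution",
    "Block persistence through WMI event subscription": "persistence",
    "Block credential stealing from the Windows local security authority subsystem": "credential_access",
    "Block process creations originating from PSExec and WMI commands": "lateral_movement",
}

def _mode(config: dict, rule: str) -> str:
    return ACTION.get(config.get(rule, 0), "disabled")   # unknown/unset code counts as disabled

def phase_status(config: dict) -> dict:
    """Per phase: 'block' if any rule is enforced, 'audit' if rules only log, else 'uncovered'."""
    status = {p: "uncovered" for p in CHAIN}
    for rule, phase in RULE_PHASE.items():
        mode = _mode(config, rule)
        if mode == "block":
            status[phase] = "block"
        elif mode in ("audit", "warn") and status[phase] != "block":
            status[phase] = "audit"
    return status

def next_rule(config: dict):
    """Earliest phase without a block-mode rule wins; within it, prefer a rule already in audit."""
    status = phase_status(config)
    for phase in CHAIN:
        if status[phase] == "block":
            continue
        candidates = [r for r, p in RULE_PHASE.items() if p == phase]
        candidates.sort(key=lambda r: _mode(config, r) not in ("audit", "warn"))
        return phase, candidates[0]
    return None   # every phase in this mapping already has an enforced rule

def promotable(config: dict) -> list:
    """Rules collecting audit data, i.e. candidates to move to block after the data is reviewed."""
    return [r for r in RULE_PHASE if _mode(config, r) in ("audit", "warn")]

# Constructed to resemble the NE state described above: LSASS rule in audit, nothing in block
NE_CONFIG = {
    "Block credential stealing from the Windows local security authority subsystem": 2,
    "Block execution of potentially obfuscated scripts": 2,
}
```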

Compliance Myth: "We have defense-in-depth because we run AV, a firewall, and email filtering"

The myth: Multiple security products equal defense-in-depth. If one fails, the others catch it.

The reality: Defense-in-depth requires controls at different layers that address different phases of the attack chain. AV, a firewall, and email filtering all primarily address initial access and execution — the first two phases. None of them address persistence, privilege escalation, credential access, lateral movement, or the attacker’s objective. True defense-in-depth on the endpoint requires: prevention (ASR, WDAC, exploit protection), detection (EDR, custom rules, hunting), response (isolation, containment, investigation), and forensic readiness (audit policies, Sysmon, logging). Three products that all address the same two attack phases do not provide depth — they provide redundancy at the perimeter and nothing behind it.

Troubleshooting

“Our attack chain looks different — we’re not targeted by Cobalt Strike operators.” The specific tools change. The phases do not. Whether the attacker uses Cobalt Strike, Sliver, Brute Ratel, or a custom implant, they still need to execute code, establish persistence, escalate privileges, access credentials, and move laterally. The endpoint security controls that interrupt each phase work regardless of the attacker’s tooling. This course teaches you to defend against the chain, not specific tools.

“We can’t map our environment to ATT&CK — it’s too complex.” You do not need to map every technique. Start with the 10 techniques that appear most frequently in the incidents your industry experiences. MITRE publishes ATT&CK Navigator layers from vendors like CrowdStrike and Mandiant that show the most commonly observed techniques per year. Map those 10 techniques to your current endpoint security controls. The gaps are your engineering priorities. Module ES8 covers this mapping in depth.

“Our red team bypassed all of our endpoint security controls — should we replace MDE?” Red teams bypass controls because the controls are unconfigured, not because the product is inadequate. A red team that bypasses ASR rules in audit mode has proven that audit mode does not prevent attacks — which you already knew. The question is: which ASR rules can move to block mode after audit data analysis? A red team that bypasses EDR has proven that your custom detection rules have gaps — which is valuable feedback for the detection engineering cycle in Module ES8. The red team finding is not “replace the product” — it is “configure the product.”

An attacker compromises an endpoint via phishing and uses rundll32.exe to load a malicious DLL that dumps LSASS credentials via comsvcs.dll MiniDump. Three ASR rules could have interrupted this chain at different points. Which rule provides the earliest interception — preventing the attack chain from progressing past the execution phase?

  (A) "Block credential stealing from the Windows local security authority subsystem" — this rule blocks LSASS access, which occurs at the credential access phase (Phase 5), not the execution phase. It is critical but not the earliest interception point.
  (B) "Block Office applications from creating executable content" or "Block JavaScript/VBScript from launching downloaded executable content" — these rules intercept at the initial access/execution boundary (Phase 1-2), preventing the phishing payload from executing in the first place. If the payload cannot execute, the entire chain — including the LSASS dump — never occurs. Earliest interception is always preferred because it eliminates all subsequent phases.
  (C) "Block process creations originating from PSExec and WMI commands" — this rule blocks lateral movement (Phase 6). By this point, the attacker has already executed, persisted, escalated, and stolen credentials. It limits the blast radius but does not prevent the initial compromise.
  (D) "Block persistence through WMI event subscription" — this rule blocks persistence (Phase 3). It prevents the attacker from surviving a reboot but does not prevent the initial execution or the credential dump that occurs before persistence is established.
