Listen to this Post

Introduction:
Modern Extended Detection and Response (XDR) platforms are designed to give defenders visibility, but a new wave of tooling is flipping the script for penetration testers and red teamers. By leveraging contributions from security researchers like Alex Kefallonitis, tools such as XDRInternals are now capable of transforming a simple live response session into a fully interactive shell, all while bypassing traditional Multi-Factor Authentication (MFA) hurdles like push notifications and OTP codes without ever opening a browser.
Learning Objectives:
- Understand how to elevate a standard XDR agent session to a full interactive command-line shell.
- Learn the mechanics of bypassing MFA (Push/OTP) for authentication flows using API-level interactions.
- Identify the security implications of native API calls versus browser-based authentication in enterprise environments.
You Should Know:
1. Installing and Configuring XDRInternals for Authentication Bypass
The recent update to XDRInternals, driven by a pull request from Alex Kefallonitis, introduces a method to handle user/pass authentication combined with MFA without relying on a headless browser. This is significant because traditional automation often breaks when facing MFA prompts. The tool now interacts directly with the underlying authentication APIs.
To replicate this setup, you must first clone the repository and install the dependencies. The tool primarily targets Python 3.9+ environments.
Linux/macOS Installation:
git clone https://github.com/Undercode/XDRInternals.git cd XDRInternals python3 -m venv venv source venv/bin/activate pip install -r requirements.txt
Windows Installation (PowerShell):
git clone https://github.com/Undercode/XDRInternals.git cd XDRInternals python -m venv venv .\venv\Scripts\Activate pip install -r requirements.txt
Once installed, the core configuration involves setting up your tenant details. The tool now utilizes a specific endpoint to submit credentials and then captures the MFA claim via an API call, eliminating the need to simulate a browser DOM environment.
- Establishing the Live Response to Interactive Shell Transition
The core functionality highlighted by Nathan McNulty and Alex Kefallonitis is the transition from a “live response” (typically a limited set of pre-defined commands) to a “full interactive shell.” This is achieved by leveraging the underlying agent communication channels that XDR platforms use.
In many XDR solutions, the agent communicates via a websocket or a persistent HTTPS connection. XDRInternals identifies the session token and reuses it to spawn a new process with redirected input/output streams.
Step-by-step guide:
- Authenticate: Run the tool with your tenant credentials. The tool will handle the MFA flow automatically.
python xdrinternals.py --tenant your-tenant --user [email protected] --password 'YourPass' --mfa
- List Agents: Once authenticated, list available endpoints to get the Agent ID.
list-agents
- Initiate Live Response: Start a live response session on the target agent.
start-live-response --agent-id 12345
- Elevate to Interactive Shell: Use the specific `–interactive` flag or the new `spawn-shell` command. This command injects a shell runner (cmd.exe for Windows, /bin/bash for Linux) into the agent’s process tree.
spawn-shell --agent-id 12345
3. The MFA Bypass Mechanism: API vs. Browser
The previous version of XDRInternals relied on Selenium or Playwright to automate a browser to handle MFA (Push or OTP). This was resource-intensive and prone to failure if the browser window was detected. The new PR merges a method that extracts the authentication endpoints directly.
Instead of loading a browser, the tool now performs a `POST` request to the `/auth/verify` endpoint. If MFA is required, the server responds with a `mfa_required` status and a transaction ID. The tool then sends the OTP (if available) or polls the `mfa/status` endpoint for a push approval. Once approved, it captures the `refresh_token` and access_token.
Code Snippet of the Logic (Python):
def authenticate_mfa(session, url, user, passwd):
payload = {"username": user, "password": passwd}
resp = session.post(f"{url}/auth/login", json=payload)
if resp.json().get("mfa_required"):
txn_id = resp.json()["transaction_id"]
Simulate push approval check
mfa_resp = session.post(f"{url}/auth/mfa/approve", json={"transaction_id": txn_id})
if mfa_resp.status_code == 200:
return session.cookies.get("access_token")
return None
4. Working with XDR Telemetry for Post-Exploitation
Once the interactive shell is established, the true power of XDRInternals becomes apparent. You are no longer limited to the “live response” commands (like registry queries or file listings). You have full system access. However, to remain undetected, leveraging the XDR’s own telemetry against itself is key.
Using the authenticated session, you can query the XDR’s backend to see if any alerts are being generated by your own activity. This allows for real-time detection testing.
Command to Query Alerts:
python xdrinternals.py --session-token $TOKEN --get-alerts --severity high
If you see your process (e.g., spawn-shell) generating a high-severity alert, you can immediately adjust your evasion techniques (e.g., process injection, parent PID spoofing) to see if the XDR logic updates based on your changes.
5. Windows-Specific Payload Execution via API
To make the interactive shell functional on a Windows target, the tool typically utilizes the Windows API via `ctypes` or PowerShell remoting. The “interactive shell” feature often injects a hidden instance of `conhost.exe` or `powershell.exe` that is not visible to the logged-in user but is fully interactive for the operator.
Manual Verification on Windows Target (via Live Response):
If you are testing the integrity of the shell, you can run the following command to check for hidden processes:
Get-Process -Name conhost, powershell | Select-Object ProcessName, SessionId, StartTime
If a `conhost` process appears with a different start time than the user’s logon session, it likely indicates the injected interactive shell is running.
6. Linux Privilege Escalation Integration
For Linux agents, the tool leverages the same API to bypass MFA but uses `pty` (pseudo-terminal) allocation to provide a fully interactive TTY. Without this, commands like `sudo` or `su` would fail due to the lack of a terminal.
Linux Command to Spawn Fully Interactive TTY:
If you have a non-interactive shell, you can manually upgrade it using Python:
python3 -c 'import pty; pty.spawn("/bin/bash")'
XDRInternals automates this by passing the `-t` flag during shell creation, ensuring that the `SHELL` environment variable is set correctly, and that the terminal size is echoed back to the operator.
7. Security Implications and Mitigation Strategies
For defenders, the ability to bypass MFA via API calls (rather than browser automation) represents a significant shift in threat actor capabilities. This highlights a critical gap: API security is often weaker than browser security.
To mitigate this:
- Conditional Access Policies: Enforce “Compliant Device” or “Hybrid Joined” requirements. API-based bypasses often fail if the token request does not originate from a managed device.
- FIDO2 Keys: Hardware security keys (like Yubikeys) are resistant to this type of API manipulation because the authentication requires a physical challenge-response that cannot be simulated via a simple POST request.
- Monitoring Entra ID Sign-in Logs: Look for logins with “Client App” listed as “Other Clients” or “Unknown” where MFA is satisfied but the device info is missing or shows a non-corporate OS.
What Undercode Say:
- Token Capture is the New Perimeter: The update to XDRInternals proves that attackers are moving away from phishing for passwords to stealing tokens directly from API responses. If you can capture the token post-MFA, the browser becomes irrelevant.
- XDR as a Double-Edged Sword: The very agents deployed to protect endpoints now serve as the entry point for full system compromise. Once an operator uses the XDR’s own API to deploy a shell, the agent essentially becomes a Remote Access Trojan (RAT) blessed by the security stack itself.
- Shift Left in Testing: Red teams must now test API authentication flows with the same rigor as they test web applications. The assumption that MFA stops automated logins is no longer valid when the attacker directly integrates with the authentication API.
Prediction:
The evolution of XDRInternals signals a broader trend where security tooling APIs become the primary attack vector for lateral movement and persistence. In the next 12 months, we will likely see a surge in “Living off the Land” (LotL) attacks that utilize native XDR agent commands for data exfiltration, rendering traditional EDR visibility blind to malicious intent, as the actions appear to originate from the security console itself. Organizations will be forced to implement “break-glass” authentication workflows and API-specific threat detection to distinguish between legitimate admin activity and adversary-in-the-middle (AitM) operations conducted through tools like XDRInternals.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Alex Kefallonitis – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


