Decoding Cyber Defense: Navigating the Endpoint Security Landscape - Part One

Introduction

Stepping into the shadows of the digital frontier, armed with innovation and curiosity, our Cyber Red Team embarked on a mission that transcended mere tests and assessments. We delved deep into the labyrinth of Endpoint Security (EPP and EDR) solutions, unveiling their strengths and limitations. In a world where data breaches are a constant threat, and cyber adversaries grow ever more sophisticated, we wielded our expertise as a beacon of light, illuminating the hidden vulnerabilities that lie beneath the surface. Join us as we unveil the results of our relentless research, exposing the strengths and vulnerabilities of multiple endpoint security solutions. This is not just a journey into the realm of cyber defense; it's a mission to safeguard the digital future in a world where threats never rest.

Dive Introduction

Modern Endpoint Security has been here for quite a long time to protect digital assets from ever-evolving malware. These EPPs and EDRs are in a cat-and-mouse game with malware with their various evasion technics. It is like a sword vs a shield. Since EDRs are more expensive, some small and medium organizations are simply depending on EPPs to protect their digital assets. EPPs are the first line of defense. As the market is packed with lots of different EPP/EDR products, every vendor tries to convince their client by advertising their capabilities. But actions speak louder than words. So, we have decided to get our hands dirty and play with some End Point Protection systems that are popular in the Bangladeshi Market.

Target Endpoint Security

1: Trellix Endpoint Security

2: Trendmicro Antivirus Plus

3: Kaspersky Endpoint Security

Testing methodology

First, assume that we have access to a machine with EPP installed with system-level integrity. Though we have higher privileges on the system doesn’t mean we can run any malware on the system as we wish, as the EPP is present on the system, and we can’t simply pause or turn off the modern EPPs even with an account with system-level integrity.

We are NOT going to discuss how the modern EPPs and EDRs work, but how they respond against some evasion technics used by modern malware.

We will start with a simple shellcode injection. Then if it gets detected, we will continue to integrate new capabilities into our dropper. In our case, the shellcode will be a Mimikatz shellcode.

As said, we will start with simple self-shellcode injection where the function calls are not obfuscated, just XOR encrypted shellcode placed into the data section, then the following technics will be introduced in the dropper if required one by one depending on the situation:

  1. Function call obfuscation
  2. Payload in resource section
  3. Dll injection (Classic)
  4. Dll injection (Reflective)
  5. Unhooking
  6. Direct Syscall
  7. Indirect Syscall

Additionally, if needed, we will add some manifests and signatures to make the reference dropper look legit and also try changing the entropy of the reference dropper. Also, as opposed to the typical dropper, which allocates memory with PAGE_EXECUTE_READWRITE" permission, our reference dropper will allocate memory with PAGE_READWRITE permission initially, then after copying the shellcode to the allocated buffer, we will then change the buffer region protection with executable permission using PAGE_EXECUTE_READ. This will make the execution less suspicious.

If we run the dropper and the shellcode runs successfully, we will stop testing on that EPP, mark it compromised, and move on to the next EPP.

Trellix Endpoint security

Version: 10.7.0.5828

Update status: Fully Updated

Dropper characteristics: Self-Injector, XOR encrypted shellcode, Shellcode in .data, Default entropy.

Observation:

Trellix fails to detect and stop the shellcode execution. In the case of the official Mimikatz executable, it detects and deletes the executable.

Figure: Reference dropper successfully executed Mimikatz - Trellix Endpoint Security

TrendMicro Antivirus Plus

Version: 17.7_22Q3

Update status: Fully Updated

Dropper characteristics: Self-Injector, XOR encrypted shellcode, Shellcode in .data, Default entropy.

Observation:

TrendMicro fails to detect and stop the shellcode execution. However, in the case of the official Mimikatz executable, it detects and deletes the executable.

Figure: Reference dropper successfully executed Mimikatz - TrendMicro Antivirus Plus

Kaspersky Endpoint Security

Version: 12.2.0.462

Update status: Fully Updated

Dropper characteristics: Self-Injector, XOR encrypted shellcode, Shellcode in .data, Default entropy.

Observation:

Kaspersky fails to detect and stop the shellcode execution. However, it reconfigures the lsass process as a protected process, so additional work is needed to dump lsass. Our testing covers only the shellcode execution part, which ran successfully. And in the case of the official Mimikatz executable, it also detects and deletes the executable.

Figure: Reference dropper successfully executed Mimikatz - Kaspersky Endpoint Security

Closure

In this inaugural chapter of our multi-part series, we embarked on a captivating exploration into the world of Endpoint Security solutions. As we conclude this chapter of our research journey, we find ourselves not at any verdict but rather at a crossroads of possibilities. Join us in this dynamic journey as we set the stage for a series of revelations that will redefine how we perceive cybersecurity. From demystifying advanced threat detection to unraveling the art of proactive defense, our forthcoming installments will continue to illuminate the path to a safer digital future.