Embarking on the next leg of our journey, the Cyber Red Team returns with the second installment of our exploration into the ever-shifting terrain of cybersecurity. Armed with curiosity and an insatiable drive to illuminate the shadows, we unveil the continuation of our saga. With our magnifying glass on the pulse of cyber defense, we delve deeper, venture further, and challenge the boundaries of security in a world where the line between threat and protection remains fluid. Join us once again as we unravel layers of insights, confront fresh challenges, and navigate the intricate tapestry of Endpoint Security's (EPP and EDR) efficacy. Welcome to the second chapter of our mission.
Target Endpoint Security
1: Malwarebytes Premium
2: ESET Endpoint Security
First, we have to assume that we have access to a machine with EPP installed with system level integrity. Though we have higher privilege on the system, that doesn’t mean we can run any malwares on the system as we wish, as the EPP is present on the system and we can’t simply pause or turn off the modern EPPs, even with an account with system level integrity.
We are NOT going to discuss how modern EPPs and EDRs works, but how they respond against some evasion technics used by modern malwares.
In the previous post, we started with simple shellcode injection. Then, if it got detected, we continued to integrate new capabilities into our dropper. In our case, the shellcode is a Mimikatz shellcode. In this part, we are playing with the EPPs that detected the basic shellcode injection from the previous blog and required extra modification on the dropper to evade detection. The more complex modification needed in the dropper side for any EPP will place it higher in the tier list. So, these are the EPPs which are in the higher tier list than the previous EPPs tested in our previous blog.
We will start with modifying our dropper and changing the entropy by injecting random bytes, add metadata from other valid PEs, and using a modified version of Mimikatz shellcode placed in the resource section. Then, if required, the following technics will be introduced in the dropper one by one depending on the situation:
- Function call obfuscation
- Dll injection (Classic)
- Dll injection (Reflective)
- Userland API Unhooking
- Direct Syscall
- Indirect Syscall
If we run the dropper and the shellcode executes successfully, we will stop testing on that EPP, mark it compromised and move onto the next EPP.
Update status: Fully Updated
Dropper characteristics: Self-Injector, Shellcode in resource section, changed entropy, added Metadata.
Observation: Malwarebytes fails to detect and stop the shellcode execution after changing the Entropy of the dropper. In case of official Mimikatz executable and the dropper used in previous testing, was detected and deleted from the disk.
ESET Endpoint Security
Update status: Fully Updated
Dropper characteristics: Self-Injector, Shellcode in resource section, Modified Mimikatz shellcode.
ESET fails to detect and stop the shellcode execution when we use a modified version of Mimikatz shellcode.
However, when we used the shellcode built from the official Mimikatz binary, changing entropy or adding legit metadata wasn’t that helpful and got detected as soon as the binary touched the disk. And in the case of the official Mimikatz executable, it also detects and deletes the executable.
As we draw the curtains on this chapter, we find ourselves not at an end, but at a crossroads of exploration and evolution. Our expedition into the collection of Endpoint Security solutions has illuminated both the resilience of modern cybersecurity and the ever-evolving nature of digital threats.
This is not a verdict, but rather a checkpoint on an ongoing journey to fortify our defenses. Together, we rise to meet the future with the knowledge that cybersecurity is not a destination but a perpetual voyage.
Our forthcoming installments will continue to illuminate the path to a safer digital future. Stay with us.