Prologue
As we set forth on the next leg of our journey, the Cyber Red Team returns with the third installment of our ongoing exploration into the dynamic landscape of cybersecurity. Fueled by our relentless curiosity and a steady commitment to reveal the concealed, we proudly present the next chapter of our saga. With our magnifying glass firmly fixed on the beating heart of cyber defense, we plunge even deeper, push the boundaries further, and challenge the ever-fluid line between threat and protection. Join us once more as we peel back layers of insight, confront new and formidable challenges, and expertly navigate the intricate tapestry of Endpoint Security's (EPP and EDR) effectiveness. Welcome to the third chapter of our mission.
Target Endpoint Security
1: Check Point Endpoint Security
2: Sophos Home Premium
Testing methodology
TL;DR
First, assume that we have access to a machine with EPP installed with or without system-level integrity. However, if we have higher privileges on the system, it doesn’t mean we can run any malware on the system as we wish, as the EPP is present on the system, and we can’t simply pause or turn off the modern EPPs even with an account with system-level integrity.
We are NOT going to discuss how the modern EPPs and EDRs work, but how they respond against some evasion techniques used by modern malware.
In the previous two posts, we have started with simple shellcode injection. Then if it gets detected, we continue to integrate new capabilities into our dropper. Here we will be using a Meterpreter reverse connecting shellcode as a payload to achieve a reverse shell. We will be playing with the more aggressive EPPs this time which already have detected the following techniques:
- Payload encryption
- Function call obfuscation
- DLL injection, etc.
So, in this part, we are going to deploy more advanced techniques to bypass the Security solutions as they are detecting all of our previous basic evasion techniques. We will start with API Unhooking method followed by direct and indirect syscalls and BYVD depending on the situation.
If we run the dropper and the shellcode executes successfully, we will stop testing on that EPP, mark it compromised, and move on to the next EPP.
Before going any further, first, let us talk a bit about Userland hooks. Many EPP/EDR solutions use API hooking to monitor the real-time process, or any suspicious WinAPI calls that it might consider as harmful. In order to intercept the function calls and code flow redirection, they inject their own library into all newly created processes. Then they hook WinAPI functions that are commonly used by malware, most commonly, functions that have to do with the process, thread creation, manipulation, memory mapping, etc., for example, NtOpenProcess (OpenProcess), NtAllocateVirtualMemory (VirtualAllocEx), NtWriteVirtualMemory (WriteProcessMemory), NtCreateThreadEx (CreateRemoteThread), etc. The most common library that is hooked is ntdll.dll as it is the last remaining gateway between user mode and kernel mode, and usually, it is hooked in memory rather than on disk. This is achieved by replacing the first instruction of the un-exported function in the system DLL with a jmp instruction that jumps to a routine in the EPP/EDR’s loaded library.
We can easily identify these hooks by attaching a running process into a debugger and, as an example, from ntdll.dll by filtering out NtAdjustPrivilegesToken, and we will see an immediate jmp to somewhere in the memory, which should be the library of the installed EPP/EDR.
We will try to bypass the detection mechanism of our targeted EPPs by implementing an unhooking mechanism by mapping a fresh copy of ntdll.dll. Instead of mapping the ntdll.dll from the disk, we will map from a suspended process because, in a suspended state, only ntdll.dll is initially mapped. As the process is in a suspended state, the LdrpInitializeProcess won’t be called as the queued APC’s will only run once the process is resumed, as a result, other modules, including EDR’s module won’t be loaded, thus giving us an unhooked fresh copy of ntdll.dll.
To achieve this, we have created a process in a suspended state and then find the base address of the ntdll.dll of our current process, which will be the same base address for the suspended process we have just created. Then we parsed the Export Directory of both the suspended process’s fresh ntdll.dll and our current process’s ntdll.dll to find the NT APIs and extract the syscall stubs from fresh ntdll.dll and copy them to the ntdll.dll of our current process. This will restore our current process’s ntdll.dll into its initial state, thus unhooking the EDRs from our current process’s ntdll.dll and allowing us to execute our malicious payload evading many EPP/EDRs.
Check Point Endpoint Security
Version: E87.31
Update status: Fully Updated
Dropper characteristics: Remote Process injection, Meterpreter Reverse Connect shellcode, dll Unhooking.
Observation:
Check Point EPS fails to detect and stop the shellcode execution, and we were able to get a reverse shell to our remote machine.
Sophos Home Premium
Version: 4.3.1.2
Update status: Fully Updated
Dropper characteristics: Remote Process injection, Meterpreter Reverse Connect shellcode, dll Unhooking.
Observation:
Sophos Home Premium fails to detect and stop the shellcode execution and we were able to get a reverse shell to our remote machine.
Closure
As we conclude this chapter, we stand not at the end but at a juncture of exploration and evolution. Our deep dive into the sphere of Endpoint Security solutions has revealed the resilience of modern cybersecurity and the ever-evolving nature of digital threats. This is not a conclusion but rather a waypoint on our ongoing quest to bolster our defenses. Hand in hand, we embrace the future with the understanding that cybersecurity is not a destination but an everlasting journey. Our upcoming installments will continue to shed light on the path toward a more secure digital future. Rest assured, we will be back.