
All right, I'm kind of a pacer a little bit, so hopefully the microphone doesn't go in and out too much. But yeah, I'm Caleb Sergeant, and this is Blake. Just a real quick intro, a quick blurb about this talk. This isn't about security itself being an illusion, because anything can eventually be broken, right? Anything at all. This is more about challenging the status quo that modern endpoint detections are so advanced that the only way they can be defeated is with advanced attacks, or super complex novel techniques. We just want to show that that is not true, and that security can actually be broken with very easy methods. And then, so who are we?

>> Yeah, I'm Blake Hudson. I am an adversary emulation team lead at PayPal, which is essentially a very, very fancy way of saying that I do purple teaming and red team stuff. Roughly seven, almost eight years of experience in the industry, kind of specializing in cloud security and infrastructure testing, and this is now my fifth talk. I started last year at BSides here and went on kind of a slew of them last year, and I'm back here again. This place is pretty awesome, and I just want to say, if any of you ever have any information to share, get up. I recommend doing this at least once in your career. It's a pretty interesting experience.

>> Yeah, definitely. It's been a great experience for me as well. Like I said, I'm Caleb Sergeant. Oh, we missed a really good opportunity. You had that shirt on. I could have worn the same shirt. That would have been amazing.

>> But I'm an adversary emulation manager at PayPal. Basically I do a lot of bridge building between the red and the blue teams, helping them emulate threats so they actually get a red signal, right? I've been in offensive security for about eight years now. I specialize in endpoint security controls and email. I know, people are like, "Email? What?" Well, actually, that's what those other two talks were about. So I recently did a talk at Troopers in Germany about some email stuff; if you want, shameless plug, go look that up. And at Black Hat I did a talk with how Wong, who is also my manager, in the crowd right there. We did an email talk last year. So yes, highly recommend it. You'll learn a ton, and you'll meet some pretty cool people.

Standard disclaimer, especially since we're here from PayPal. We could say this all we want: hey, we're saying this from us, we don't represent the company, but they say, "Too bad, you represent us anyway." However, there's a disclaimer up here anyway. Right. With that out of the way, let's quickly talk about the agenda. Sweet, it worked this time. Okay. So we're just going to quickly go over and talk about what endpoint controls are, some typical bypasses that you'll see, and exactly why we are here and what type of different approach we're taking. Then we'll talk about bypassing Zscaler, tampering with Defender, real attacks that actually work. And then we're going to have some more fun with some persistent admin. And then, once again, user stories; that'll be an interesting topic, and we will go from there.

So what are endpoint controls? Can anybody name an endpoint control? Just shout one out. It's not up there. I tried to build a magic trick. But yeah, so that's really split into two different types, right? We have supportive and direct sorts of security controls. You have the things that are actually on the endpoint themselves, right? So like CrowdStrike, you have agents, Defender, and then there are other ones that are more supportive, like Zscaler, or like Jamf, Intune, right? That's going to be pushing custom scripts, doing something to protect the endpoint that isn't just running code, right? People get super hyperfocused on stopping the shell, stopping running the code. There are so many other controls on that endpoint that you can break.

And what are those typical bypasses, right? So we're all familiar with living off the land stuff. You know, bring your own vulnerable driver, I don't know if anybody's familiar with that one, building your own custom payloads, doing some API hooking evasion, module stomping, DLL hollowing. I could just list all of them, right? These are all more complex sorts of things where you do need to know how to code. You do need to understand something about Windows system internals, etc., right? Well, the key challenge to this is that we want to just evade that traditional signature, so of doing these types of techniques, right? So we want to bypass an [inaudible], for example, but we don't want to write a custom script for it. And that's exactly what makes this talk different.

This actually started from a comprehensive evaluation of enterprise security controls, where we took a holistic approach: we're not just looking at, hey, this is Defender, CrowdStrike, whatever, all these different things by themselves, but as a complete stack. How do they actually work, and what can we do to break them and then not have a signal, be able to bypass and not have our SOC, the blue team, be able to detect anything, right? And most importantly, we wanted to challenge this status quo type of term that's thrown around right now: tamperproof, right? I don't know how many of you guys have advertised or have been advertised to that, hey, our product is completely tamperproof. Well, we saw that and we were like, what does that actually mean? And what are you really claiming with this? So we wanted to challenge that. That's why we were doing this, and with that, how can we make this easier, right?

So we'll take a step back, and there will be a little caveat with this, right? A lot of this stuff does require administrator access. I think it even says, right, like, yeah, it fundamentally changes the security balance, which is true. But you can do a lot of really, really terrible things to an endpoint with admin; we know that. But also as a low-level user, and here are going to be some of the things that a regular user, anybody, could do, right? You can uninstall. You can manipulate the file system. There are custom scripts that are running; who can access those scripts, who can modify those, who can modify the registry, etc. So that is that, and we're going to start with Zscaler. I guess we're starting at the end of the alphabet. I don't know. We just decided that this is where we were starting.

So when we started this, we wanted to have some sort of prerequisite for this, right? So a good way whenever you're doing research for things, especially like this: I'm sure people are familiar with the idea of memory comparison, or not memory comparison, patch comparison, right? So you go and you look at one patch and then the new patch and you're like, cool, what's the difference, right? But that's way too complicated for us, so we just look at CVEs, right? So we go look at old CVEs. So did they fix this thing, and is there a new way to bypass it? Right? So there are different techniques you can do besides going and actually doing some patch diffing. So in certain cases here it says Zscaler can be disabled by PowerShell commands. So we took this as the basis. All right, well, they claim to be tamperproof. Let's actually see what they can do. So with that, I've talked for eight minutes. So now it's Blake's turn.

>> All right. So uninstalling Zscaler. So typically when you have Zscaler running on your system, an end user is only really going to go to
say, the settings menu or control panel to try to uninstall it, and they'll get a message. They'll get a pop-up window like this: you have to put in the password. Well, okay, that's that direction. But they don't anticipate a lot of users just going through programmatic access, just very simple PowerShell commands. Okay, hey, use basically PowerShell wmic: get whatever the application is based off of this name, Zscaler, and then append the uninstall function. This will wipe out Zscaler from this. It doesn't ask you for a password whatsoever, and at that point it's wiped from your system. Here's another route. Basically this one's in the cmd terminal, but again the wmic command finds where it's like Zscaler, go ahead and uninstall it. [snorts] Here's one that's a little bit different, but you use wmic to get the GUID for Zscaler and then you use msiexec to then uninstall it. And then just pure PowerShell: get the package named like Zscaler, force uninstall. All of these again do not require any sort of password to do this. However, by today they are fixed, or this has been fixed, and now there is a separate password you have to set to protect yourself from this. So a lot of the stuff that we are going to talk about is fixed today; it might just be a misconfiguration on your own end if you don't have these things readily available or set.

So something that a lot of organizations do as well is they try to enforce, you know, there might be some sort of security policy enforcing that you have Zscaler on your systems. Well, usually that's kind of pushed out by something like SCCM, and this is just kind of an example. What you can do to try to stop that is just go hunting through your SCCM folder and just look for these installation files. Again, SCCM is going to be trying to roll this out at whatever predefined time period, and you can just go in and wipe these out. It's never going to get reinstalled. It seems like SCCM tries about once a week, and then after that it gives up. So, just kind of an interesting little side tidbit with it. Oh, back to you.

>> Back to me. Oh, yeah. So this is super simple, a very poor man's way of uninstalling. You can do this on Linux and Mac, right? You just rename the thing. And after you rename the thing, you just reboot and then you can just remove it, right? And the reason you have to reboot is because it does put locks on a lot of these files, and we don't want pesky locks. So we restart the system, and then, hey, we're now Zscaler disabled. And then we just get rid of it.

And speaking of, we can also abuse built-in scripts. So this is kind of what we were talking about with Intune and Jamf, even SCCM to an extent, right? So things get pushed out and a script gets run, right? And sometimes you can modify them and get all screwy with them. Sweet, this video actually looks great on this screen. I wasn't sure it was going to look. So it's a video, but I just want to walk you through what's going to happen, and then I'll talk through the rest of everything, right? Okay. So we're going to uninstall Zscaler, but we're not going to just use the method before. We're not just going to rename stuff, right? We're actually going to use the proper executable to uninstall this. Well, if you've looked at some applications, they have a bunch of weird scripts sometimes in there, and you don't really know what they do. And that's what we found here. So we're just looking at our Mac, and then we see within the Zscaler directory that we have a whole bunch of scripts, right? Like config, any, you know, clear data, etc., right? Well, this clear data one was the one that I thought was really interesting, right? So I was like, what does clear data do? So I, you know, hackerish, look at it, and then I'm like, hey, this is deleting a generic password with com.zscaler, everything, right? And I'm like, that sounds really bad. Like, what happens if an administrator just ran this out of order and you didn't know what happened? So that's exactly what I did. So we look at the script, and then we're going to run this clear data, and that's exactly what it does. It goes through and it deletes everything out of the keychain that says com.zscaler, right? Well, the way Zscaler works is it actually sets a password locally whenever you want to uninstall it, right? And whenever you run the uninstall script itself, it goes and it validates that password. It checks it, right? But if that password isn't there, anybody guess what happens? Yeah, it fails open, right? Cool. Yeah, we love when it fails open. So that's exactly what happens. Woohoo. Right. So we run the script. The password is no longer there. It compares against nothing, and whoa, where did Zscaler go? Yeah, that was my thought, too. It's gone. So, yeah.

So you just use the regular uninstall command or executable, but you run a prerequisite script. So this actually tells you some information about some other security products, right? They're probably storing a local password. If there's a password to tamperproof it, it's probably on the system itself somewhere. So if you delete that password and it goes to do something, hey, it just may fail open for you as well. So that was a pretty cool trick. No, I won't bore you guys again. All right, more bypassing Zscaler, and back to Blake.

>> Yeah. And that's kind of a common theme with a lot of this stuff, too: the same tactics worked across
multiple different products, and even things that we're not talking about here today. The same ideas kind of applied to a lot of different stuff across the board. But so, bypassing Zscaler. Yeah. So one of the things that we tested, and we use this great tool called EDRSilencer out there. I wish I knew who actually created that, because I'd give them a shout out. But essentially it is putting in WFP filters, basically kind of like firewall filters, and you point it at the specific binary. So when the processes start up, it will just basically block cloud access out to the internet for these specific things. And you can see here in the image that Zscaler is having an AV error and it can't reach out to the internet. What does it do by default? Fails open. So you now can access whatever you want out on the internet, and then basically remove all of these firewall filters, and you're right back on; basically no one knows that you did anything to circumvent it.

Another really, really simple one is just keep killing the tunnel process. I created a really simple .bat file: every second it's going through taskkill, just killing that ZSATunnel process over and over and over again. It keeps failing, fails open, you get access to the full internet at that point. And again, both of these have actually been fixed, and they have process protection on these things now, so you can't do these, but the same idea is, again, across the board; you could try this with a ton of different security endpoint tools out there.

VPNs. I'm sure everybody here, or at least some people, have. You can go out to AWS, stand up an OpenVPN server very, very quickly, you know, just a couple of minutes. Install the client locally on your system, force all the traffic through that VPN, and you bypass Zscaler completely as well. Get whatever you need, whatever malware, from the internet, install it on your system, turn this off, and hey, Zscaler doesn't have any idea what you just did.

Oh, this is a fun one. So this is actually as a low-level user: in the registry, there's something called the PAC file, and I don't remember what that stands for.

>> Proxy, proxy thing. Yeah.

>> Yeah. That thing. Yeah. [laughter]

>> So this PAC file, this is actually the rules, essentially, that Zscaler is going to be following for allowing or blocking specific things. Well, a low-level user could go right into the registry and then set this to whatever they would like this to be. So you could put another local file up there. You could put it on a remote cloud server, something else on your internal network. And basically on Windows, you could tell it to allow everything, and this would fully bypass everything for Zscaler as well. And then point it right back to the original thing and you're back in action. No one in your SOC would even notice. I think it was a little bit different on Mac.

>> Yeah, I was about to say, Blake one-upped me on that when he got it to work on Windows. I tried my darnedest; I cannot get it to work on Mac, because the way Mac actually handles the entire proxying, it defaults to Zscaler, not the PAC file itself. Oh, yeah. So this is actually where everything started, right? This entire, yeah, everything, right? So I was looking at Zscaler and I was like, well, how can I mess with this, right? So I started looking at a plist file. Any Mac gurus out here know what? Yeah, there you go, what the plist file is, right? It's basically a properties list. This says, hey, this is the application, and these are the things that, when it runs, it needs to know about. First of all, one is an environment variable for this one set as opt, and it actually just passed in the string zscaler, right? So what happens if you just remove zscaler? That's exactly what I did, right? So I just went in and I edited the plist file. I took the word zscaler out of there, because if it doesn't know what this variable is, then it just fails, right? And this goes back to the same thing. It's failing, and then it has some sort of error. Zscaler is actually pretty good about giving some sort of error within the little GUI that kind of points you in the right direction. Later on we do have some configuration fixes. So it's not all doom and gloom. There are ways to fix this to not make it fail open, but these were configured in a way where, hey, if you broke this, the traffic would just go out wherever, right? And then you just, yep. So that was pretty cool.

Once again, just like Blake did, you just take down the tunnel, right? So if anybody's done any sort of Wi-Fi work, that's exactly what you're doing right here. You just take down the tunnel, or the interface, and then use a packet filter: just, hey, anything that comes through this tunnel, drop it, right? And then you actually get a different error in here, basically kind of the same thing.

Another one: restarting from the UI, right? So we give users access to the UI in a lot of things, right, and a lot of it is locked down, but in this case you can actually really just spam that button. You can just spam it, and for about 10 seconds Zscaler was none the wiser to whatever you were doing, right? This also doesn't require admin or root. Once again, this is another configuration that you can change, but as you see, does anybody know what this is that I'm running over here, what we downloaded from that code? Anybody look at it? Tell... nope, that's secretsdump, right? So yeah, we downloaded secretsdump. Zscaler doesn't care, but generally it does block that; it does not like it.

Another way: by default we could actually just download and install Tor, and all of the Tor traffic would go through Zscaler. Like, it didn't care. And I was like, that's kind of weird, right? Like, Zscaler, you would think, network proxy, block the bad network stuff, right? Well, it didn't. Well, right. Yeah, exactly. Onion? Never heard of the guy, you know, sort of thing. So yeah, this also doesn't require admin or root. And of course somebody from policy out there is screaming right now, "You shouldn't allow applications that you don't know about to be installed," etc., etc. Well, there's actually another bypass for that. That's this top one up here, right? It says Safari Light. Cool, we allow, or you allow, Safari Light in your environment, and that's what we did. Well, that's not actually Safari Light up in the top. We just, once again, told a plist file, hey, this is actually Safari Light, but that's really Tor. So we just renamed Tor to Safari Light and we're like, cool, we're in business again, right? So don't come at me with your policies, you know? [laughter]

And then this is pretty simple too: if you work with Python or anything in your environment, this is a common thing, right? If, from the terminal, you want to run something over some sort of proxy, that's what you do here. And there, yep, there's our secretsdump right there. This, once again, is no big secret. You can kind of do this anywhere. But this does, by default, bypass Zscaler. Once again, we're not just beating up on them. They just exemplified a lot of the things that we were coming across, and we found ways to bypass that. And then kudos to them. We'll talk about it a little bit more later, but they did fix a good amount of these issues. And, all right, we're done with that one. So we also did this to Defender.

>> Yeah, good stuff here. So bypassing
Defender, [gasps] well, obviously with the same thing, EDRSilencer; it's kind of built into the tool name, right? Putting in these WFP filters, you can just point it at the Defender Advanced Threat Protection, so the EDR portion of it, and it will block all the cloud access. And you can do this manually as well; this is just an easy, convenient tool to do it. But this will basically silence it, so all of the telemetry doesn't go out to your SOC anymore. And the one thing you still have to worry about, obviously, is the Defender AV is still working. So that will still send data out. But at least from the SOC's perspective, if they're only paying attention to the Advanced Threat Protection terminal, they're not going to see anything that you're doing at this point. And then, very, very simple, you can just turn off or remove all of these filtering blocks. That's a pretty standard one.

And then this kind of goes out there. I'm sure a lot of people already know this, but if you give people local admin on their Windows systems, you can just download something like Mimikatz. Obviously Defender is going to catch it. It's going to quarantine it and then delete it. Well, maybe a lot of people don't know this: you can just open up Defender's console locally and restore it back to disk, and then there's another pop-up that says, "Do you want to allow it?" Yes. Mimikatz is whitelisted on your system now. And you can see you run it perfectly fine.

>> [snorts]

>> So that's something, you know, we're also sharing a lot of this too so that you can take this back to your own organization. Run these same things. Make sure you have detections, because all this stuff, no one should be doing in your environment whatsoever. And after we did a lot of this stuff, we were finding people in our network doing these things. So yes, pay attention to that. [laughter]

Okay. What about fully disabling EDR? So here is a video. I'll kind of walk through it real quick. We're just going to show here that the MsSense, or the Advanced Threat Protection, is running. And then we're just going to go through and show the permissions on it. You can see that TrustedInstaller is basically the owner. And then we're going to go through, and there's a really, really critical DLL, MsSense.dll. Well, you can tamper with that and then completely wipe out and disable the EDR portion of Microsoft Defender very, very easily. And okay, so yep, we're just showing that it's running. We can see the MsSense DLL. Yep. And it is owned by TrustedInstaller. What we're [snorts and clears throat] going to do first here is take ownership of it. And then we're going to give administrators full access to that specific file. Once we do that, we're just going to go ahead and rename it. You can delete it at this point; you have full ownership of this specific DLL. Go ahead, reboot. And when this comes back online, you'll see MsSense keep trying to start up the service, but it fails because it doesn't know where this really important DLL is now. And at this point, the EDR will be completely killed. Your SOC has no visibility into what your system is doing. They can't quarantine you. They can't isolate your system. They can't jump in and take any sort of preventive actions. And you can see that the service has stopped now. And we have a pretty good response from Microsoft about that.

>> And then, so yeah, so we disabled the EDR portion. For those who aren't familiar, Defender has two different, well, depends on who you ask, but it has two main parts, right? It has an antivirus and it has the EDR portion, right? The actual protection piece, and it does all the telemetry and everything, right? Well, Blake, he disabled the EDR, right? And I couldn't be one-upped, so I had to, you know, disable the AV itself. And I'll go ahead and pause this and I'll kind of talk through it a little bit first as well. So I'm running mdatp health on the Mac, which basically says, hey, what is the status? Tell me everything about Defender, what is going on with the system itself. And then, as you see, it's like, hey, it's healthy, it's true, it's running. We're going to make it very unhealthy here in a second, though, and we're going to do that once again by permissions. So with Defender, what it needs is definitions, right? It needs a library of definitions to be able to say, hey, this is bad, this is bad, right, sort of thing. So what we're going to do is we're going to go into Defender and we're going to change the permissions on the entire directory and make it where nobody could touch it, right? Not even root, right? So we're going to give it no permissions. And whenever it does that, we're going to restart the system, and whenever the AV goes to check back in to the libraries to see if it can do the thing, it's not going to be able to do the thing. So anticipate seeing that.

All right. Back in the beginning, we run this. This is, I'm downloading the EICAR file. I don't know if anybody's familiar with what that is, but basically it's a file, if you ever want to test AV like clam or whatever and say, "Hey, is this seeing the bad thing?" you can download it and it'll see the bad thing. And as you see, Defender actually deleted it. It was like, "Yep, that's terrible." We'll actually pause the video right here. Yeah, it's like, "Hey, that's a bad thing. We're going to delete the file." So it says zero files. Whatever; zero files are there because it already deleted it. Then we're going to go through and we're going to chmod to all zeros on that directory. And then we'll try to look at it, and we look at it, and then we see that, hey, this is actually now false for the mdatp health. We'll go ahead and restart, time travel a little bit, and then we are actually just trying to update the AV, right? It's just, hey, check the definitions, make sure they are all working. And once again we'll check mdatp health; it is very unhealthy now, right? It's like, yeah, I'm not working at all. And just to demonstrate that it actually works, I'll download the EICAR file, and it's on the system. Before, you saw how it automatically got deleted; now it's like one file scanned, and it's still there. So yeah, just with simple file property manipulation, as far as permissions go, you can entirely disable your EDR, your EDR and your AV, right?

So I imagine you're like, "Cool. Did you guys tell Microsoft? You're here at BSides talking about it." Well, of course we told Microsoft about it. So then you're like, "Well, what did Microsoft say about it? Surely they gave you like a $30,000 bounty or something, right?" They were like, "Hey, you could do a lot more damage with administrator access to that." I'm like, "Yeah, but what else, besides disable your AV and EDR? What is more important than that? I don't know." But yeah, so they closed out both of our tickets saying, "Hey, you could do more damage with that." So...

>> Very expensive products that you can
just disable that easily. And it's kind of like >> Yeah. >> All right. And uh into safe mode. >> Oh yeah. Um before we get to that, but it's kind of looped in with this. So we did test another EDR product that we got our hands on uh to do some additional stuff and we found out even with that one uh it you can basically do the exact same thing. A lot of file manipulation uh to just take ownership deny access to everything uh throughout Windows so that none of the specific services could be even executed or run. Uh what you could also do though is if you are local admin on your systems you can get the Bit
Locker recovery key. Nope, I'm skipping forward. Okay. >> Really? Okay. The >> uh you don't need to be local admin to get the Bit Locker recovery key from PowerShell. That's true. >> Okay. I think I only tried it as admin. >> Yeah. >> Um Okay. Interesting. So, yeah, you don't even need to be admin for that. Well, uh obviously once you get into safe mode then as a regular user, you can then just start uninstalling a lot of the really really important stuff like the kernel drivers, taking ownership of those and then deleting all of that stuff. Uh, and that's kind of the point of safe mode. My understanding is that it's to boot Windows into a mode
where almost all third party applications aren't really running. So you can debug and troubleshoot things. Uh, so Bit Locker. Yeah. Uh, here it is. Uh, this real simple command, you can get the Bit Locker recovery key, which as people have stated, you can do this as a low-level user, so even worse uh, than what we anticipated. Um, once you have that, obviously you can go in and start disabling a bunch of stuff. Um, obviously in here too in our experience, uh, you can create new users. You can download things. Well, you can't download things, but if you already have like mimmeats on the system, uh, you're going to be able to run all of these
things and then once you get it back onto your corporate network, it didn't seem like all of these logs then just got dumped and a whole bunch of alerts were generated. uh you were able to do all this stuff kind of blind, get back on the network and no one no one would be any of the wiser that you did these things, creating new local admins, you know, running mimic cats, things like that. Uh crash plan, anybody here familiar with that service? Yeah. So, pretty popular in the backup kind of like uh in the backup space to help with, you know, obviously with ransomware. They don't make any claims that they have tamper protection by any means, but just to
show, you know, this is another really important one for ransomware. You can just very quickly and very easily run the exact same things to uninstall this specific service as well. Now, that's not that big of a deal. It still has tons and tons of backups, right? Well, uh, >> no. >> Okay. Uh, that doesn't really matter. If you go through the actual console that's on your system, you can navigate around and it will bring you to this admin page for your systems. All of the systems that Crash Plan has for you. And very simply, you can just click on the system you want and then set to deactivate. All everything is wiped. Every single backup
that they had on your system for the past 90 days is gone now. Free to do ransomware unless there are other protections, but for the most part, that's kind of the big glaring hole there. Other controls.
>> Yeah. So, there are other controls on your system, right? Besides just the EDR, all this fun stuff. So, simple ones are just like Gatekeeper. If anybody's not familiar with what Gatekeeper is, that's essentially Mark of the Web on Mac. Up here in the top right, you'll see that I'm downloading something just from a local server, but since it's coming from a browser, it puts the Mark of the Web on it,
right? When you go to execute that thing, in this case it's an app inside of a DMG file, nothing malicious, it says, "No, I'm not going to let you run that because you downloaded it from the web." And I'm like, "Well, I'm the administrator, so I'm just going to turn this off." So people in your organization, if they have local admin access, they can just disable Mark of the Web. And if they're doing that, then bad things could happen, because then it actually asks you, "Hey, you sure you want to open this?" It actually gives you the option. And yeah, we've actually run successful campaigns with this. So you hit open and then
it'll just pretty easily run the code over there. We talked about sudo and run-as-administrator access quite a bit. So there's a way you can detect, right, if somebody is running sudo that shouldn't; they're going to get reported to the administrator. Well, we know a way: if you just run it through osascript and just say, "with administrator privileges," it doesn't actually... if you're looking for sudo in your command line, any sort of telemetry, it's not going to show that. It'll show this, and then you get to type in your password and everything. So, this is a pretty neat little trick
to bypass anybody trying, or to bypass any sort of detection around that. Once again, you can erase a lot of things, right? If you're inside your syslog, if you are looking at everything there, or if that's where all your logs are going, you could just delete it. And then this is also another thing that we kind of touched on. You can change... well, does anybody know what immutable is? Somebody shout it out. What's immutable? Somebody say it.
>> Cover something up. There's always a record of what happened in the past.
>> That's right. There's always a record
and then you can't change it, right? So if you set something to immutable, it means it can't be changed anymore. So even if you're the root user, you have to unset the immutable flag on something to be able to touch it again. So as a bad guy, if you want to go in and backdoor or mess with any of these different sensitive files right here, you change it and you set the immutable flag on it. Even if there's something that's supposed to come up and clean afterwards, it won't actually work because you set the immutable flag on it. So that's another neat trick. And what would a talk be
without AI?
>> Oh yeah. Everything has to have AI, right? Including this talk. So AI gets looped into everything these days, and one of the things that we have seen out in the industry is that they're starting to hook AI up for role permissions or granting roles into something like Teams. And maybe you guys have an internal AI bot that handles a lot of that kind of stuff. Well, very simply, you might be able to just ask it to give you local admin permissions on your system. And this might bypass all of the... there might be an approval process for you to normally get that. This might
just give it to you, and it might give it to you at the longest length of time that you're approved for a specific admin. Going into some persistent local admin stuff. This is probably going to be stuff you guys all know, but say you're granted that real brief window of local admin. Well, how do you get that to be a little bit more persistent, continuing to tamper with the system? Well, there is always that built-in local administrator account. Just go ahead and change the password for that specifically. And obviously this might be controlled by something like LAPS, or Local Administrator
Password Solution. Yeah, Password Solution. And by default, this actually sets that password for that user for 30 days. So you could set this for yourself and you might be able to have a semi-persistent local admin for 30 days. And these are things that you need to be aware of in your environment, because there might be people doing this to try to circumvent some of these approval processes. Now, what you can do to make it permanent is just go ahead and uninstall LAPS, but you have to do this after you've set the password. Otherwise, no one's going to be able to get into it whatsoever, unless they have much higher
permissions. So, once you've done this, now you control this account. Any sort of help desk or desktop support that tries to get into your system to do something administratively, they're not going to be able to use that account whatsoever, and they'll be locked out. Obviously you can create your own local admin as well. But in our experience, throughout all of the years, it seems like there's always some sort of script that will strip that away at some point. [sighs] Yeah, exactly. And the reason we're talking about this is because we do need to allow people to do some sort of administrative actions on
their systems, right? And there's a lot of just-in-time access that you do give users temporarily. Well, this is more like, hey, if you give them temporary access so the help desk doesn't need to help them install Adobe, then they could do it themselves, kind of thing. Well, what can they do to bypass that, and then actually maintain that access, even if you put a banner up there that says thou shalt not circumvent security controls? They don't really have to listen. So you can enable the root account. That's a pretty easy one, a neat trick. I don't know if anybody knows about it, but
the root account on Mac isn't enabled by default, but if you're root or if you have sudo access, you can just enable the root account and then use that, and if you don't have anything checking to make sure the root account isn't enabled, it could persist. And here's a list of different things that you could do to create a stealth admin on a system. This is a script that I ran. And the neat parts about this are, I guess, on the third or fourth line where it says unique ID 509, primary group of 80, etc. You see that it's not actually setting anything to the administrators group
itself. So in the Linux/Mac world you can assign different IDs, like the group IDs, directly to the user itself without putting it in those groups. So, if you're doing something like, hey, check for all admins in the group, you're not checking for everybody in group 80 or group 10, the wheel group, that do have admin access. You're just checking for, you know, admins. So, now this goes through, creates a shell, and does eventually add it. And then this script right here is just exemplifying exactly what I was talking about. So, not the cleanest-looking script, but at the top you'll
see, "Hey, this is going through and doing a loop, and it's looking through all of the users, and then it's getting the primary group ID." Well, we see that our stealth admin user is assigned to group 80. But next, if we look at all of the administrators in there, we'll see that our administrator is not in there, right? So, just be careful what you're checking. You need to actually be checking the group ID membership itself, not just relying on "hey, who's in the domain admin group" sort of thing. Another thing: users, they could just add themselves, right? If they have admin access, what's
stopping them from, you know, four or five different ways, especially with AI assistants out there to tell them how to bypass the security controls? How can they just add themselves? They could just add themselves to these and then just set the immutable flags. So that brings me to our users. I want to quickly talk about user stories. Don't have any Jira flashbacks or anything; not those types of user stories. I'm talking about the user stories that you hear from the trenches. So as security professionals, we look at a lot of this stuff, right? And if I asked you, I
was like, "Hey, go to the MITRE framework and show me what you're talking about," most of you would probably come up here: Impair Defenses. That's what almost everything that we're doing is. If you go to ATT&CK, you know, MITRE, this is what most of you would come up with from a technical point of view. Well, what do the users actually see, or what do they hear? They hear no. That's what they hear from you. They hear no, you can't do this. No, you can't do this. This isn't a preachy thing about "hey, allow users to do whatever," because
obviously we don't want to allow the users to do whatever, but we need to give them a reason why you can't do that thing, or at least prevent them from being able to do it in general. And I'll just quickly run through some stories here. This is, I don't know if any of you whippersnappers know, this is Stack Overflow. We used to use this before AI assistants, and this is actually what would give us all the code for us to copy. This is what started a lot of this: basically a contract worker went in there and was like, "Hey, how can I disable Zscaler?" It's just out there for everyone to see,
right? So yeah, you can just disable it. What about talking to the users themselves? Well, we've had this instance of people saying, "Hey, I'm not in the sudoers file anymore, even though I put myself there." Wait a minute, why did you put yourself in there? So users will do crazy and weird things. Like, hey, I wanted to... I forgot what this one is for, but yeah, oh, this is the email saying, "Hey, why did you do this?" "Hey, I'm just vibing, and then I just want to disable some UAC because that's a security control. I don't
really care for that. It makes my job hard. So, let's disable UAC." Actual things that have happened. We've seen these things. But yeah, enough about user stories. More about the disclosure. So, we did actually report all of this to Zscaler, but it took a little bit of relationship management to actually be able to get some of this stuff to go through, because last November is when we reported some of this stuff and it was kind of crickets, but with relationship management, we actually got some stuff moving. And they released patches or have fixes for 14 of the 17 issues. So I
guess if you want to go hunt and see which three still work, have at it. So these are the configurations; if you ask them and say, "Hey, I'm having this issue," these are the things they're going to tell you to do. So okay, I made it easy for you if you want to take a picture and run with that. Oh no, I'm sorry. No pictures, what she said. Yeah, what she said. Mental picture, right. And Microsoft. Yeah, we reported it. No impact there. And then with that, Blake, you want to do the recap?
>> Not prepared for that.
>> Let's see. Recap. Probably not, because I
haven't read it.
>> Oh, okay. It says, "Can you uninstall the thing?" Yes. So yeah, this is just another slide that basically explains all of the ideas, a lot of the bypasses, and how to take advantage of them. And yeah, that's pretty much it. It's usually a picture slide, but go pictures. And with that, any questions? Yeah. Oh, thank you. Yeah.
>> For the week example, when you were running your test...
>> What was it?
>> If we had tamper...
>> Yeah. Supposedly we had everything set to the maximum protections according to all of their standards, but
yeah.
>> Yeah.
>> Yeah. So can you talk a little bit more about what kind of promise, then? Also, with admin rights, stuff like this is always going to be possible.
>> Yes, to an extent, right? So the illusion part, like I spoke about in the beginning, it's that we wanted to challenge the "tamper-proof," right? We have tamper-proof enabled on all of this stuff, but even with admin or low-level user access there is still some way to get around it. So really wanting to challenge that, since that's kind of a buzzwordy thing right now. And then yeah, we had tamper-proof, everything installed.
Any other questions?
>> Any bounty money?
>> No, we're actually trying to get CVEs for some of the stuff as well, since there is a precedent for them actually issuing, but they haven't, so we're here talking about it.
>> Yeah.
>> Okay. Oh yes.
>> Do you have any plans to maybe do what Microsoft suggested, you know, privileges to do worse on that?
>> Good question.
>> Yeah.
>> Yeah, at some point I would say we need to dig into that a little bit more. Let's see what they think is actually bad. [laughter]
>> Yeah.
>> Slides. Yeah. I mean, I guess we can put them up, right?
>> Yeah.
>> Yeah, we should be able to. Yeah.
>> For me?
>> Yeah.
>> Okay. Well, awesome. Thank you very much.
>> If you look at my GitHub, I'll post them up there. Caleb Sergeant GitHub, and I'll put it up there, too.
>> Thank you very much.
>> All right. Thank you, everyone.