
You Sh[e|a]ll Not Pass! Gentle Introduction To EDR Bypasses - Riccardo Ancarani & Devid Lana

BSides Dublin · 39:03 · 938 views · Published 2024-06
Category: Technical
Style: Talk

Transcript [en]

so I guess first of all thanks for attending this talk today we're going to talk about a really gentle introduction on uh EDR bypasses hopefully we're going to benefit those who never done this but also hopefully a few tricks for those who have done it and and doing red team engagements so first of all uh some brief introduction my name is Riccardo I work as a principal security consultant at WithSecure UK so what I'm doing is like regulated red teams purple team and and and stuff like that and also with us we also have Devid thank you thank you guys for being here I'm Devid I work as a senior offensive security consultant mostly I

do offensive security operations red team activities purple teaming and adversary simulation all right guys uh maybe this is not something that you're you know particularly new uh but like yeah all the marketing stuff related to the EDR world in general is you know with being too polite is is full of crap not going to lie um you know all the evaluations everyone says oh I have 100% coverage uh even though all the breaches still happen like pretty pretty much regularly so hopefully throughout the rest of the presentation we're going to give you like some advice and you will be able to navigate that world of uh of marketing a bit better and being able to determine

you know that these guys are just lying to us cuz 100% doesn't mean anything uh so first of all for those who are new to this just giving a really brief uh hopefully it's going to be a brief introduction to what EDRs are I mean like I'm not going to spend time talking about like the the acronym whatever but the main purpose of this system is to collect telemetry from endpoints right what does that telemetry do some part on the on the endpoint some part on the cloud that will get aggregated and that will generate alerts for analysts to triage usually those systems provide some some some ways to respond to attacks so you know things like isolating hosts killing

processes and and and stuff like that now the biggest problem what we see when people are describing EDR bypasses in general like blog posts courses and things like that is that most of the people think that the reality is what's on the left like an isolated black box on its own well the reality of big enterprise networks is is much more complex so the EDR is just one piece of the big puzzle so you'll see that you have you know firewalls IDS and stuff like that everything working together uh in people processes and technologies and ultimately you have a human triaging these uh these alerts that all these systems will will eventually do so why am I mentioning this now uh is because

even though this presentation is going to focus only on the EDR aspect right it doesn't necessarily mean that's the only thing that's going to uh you know come into play when dealing with red team operations so what we see on courses and like blog posts research and stuff like that is oh you bypass the EDR then then you're good and not really um because there's a lot of other things that can go wrong so what it means is that yeah okay you bypass the EDR fine a lot of other things can go wrong this is also to say that um considering that we have a human analyst that at the end of the day is going to

triage most of those alerts right and they're the one that has to determine oh yeah this is a false positive or not and I have to escalate it to like layer two whatever your SOC structure might be it means that even if you do manage to sorry if you do trigger some detection on the EDR it might not be the end of the world like I have seen like countless cases where we did trigger alerts and in some cases very specific alerts like Cobalt Strike alerts being closed as false positive just because the analyst the layer one analyst just had no idea how to handle that or just couldn't be bothered or something like that uh but that's the

that's the reality right so for the rest of the presentation we're going to use um Elastic Defend and not because I have anything against it specifically but they're really good at the fact that they're publishing all the detection rules so hopefully we're going to use some of them as a some sort of you know uh training ground to get an understanding on how the detection was built initially maybe we can find some flaws and things like that also it is like you have a 14-day trial product so I highly encourage to to download that and and and give it a go so a few metrics that we're going to use for for this presentation these are going to be

useful to understand what is a bypass what's an evasion and and and stuff like that so obviously really simple telemetry is being able to collect specific events right like do you see like notepad.exe being run on an endpoint or or stuff like that detection as said earlier is the aggregation of telemetry sources different telemetry sources sometimes just to capture malicious behavior like user John Doe ran whatever on on their endpoint prevention again I don't I don't need to explain prevention is just stopping the attack from happening a specific action in particular but the interesting point is the investigation right investigation is when an analyst actually takes charge of an alert let's say and they

start doing some some triaging and stuff like that why is this important because a detection on its own is it's not useful just a message just a ticket on on whatever platform it might be an email or something doesn't mean that someone will actively do anything with that and the reason is that you know these platforms they tend to generate like thousands of of detections uh and so it's not reasonable for you know a human analyst to analyze every single detection that comes from from these platforms right so you know usually they have some sort of threshold let's say if you have a critical alert or if you have X number of medium or high alerts

on a specific host then you know a ticket might get opened and an analyst will look into that um it doesn't mean that you know alerts will just stay unresolved it's just that you know they have a pipeline of things to work on when I'm talking about SOC analysts and so they can't just um analyze everything as it comes in they they they need some sort of way to navigate that mess of uh detections so bear that in mind uh and so let's let's get to the core of this like what's the what's an EDR evasion like what am I talking about right uh and so like it is a bit confusing and a

lot of people in the industry are not too certain about what this actually means right and so like there was a Twitter poll as well that was done a while ago trying to you know gauge what the audience was was thinking and you know you see the the answer like most of them alerts not generated but even the rest it means that there is a fair bit of confusion now for the rest of the presentation what is our definition of EDR bypass is no automatic alerts will get generated so we're not going to talk about response necessarily uh we don't care about that now just means that you know if no alerts are generated we're fine what I mean by fine is not

necessarily that we're going to win on our red team operation that's not true um simply by the fact that you know even if you don't generate any alerts on on a specific EDR that you're working against it doesn't mean that you know maybe a threat hunter will just check your activity at a later point things like that the thing is if you do not generate alerts at least in our opinion your chances of not getting detected throughout the rest of the operation uh will be much higher so no alerts but it doesn't mean that if you don't generate alerts you're going to you know necessarily succeed in your operation it doesn't mean that if you do generate

alerts you're going to get eradicated pretty immediately and another point is um what we mostly see when people discussing bypasses is they just care about shellcode loading like if you know if you have worked with you know frameworks like Metasploit Cobalt Strike blah blah blah you know that people like they do like to think that EDR is just loading the shellcode you see that you know you you maybe get a beacon or something oh I bypassed CrowdStrike and you don't do anything else and that that's just not reality right you you you need to think that red team operations they have you know you have to take certain steps to reach your goals

and not everything is on the initial access side you need to move laterally you need to extract credentials so all the things that we're going to talk about you need to be mindful of them throughout the rest of your presentation if you just get a beacon running on an endpoint I mean good for you uh but yeah there is definitely more to that so when it comes to the different types of evasion and and bypasses we like to use the framework that was created originally by SpecterOps right now this is not the complete framework that they they had more bypasses to be honest but like they were not fully applicable to our cases and maybe some of them we would never use

them so it it wasn't really worth talking about them well what we hope to do is to uh bridge some like gaps from the very theoretical concepts of these frameworks and show some practical examples as well so we're going to start with the first one which is the perceptive bypass simply put uh it's just the sensor's inability to collect certain types of event right the idea is that if you cannot collect specific telemetry how can you detect that uh let's see so let's have this like hypothetical scenario right we've compromised the box and we want to establish persistence and of course we want to maximize our chances of not getting detected right because that's just obvious so our hypothesis is if we

find a specific action to establish persistence that the EDR is just not able to log that you know might increase our chances of not getting detected so to do that we're going to pivot to the EDR Telemetry project which is essentially just a collection of all the major EDR providers with all the different types of telemetry they collect so um again it's on GitHub you can just access it and and we know in in this case we're dealing with Elastic so it's pretty easy to see you know what kind of things Elastic doesn't collect uh by default right um and one thing that that I forgot to mention before uh is that you know of course Elastic they they do publish the rules

so we have an advantage in this case right but the thing is that all the concepts and everything that we're going to explain they will be applicable to situations where you don't have access to the rules that the black-box product whatever is is using so in this specific case we see that the local account creation doesn't get logged natively by Elastic so you see that there is a log icon I I don't I don't know if you can see that what that means is that it can be collected but it needs to be enabled by the uh the native Windows event log so it's not an out-of-the-box configuration that is present on the on

the agent so okay good like we have a we can use that as a some sort of persistence very common like all the ransomware actors they they love creating local accounts and stuff like that so we just hop on our testing box and with anything to be honest like we we're going to use like Atomic Red Team for this uh we're going to execute a very simple test case to create a local account so executing that and validate our hypothesis of whether that they trigger detections or not so we execute the thing and we do actually get detected so why why why is that like are you lying to us not really not really um so as I

said like the advantage the big advantage of Elastic is that we can inspect the rule that triggered and look at the specific definition of the rule so you see that uh you know it it did trigger on the execution of the you know classic net.exe binary with the /add I know if you're doing like red team professionally it's like come on what are you talking about man I know right but this is just an example to showcase a specific concept so it's a very easy detection to to to implement but like yeah okay you said that there is no telemetry for that why then does this get alerted upon so to better analyze that we're

going to pivot to another uh framework I know that a lot of people need a lot of external frameworks to uh study uh but this time this is the capability abstraction and hopefully we're going to use that to better navigate what we're doing as I remember adding a local account is our pers our chosen persistence mechanism so what is capability abstraction it is essentially a framework that allows you to decompose a specific capability again in this case adding local accounts on different layers of of complexity until you reach you know the what's the base case for the event to happen see in the image there is the Kerberoasting action and you see that you have different tools at

the top but then as you go lower into the capability abstraction framework you see what is the base condition for Kerberoasting to happen which in that case is a network request for Kerberoast and stuff so what we're going to do now is translate that to our specific case and try to see if we can rebuild the capability abstraction matrix for our own specific case so I mean guys I'm not a reverse engineer I don't know how to do that I don't even like that to be honest but it is pretty simple to go from the initial implementation of you know what Atomic Red Team was using so using net.exe to understand what kind of API it was

using to to do that and just continue deep deeper until we believe we reach the base condition for a user to be added to a system so again like you can use strings you can use whatever but essentially what you're going to find is that the net.exe is using just NetUserAdd right so a first step of evasion could be okay can we go a step lower so instead of just using net.exe directly we use the the Windows API it's possible but you know Windows API can get hooked and things like that and we don't necessarily want to deal with hooks and and all those kind of things now so um we can we can try and go a

step lower so what I like to do in those cases is to pivot using the ReactOS which is some sort of I believe right Windows uh open source implementation or something like that I I have no idea to be honest I just use it for like finding Windows APIs uh but the thing is if you if you can look at the NetUserAdd implementation and see you know what's the underlying API that that is used and if you do that what you're going to find is that eventually those APIs are going to use the uh MS-SAMR the the uh Security Account Manager Remote Protocol right so it's an RPC protocol that you can use the documentation from Microsoft is a

bit confusing is it's an understatement it's like 200 pages of of PDF but you know if you spend I don't know five ten minutes on it you'll see that eventually you you you can find what's the exact API function that gets called by RPC right so again you see that it's it's it's not too complex from net.exe Windows API RPC call so the idea is that you know the um Elastic detection engineer implemented the detection at a really high level of the capability abstraction framework and it's not a mistake right it's just you know it's a really simple detection that can catch a lot of malicious activity it's also you know always a trade-off between false

positives or not but you know from us like the attacker perspective if we do manage to go lower uh then hopefully we're going to increase our chances of success specifically what we're doing now is to use I really like I I don't even like maybe I wasn't even born when rpcclient was coded initially but you can use that those kind of utilities because that's just the first thing that came to to my mind uh just to create a local user on a machine um just using the RPC protocol and you know there's no surprise if you do that you know there's no no detection from from Elastic simply because it doesn't get logged so how can

you build detection on something that that doesn't get logged I don't know if you know let's speak later um but yeah again it doesn't necessarily mean that all all the hope is lost right of course you can enable you know the whatever advanced auditing is on Windows to get events whenever you create a new account and that will get logged by Elastic but that's not you know an out-of-the-box configuration you need to enable those logs uh manually um and from an attacker perspective you can check if a system has these logs enabled so you know okay they log user account creation and and things like that but if they don't and you know that the product is for example

Elastic whatever other you can you know be almost confident that those specific actions will will not trigger uh uh detection if these are the only product in in use so what is this all for saying again like initially we started from like Atomic Red Team with the MITRE ID if you're doing an assessment and you're relying on these MITRE IDs to to get coverage uh you're going to have a a bad time because uh these are not really uh too useful on on the specific cases the procedural differences from one attack to the other even if they have the same ATT&CK ID is is like immense um and also it means that all these products in

general they're not super bulletproof that's right they they have flaws you need to configure them properly um and also like another thing that I wanted to mention I've mentioned on like on on the specific endpoint but think of different OS versions or like different you know versions of the same operating system I know that a lot of process injection detections nowadays are based on the Threat Intelligence ETW provider right which is really robust and really awesome but if you land on a Windows 7 box or if you do find a Windows 7 box on the network and you jump there that ETW provider is just not existent because you know it's not supported so in general finding places where um

telemetry is not available on like Linux systems Solaris those kind of stuff is where a lot of attackers are moving to nowadays so yeah it's a definitely an interesting one to think about now the logical bypasses again this is a bit tricky right this is finding flaws within the implementation logic of a specific detection rule and this is complex right because maybe in some cases you don't have access to the actual rule that um that people wrote because it's just you know kind of a black-box product in the case of Elastic again it is a bit simpler but the fact that we're using Elastic gives us insight on what other detection engineers might think that uh a good detection is

right so this case we're going to talk about creation of scheduled tasks by low reputation processes again uh you see there that the rule is it it is quite simple if you're used to reading uh whatever Elastic writes uh but you know there is a process creation event from an unsigned process and then you see that there is the in bold you see that there's a file creation on C:\Windows\System32\Tasks the classic directory associated with scheduled tasks right so what can we what can we say about this well we can say that the detection engineer during the rule creation process they identified a base condition right and the base condition in that case was if a

scheduled task gets created then the following file creation event will also be present so file created on the System32\Tasks directory that's an assumption right it doesn't necessarily mean that it's true in fact what we found on on our research is that you can create scheduled tasks simply by modifying the registry right you don't need to create files or or go via the classic Windows APIs you can just add some registry keys and you can create scheduled tasks so you see that there was a flaw in in that logic because they identified the base condition but that base condition was not true or at least it doesn't cover all the different cases that you might

you might face and again this is like it it wasn't it wasn't easy because this requires a level of understanding of Windows internals reversing experimenting and and things like that this was actually done um after a specific malware family um they they were hiding scheduled tasks using some like registry keys like changing the security descriptor of the scheduled task and it wasn't appearing anymore uh on the GUI so we took that a bit further and we managed to create scheduled tasks without generating Windows event logs and without going um via the classic Windows APIs so again as I said it is definitely a bit more complex um but you can find those

you know those different attacks and like you know what what kind of uh base condition people might see as you know Windows service creation maybe some registry keys can can be used maybe some other keys can be used to achieve the same I don't know I've done mine on tasks give me a break um but yeah it's definitely an interesting one and next one I'm going to hand it to Devid for the other types of bypasses thank you Riccardo so configuration bypass guys this is just a quick slide for us it's basically because as an attacker you don't have like capabilities or visibility around the configuration that is done on the back end most of the time the solution

has a management tenant that is in the cloud and only the client and the security engineers or security operations center has access to basically might be that the sensor is not configured to actually capture certain events in this case or on some legacy systems we don't have some capabilities so we can't collect data but also it depends and it's like let's say we are a security engineer we are installing the solution we are configuring in the tenant the switches and we might miss something okay or let's say we have a specific critical system and we try to actually enable features but there's a feature that would slow the system down so basically uh we're going to disable it but an

attacker might use it to his own advantage also EDRs you know are not plug and play they require uh an amount of configuration and timing so they are prone to mistakes by the engineers in this case there is an interesting project here which is Time Exception which shows basically that you can write a specific file in the folder you want to and you monitor the timing of the file right okay so if some file takes more time than the other probably it is going to be scanned by the scanner if the other one is faster maybe you are in a whitelisted folder okay so probably in your post exploitation phase you can just drop your file on disk even like if

you desire to drop a file on disk or stay fileless but in this case might be interesting and also to consider classification bypasses in this case is basically the inability of a product to determine if an event is malicious or not what does that mean let's say we are logging some specific data traffic and we have too much data in this case so it's not reliable to to to create a detection upon it so we we cannot alone using that specific event determine that something is malicious we might work around on IOCs but in this case it's harder okay and often it is is implemented as a filter for

like false positive rates in this case but we have an example here with an Elastic rule which is the unusual Windows native process performing LDAP activity here we have the rule basically what the rule does is checks the execution the start of a process that belongs to System32 or SysWOW64 in this case checks a whitelisted set of processes that are not taken under scrutiny and also checks if the activity that is being performed uh loads a specific system Directory Services DLL so a module a module that allows an attacker to actually interact with the environment like for Kerberoasting like an example that we will see later or LDAP queries in general so to trigger this specific

rule um it's fairly easy what we did was we use Li as a C2 framework we can use whatever framework we like as C2 framework we will execute the built-in Rubeus um Kerberoasting capabilities okay Kerberoasting capabilities and this is actually enough to like cause some bells to ring okay if we check uh what happens behind the scenes basically we execute Rubeus in this case and it will spawn a new process which in this case is notepad.exe which is in the deny list so we are going actually to make something trigger also because we are loading inside the process the DLL that we said before this technique is fork and run

and we get detected a quick win to defend from this would be just remaining in the context of our current process okay like executing a beacon object file or remaining inside the process spawning a thread and doing our stuff almost zero effort but we have a problem here the problem is that imagine you just had your uh access succeeding on a machine and we have this process that has been seen for the first time and it is both calling home your team server so doing HTTP and HTTPS requests and also executing some LDAP queries or post exploitation abilities that work around LDAP in this case it's not the best idea let's say we can we can do better so the

question is are we really blending in here is an example that we Riccardo take under consideration basically we took uh a couple of big corporates and we started querying it using Sentinel in this case for specific processes looking for processes that do LDAP queries okay the idea behind this is injecting into the process or using this process that already does LDAP queries or let's say LDAP traffic and blend in with it okay in this case we chose MMC MMC was also on the whitelisted binaries in the previous rule but again choosing a process that uh normally executes LDAP queries allows us as we said before to uh bypass this specific rule

obviously one thing here is we're using fork and run it's a tradecraft that was really effective like some years ago right now it is easier to catch this technique but this is just an example we want to give you an idea of what happens and when you blend in even if there are other rules that detect execute-assembly we can still proceed and not trigger the rule so ideally if we do this specific like we follow the specific framework the specific methodology we can actually uh discard one by one the rules and bypass them hopefully so again even if there are no alerts Elastic generates some telemetry okay so if you are a detection engineer you can run and try to at least make

make a rule or work around it okay another example might be let's say let's have a context for this for this case we want to do some PKI reconnaissance so actually let's say we compromised a target and we want to see if we can have a quick win with like ADCS you know all the templates all the vulnerabilities uh common research very famous that came up a couple of years ago we can say and choose a specific process in this case it is do W but again we apply the same methodology so we check um processes that perform actually uh queries through the PKI infrastructure and blend in with it so perform our post exploitation inside

this context okay the question is is this really OPSEC safe well of course it depends it depends on the environments and many other variables EDRs are complex products okay so we don't know most of the times because we are lucky in this case that Elastic publishes some rules but again thinking about other products they are like a closed box a black box so we have no idea but anyway this process of course was straightforward for this but uh the principle that we described before can be applied and you can conduct a better operation okay so that's it for the classification bypass so it's mostly about blending in okay right going ahead talking about

tampering tampering is something that you can consider but remember it's risky you know it's risky if you can't evade a defense you can try to turn them off um there have been like I think months ago or a year ago uh a threat actor that was actually uh selling this specific vulnerable driver with a tool with it that allows to kill some EDR solutions like even bypassing the anti-tampering mechanisms but again it's risky because you're loading a driver you probably don't have much control over the kernel and it's easy to uh blue screen the machine or make mistakes and lose the access if you can't turn them off you can just try and compromise their

ability to to report alerts uh an example here might be using firewall APIs of Windows in order to fence the communication between the agent and the tenant okay and trying to stop the alerting mechanism point is is that nowadays most modern EDRs have a way to alert you if the agent communication with the tenant is not happening so this is something to consider during your operation actually product tampering requires administrative access okay and most of the times it requires you to do some system modification so watch out and be careful when you modify the system like registry keys COM objects etc you can do some sensor tampering in this case it exists on userland because

is where we have more control we you can we can uh attack for example ETW with ETW bypasses patching like some functions in memory or API unhooking this is something that is known that has been around for years but is still still effective we left you here some resources and some research then me and Riccardo we attacked a specific product and basically we tried to attack it on multiple um points okay just the communication between the tenant and the agent trying to see if there were like some unprotected processes around it that we could exploit and basically basically that's it so again the tampering part is risky but might be

considered okay I'll hand over the presentation now to Riccardo for the final considerations Riccardo thank you uh one last bit on the tampering side of course there is also the ethical aspect as well because there is a lot of controversy of like oh if you disable a product you're doing red team right and you disable a product then you impede essentially the client's ability to detect actual attackers right that might happen at the same time uh so a lot of people don't really love the idea and and things like that so it's not it's not always our first choice but it is nevertheless like a possibility and a threat that you should consider in your threat model so

lack of response as we said initially right uh you know a security operations center they're not just tools right there are also people and processes involved in it so it might be that something goes wrong with the people or the process maybe the people cannot triage the alerts or maybe the process that they apply is not sufficient to fully eradicate you like this might sound almost obvious but we've we've seen that so many times that you know security operations centers don't validate the response playbook or don't train properly the layer one analysts to actually respond to to attacks so see there is a bit of irony in the modern uh SOC structure where you have you know the

classic three layers so layer one are the people that are in charge of you know picking up the alerts first and deciding whether that's false positive or not but you know they're also the less experienced analysts so you're putting a lot of trust in the hands of people that might not have the same skills as as the other more experienced analysts in the team and usually what we see is a lot of a lot of the times alerts get misclassified as as false positive we've done like an adversary simulation recently where we had to do like a LockBit payload for initial access which was like a DLL side-loading of a VMware

binary or something and in the threat report that was initially published by SentinelOne there was like the payload was was launched by a PowerShell right we didn't because we didn't like PowerShell um and so we essentially double clicked on the on the uh vulnerable binary and loaded our malicious DLL the analysts they they were good in understanding oh that's maybe something not not great but they saw the they found the report online said oh that was not launched using PowerShell so that must be good then um well it wasn't good uh but luckily like they were also very lucky that an analyst with like more experience actually stepped in and said no guys you need to check this again so

of course you know the fact that some alerts might get misclassified it is a concrete possibility also applying response procedures um it is really important and it's also really important when you consider the fact that a lot of modern attacks are also cloud-based and using a lot of SaaS products so we we do have like some stories for example like we had compromised a user with the classic phishing so we had their access token and everything and we did register an application that has like that had Google Drive permissions over that person so there was an application running uh with their with their consent that we actually um added ourselves right so what did the SOC team do when they got

notified they just reset the user password and just called it a day uh but we we still had access um and they were not super happy about that op but yeah thank God I was not honest uh but no there is another real concrete possibility so just to close um again we gave you like a few different examples and it might have looked a bit disjointed in like over adding a user doing LDAP things it's just an example right so what our suggestion is our thought process is whenever you're doing a red team operation think about all the steps that you're doing but not don't consider steps like oh I need to do a process injection I need to run BloodHound and stuff like

that think like more granular I need to do like uh beaconing using HTTP I need to do file operations right and and so for for each one of these operations think like can you avoid being logged somehow and if you cannot get cannot avoid that can you maybe blend in or can you turn off some sensors and and and things like that always try to go to the deepest level possible of these when you when you execute them and whilst as I said initially like we're using Elastic so you know even in the LDAP case yeah we had the rule we could see that mmc.exe was being whitelisted but that's not the point right it's not the point of

looking at what the rule exactly says it is mostly about finding what you know a specific event looks like in a generic non-customer-specific environment and then trying to blend in with those kind of things um so hopefully that was uh um at least vaguely interesting for you we left some resources to continue studying with with all these topics and you know if you have questions you can stop us after this talk but I think we have a few minutes left for questions if you have any thanks thank you

a question I'm very sorry I I was hoping for no questions I'm kidding I'm kidding

say again sorry back up to the yes you explain usually explaining memes is uh is is interesting the acronym no I know the meme I just no so FUD is usually it's fully undetectable right it's like an an acronym that a lot of people they they like to use oh uh this this tool is 100% FUD whatever right it's oh it's undetected by by every product and so uh yeah it's it is annoying so sorry if that wasn't no problem no problem easy okay GG perfect thank you guys again for having us here
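As an added illustration that is not part of the talk: the logical bypass described for the scheduled-task rule, modelled as a small Python sequence-rule evaluator run over constructed events. The rule shape follows the talk's description (unsigned process start, then a file created under System32\Tasks); the TaskCache\Tree registry branch used as a second base condition is a real Windows location, while the event records, pids and the task name are constructed and the code is ours, not Elastic's query or the speakers' tooling.

```python
"""Toy sequence-rule evaluator for the scheduled-task detection discussed in
the talk (added example, not the speakers' code). Events below are constructed;
the rule mirrors the described logic, not Elastic's exact query."""
from dataclasses import dataclass

# Base condition the original rule relied on: the task definition file.
TASKS_DIR = "c:\\windows\\system32\\tasks\\"
# Second base condition: the Task Scheduler also records tasks under this
# registry branch (real Windows path; key names under it are constructed).
TASKCACHE_TREE = ("hklm\\software\\microsoft\\windows nt\\currentversion"
                  "\\schedule\\taskcache\\tree\\")


@dataclass
class Event:
    pid: int
    kind: str           # "process_start" | "file_create" | "registry_create"
    image: str = ""     # executable name, for process_start
    signed: bool = True # code-signing status of the started image
    path: str = ""      # file path or registry key path


def _under(path: str, prefix: str) -> bool:
    """Case-insensitive 'path lives under prefix' check."""
    return path.lower().startswith(prefix)


def _sequence_hits(events, base_conditions):
    """Generic 'unsigned process start, later followed by a base-condition
    event in the same process' sequence. Returns sorted pids that matched."""
    untrusted, hits = set(), set()
    for e in events:
        if e.kind == "process_start":
            if not e.signed:
                untrusted.add(e.pid)
            else:
                untrusted.discard(e.pid)   # pid reused by a signed image
        elif e.pid in untrusted and any(
                e.kind == kind and _under(e.path, prefix)
                for kind, prefix in base_conditions):
            hits.add(e.pid)
    return sorted(hits)


def rule_original(events):
    """Unsigned process followed by a file created under System32\\Tasks.
    Assumes every task creation writes that file, which the talk shows is
    not true for registry-only task creation."""
    return _sequence_hits(events, [("file_create", TASKS_DIR)])


def rule_hardened(events):
    """Same process condition, but either base condition is sufficient:
    a file under System32\\Tasks OR a key under TaskCache\\Tree."""
    return _sequence_hits(events, [("file_create", TASKS_DIR),
                                   ("registry_create", TASKCACHE_TREE)])


def coverage_gap(events):
    """pids the hardened rule alerts on that the original rule misses."""
    return sorted(set(rule_hardened(events)) - set(rule_original(events)))


# --- constructed telemetry (pids, image names and task name are made up) ---
def task_file(name):
    return "C:\\Windows\\System32\\Tasks\\" + name


def tree_key(name):
    return ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
            "\\Schedule\\TaskCache\\Tree\\" + name)


TASK_NAME = "Updater"   # placeholder task name

# A signed, legitimate scheduler client creating a task: no alert expected.
SIGNED_SCHTASKS = [
    Event(100, "process_start", image="schtasks.exe", signed=True),
    Event(100, "file_create", path=task_file(TASK_NAME)),
    Event(100, "registry_create", path=tree_key(TASK_NAME)),
]
# An unsigned process going through the normal API: both artefacts appear.
UNSIGNED_API_TASK = [
    Event(200, "process_start", image="dropper.exe", signed=False),
    Event(200, "file_create", path=task_file(TASK_NAME)),
    Event(200, "registry_create", path=tree_key(TASK_NAME)),
]
# The case the talk describes: only the registry branch is touched.
UNSIGNED_REGISTRY_ONLY = [
    Event(300, "process_start", image="dropper.exe", signed=False),
    Event(300, "registry_create", path=tree_key(TASK_NAME)),
]

if __name__ == "__main__":
    sample = SIGNED_SCHTASKS + UNSIGNED_API_TASK + UNSIGNED_REGISTRY_ONLY
    print("original rule alerts on pids:", rule_original(sample))
    print("hardened rule alerts on pids:", rule_hardened(sample))
    print("missed by the original rule:  ", coverage_gap(sample))
```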