
EDR Bypass: From Zero to Success

BSides Edmonton · 2025 · 29:06 · 256 views · Published 2025-10
Category: Technical
Style: Talk
About this talk
BSides Edmonton 2025

This video was captured using a locked-down, unmanned camera. As a result, there may be moments when speakers are not fully in the camera shot. Additionally, the audio quality captured by the podium microphone is dependent on the proximity of the speaker to the mic. This means that variations in audio clarity may occur if the speaker moves away from the microphone during their presentation. We appreciate your understanding of these technical aspects.

EDR Bypass: From Zero to Success by Jia Hu

This talk walks through Jia's journey from having no prior knowledge of what an Endpoint Detection and Response (EDR) system is or how it works, to successfully bypassing it through persistent trial and error. It highlights the evolution of her approach, comparing common failed methods to a novel solution involving an obfuscated PowerShell reverse shell and a "download-and-execute-in-memory" technique.

Transcript [en]

[Music] So first of all, thank you so much everyone for coming today. I know you must be very tired. It's the second day of BSides Edmonton. Uh speaking of BSides Edmonton, uh this is actually my second time here. Uh the first time I got to know this conference is because I think last June on social media. I just saw okay Michael Bowen gonna speaking here. Oh, I was thinking okay cool. I must show up. I gonna attend his talk. This is how I get to know BSides. At that time I wasn't aware BSides is such a global conference so thanks to him I got to know this conference uh also thank you for BSides committee I think they

are doing really a great job and especially Crystal I think she travels from Calgary and she was helping on during this weekend as well she's amazing at planning and organizing so uh today my talk is mainly about my uh master's capstone uh supervised by Michael Bulling just sit standing over there uh he's my mentor instructor I also used to work for him as well okay I'll today I'm I will walk you through how I approach this topic with limited knowledge and to finally find a way to evade EDR it's about Cisco's product. So before our talk, does anyone in this room work for Cisco? No. No. Great. Okay, cool. Which means I can be a little bit honest

doing my presentation. [Music] Um, so who am I? Uh, I'm currently working as a pen tester with secure net. I just graduated from University of Alberta uh this summer. Uh during my capstone research, I find a bug in Cisco's EDR. So, I got my bug ID and I'm actively involved in women cyber security. Uh got a bunch of certifications but not listed here. This is today's agenda.

So first why endpoints matter? We all know endpoints matter otherwise none of us would been sitting in this room. So I'll skip it. Uh second how EDR works. So this is a high-level picture of the EDR systems. In the center we has a uh EDR server which serves as the backbone of the entire architecture. Uh it manages the EDR agents deployed on these endpoints such as mobile phone, laptop, tablet uh coordinating the collection, analysis and uh processing of data. This data also called telemetry which are further uh forwarded to the main EDR server for analysis. Uh we the EDR server has a threat database which holds the updated information about uh cyber threats such as uh indicator of

compromises um malware patterns and we it also use machine learning for advanced behavioral analysis. So, oh I just want to mention as well the threat database also actively pulls the uh threat intel feeds from the cloud and it also provides a web for the administrators to monitor everything. So we have cloud-side component and the client-side components. This is a EDR critical component. uh we have uh telemetry sensor EDR agent. Uh so telemetry every action uh on the system will generate some form of action s from opening a file to creating a new process. Uh this data are called this these are all raw data generated by these endpoints and it's further uh sent

to the EDR agent. The sensor actively collect these activities um such as um yeah we mentioned open new file uh creating a new process and transmit to the EDR agent for analysis. The EDR agent here serves as a middle manager. It uh gathers the telemetry from its various sensors and then forward uh the telemetry to the main server for advanced behavior analysis. Uh so the relationship between these three components can be concluded as the EDR sensors oh sorry the agent handles the telemetry collected by its various sensors. Uh the EDR agent has three can perform three actions. It can log, block or deceive. Deceive means uh the EDR agent tricks the malware think oh it's working but in reality uh it was

being monitored and stopped. Uh as we mentioned earlier, if we combine everything together, the EDR agent deployed on these endpoints uh handles the telemetry from its various sensors. Uh we have network sensor, kernel sensor, DLL hook sensor and file system, external storage sensor. And then the middle manager uh EDR agent will forwards all the telemetry to the EDR main server for uh advanced analysis. We have two types of detections. So there uh we have brittle detection and the robust detection. Uh so brittle detections are designed to catch specific artifact uh such as a simple string or hash-based signature that match known malware. Uh they are very reliable and fast for what they are designed for,

but they're also very fragile because uh signature-based detections are easily to be evaded. And we also have robust detections. Uh robust detections uh focus on behaviors rather than fixed uh strings or exact fingerprints. Uh they Yes. uh they are often backed by machine learning models trained for the environment. So to sum it up, brittle detections are fast but easy to evade while the robust detections are harder to f uh because they focus on patterns of the malware uh rather than exact fingerprints. Uh there are some key features uh of the EDRs. Real-time monitoring, visibility, incident investigation, forensics, integration with threat intel, machine learning and behavioral analysis.

So let's talk about bypass techniques. So first we can modify malware. Um this is mainly used against the signature-based detection. The idea is simple. Uh if a detection relies on a specific hash or signature, even a small change of the code will completely change the hash value. This is why brittle detections are considered fragile. Uh so the malware here is functionally the same but to the EDR it looks brand new. Uh second, we can obfuscate our malware. We make it look so confusing and unreadable so that the EDR systems can't recognize what is really is. Um think of like uh attackers showing up your house disguised as your friends and you let them in but they are not who you

think they are. And third, we can disable the endpoints tools with escalated privileges. Um, and finally, LOL. No, I don't mean laugh out loud. I mean living off the land. We can leverage some built-in tools trusted by these systems, which is great. So that we can conduct some malicious activities. So first uh I started I was thinking about what if I just uh term kill the process since every time a program runs it will spawns corresponding processes. So I I just thinking oh what if I just kill the process by opening a task manager but access denied because here uh we don't have enough permissions or privileges to conduct this action. we are not administrators,

we don't have enough privileges. And then I was thinking if I can uninstall the EDR agents just uh opening control panel but also failed because if we look at the right side uh it said cloud dashboard uh when we configuring the EDR agent uh here we enable the connector protection uh so a password is needed to uninstall the EDR agent and uh What about unload the kernel driver? Um we can either use um command prompt or web GUI to locate the EDR kernel driver. Um but access denied here GIA 2 uh is just a regular user not administrators with less priv per permissions privileges. We are not allowed to do this action. And what if take ownership of the

executable? I uh trying to find the uh execute the path of the executable. And if we look at the uh built-in users RX R means read, X means execute. So for built-in users, we only have read and execute permissions. We are not allowed to write which means I can't grant myself with elevated privileges and oh I started to uh look at the HookChain. So what is HookChain? Um technically it allows malware go strictly into the operating systems so that it was not uh intercepted by EDRs um for analysis. Uh think of it like a security camera installed on every important floor uh of a building. If someone want to open a door, uh the camera will record it and

uh send an alert to the security guy sitting in the control room. The HookChain here uh acts like an attacker. Uh it either smash the camera or throw a cloth over it so that the security guy can't see what's really happening. This is basically how HookChain does. uh it disable it blinds the ears and the eyes of the ids. So uh malicious activities go unnoticed. In our in my example uh the HookChain is able to inject um this is a benign code to a notepad. Uh yeah but the benign code can be replaced by something malicious. For example, if I further replace the uh malicious code with some reverse shell code, but this time it was

immediately blocked. So this method succeeded um with a benign code, but future research is needed to uh evade some when the code is replaced with malicious code. So so far uh we have some failed attempts and some uh and a successful attempt and then we going to talk about what worked in a more restrictive environment. So before I talk about the uh the techniques I used, I'd like to introduce some uh background. So what is a shell? This one? No. So a shell is a program that exposes an operating system services to a human user or other programs. The shell manages the interaction between you and the operating system by prompting you for input. Uh there are different type types of

shell. We have command line shell, graphic shells and in Linux, Windows Unix we have bash shell, we have CLI shell, we have Z shell and the graphic shell uh sits on the top of the the operating system and lets user interacted with in a visual way. So there are some examples of graphic shell. Yeah. Now what is a reverse shell? It's a piece of code but uh it establish a connection initiated from the victim machine to the attacker machine. This method usually can bypass firewall because uh normally by default the outbound connections are allowed by default. But if the connection is initiated from the attacker to the victim, it's inbound connections this time normally blocked

by the firewall. And there are also different types of reverse shell uh based on the network uh protocol used. We have UDP based reverse shell uh ICMP based reverse shell TCP uh HTTP based reverse shell. The first two one are intercepted by in network intrusion detection system while the last one provides no real time interaction. So TCP based reverse shell as the most commonly used uh it provides real-time communication between attacker and victim. It's more stable and it's ideal for interactive sessions. And we can also based on the type of the shell return we have system shells advanced shells such as Meterpreter the and finally another distinction is whether the shell reverse shell is encrypted or not. Okay. So let's talk about the fileless

attack walkthrough. Uh this is my methodology. So first I have my payload but I obfuscate it so that I make it so confusing for the EDR agent to recognize what is really is and then I host my payload uh in my attacker machine. I set up a listener to hear the connections if in the future a connection is initiated from the victim to my attacker's machine. And I transfer this payload from my attacker machine to victim machine by setting up a simple HTTP server. And we and one from the victim machine we fetch our malicious script, malware or other anything else. And we execute the our payload in memory by leveraging living off the land tools.

And if if we are lucky a reverse shell is initiated from the victim machine to our attackers listener and then I can have control over the uh remote control over the victim machine. So this is a screenshot as we can see uh the Cisco's EDR is running properly uh but it's not blocking it. So um Windows by default will not allow unsigned scripts to run. uh in so in order to simulate what an attacker would do in the real life I did so the first command I temporarily disable this uh execution policy so that I can run my script and then uh the second command I fetch download the string I fetch my malicious payload here it's obfuscated script and I

use the IEX it is an alias for Invoke-Expression It's a native PowerShell cmdlet. It's native. It's built in Windows built in the PowerShell. Yeah, we just leverage the living off the land tools and it immediately once it download the script, it's immediately execute it in memory. And here we can see this is my attacker's machine. Uh I set up a net listener. Um here a connection from the victim machine is in is uh successfully connected to my attacker's machine. Uh and I can uh enumerate the host name system info and have remote control over uh this Windows 11 uh victim machine. If we go to cloud dashboard, this action, this outbound connection is actually logged. Okay, the EDR can see

okay there is an outbound connection to the uh remote uh attackers IP but uh since the script is run in memory it can it has no visibility to see what's happening in runtime.

Uh it turns out uh non-obfuscated payload worked as well. So it's uh more a matter of it's the script is um running everything in memory. It's not touched the disks. So no artifacts are left for the um EDRs to analysis to analyze. Uh here are some failed download methods. Um so the first one just manually we click we click and download it and uh we have certutil and Invoke-WebRequest. This the last two are the common methods uh in the PowerShell to download uh to to download remote uh script or what uh anything else but they are all failed. uh it's they are all detected and uh it said the file was quarantined.

So why traditional methods failed? So all of the three uh write file uh in the disks. So the first one uh if we download something it's immediately downloads to our C slashd download folder and the second and the last one uh are first of all they are commonly blocked heavily signatured and it per it it it write uh the file on the disks. So key takeaways. So why this method work? Why this fileless uh attack work method works? Uh so first we obfuscate our payload we obfuscate making it confusing and living off the land tools and finally in memory execution. Yeah, there are some references.

Thank you. Any questions? I hope nobody of you going to ask a chat to trying to ask me some questions or trying to dump me. Okay. Yeah. >> Oh, references. Okay. Yeah, sure. >> Yeah, sure. Yeah.

>> Oh, so it's raw memory. There are some memory forensics. I know some Volatility. If any of you like do threat hunting or something Volatility will conduct some memory forensics. But here maybe for this uh Cisco EDR um oh no uh this EDR [Music] uh it has provides no visibility to see what's a bug. This is why it's a there is a bug. It provides no visibility in the memory at uh when the executable run in runs in runtime. Yeah, but there are some memory forensics tools. A absolutely can uh analyze it if we uh capture this everything in advance. >> Yeah, Pedro. >> How long? >> How long? Uh so I get I got to know this

project since last September. Uh, and then and finish it in January or February. >> Yeah. But >> I I didn't count

>> anymore. Uh it's >> a question about um the initial code that you show on the laptop computer. >> Yeah. >> How did it get in the first place? >> Oh, how did it get in the first place? Um you mean the how I created my malware, my my script or how it transferred to the host? >> How do you trans machine? because it's already bypassed so many steps which have should have been. >> Yes. So um if I go to the previous slide uh this one the Invoke-WebRequest. Oh the IEX. So uh normally I will set up a HTTP server. I have my script in my uh uh attacker machine and I set up a HTTP

server and in my victim machine I will there here is my IP address. This IEX this command can fetch my uh malicious script from the remote remotely and it will once it download get download it will execute uh immediately in memory. I get that on machine. >> Oh, you Oh, I Oh, okay. Okay. I use >> Cisco by default firewall will not allow incoming connection only connection. So, but now with this initial code on the machine >> how does this code? So I write my I prepare my code script in Linux in my in Kali in Kali that there is a PowerShell Core uh it's a PowerShell Core it's it's a Linux version in it's a Linux version so

there these are PowerShell in Windows I have I use a Linux version to write my script to prepare my script so so nothing will be blocked yeah it's because all I prepare everything from my uh in my attacker machine and uh yeah and yeah so this command it can fetch it can fetch remote script and execute in memory if we yeah I don't know if I answer your question or not but if you want to discuss we can afterwards >> if you wanted to get this on my machine today >> uh >> how would you pull that off >> oh okay so this can be conducted with phishing for example phishing And uh okay I finally get sorry um

English is not my first language. So uh you we can so we can conduct some phishing email. There are lots of methods we um red teaming people can tricks you uh send you some phishing email and you click and it will get downloaded. Okay. Thank you for referring. Thank you for help. Okay. Yeah. you try this on other >> um not really because it's at that time this is only the EDR I have access to >> yeah thank you yeah >> so how long did it take >> very quick I think super quick >> yeah yeah yeah I think Um it took less than half a month or a month. Yeah, super quick. And the the their uh incident

response team Yeah. their manager. Yeah. Pretty uh collaborative as well. >> Yeah. >> Yeah. Sure. It's in the very front. Yeah. You need to uh register Cisco uh yet to have access to it. Anymore >> give credit. >> Any more question? >> Cool. Oh, one more.

>> Uh do I explain to you Microsoft?

Yeah, it's a great question. Yeah, maybe I can uh try it with some Yeah, I can I can Yeah, if I can access to their access access to their uh product. Yeah, I can report to them as well. Yeah. Okay, great. No more questions. Wait. Yeah, actually I got a plenty. Maybe you could ask. Oh, maybe I could ask you. Just kidding. Uh, let's see for next time. Thank you everyone.