Bypassing EPP — Chapter 3
Evading endpoint security requires several steps and leverages numerous tools that make it possible to carry out sophisticated attacks on a larger scale and considerably faster. The results certainly depend on the skills of the attacker, but also on the scope and the time allocated to each step of the analysis. The cyber kill chain is broadly shared by all, but relies on many tools to implement it. Some only expose weaknesses or give an overview of the network at a very specific point in time; the added value lies in the ability to integrate these different kits and make them interact with each other.
There are various tools to assist here: from traceroute for network mapping and nmap for port scanning, to OpenVAS for vulnerability management, to Metasploit, the most widely used penetration testing framework in the world, which automates a large amount of tedious work.
Another set includes Burp Suite for web application pentesting, Wireshark as a network protocol analyzer, Hydra for online password brute-forcing, OWASP ZAP for detecting vulnerabilities in web applications, and sqlmap for exploiting SQL injection vulnerabilities.
After leveraging the techniques above to compromise a system, the post-exploitation process grows in complexity because of protection controls such as IPS, NDR and, specifically, EDR.
This step-by-step guide illustrates endpoint evasion in the post-exploitation phase using Shellter, the first dynamic infector for the PE (Portable Executable) file format of 32-bit Windows applications.
Shellter is capable of re-encoding any native 32-bit standalone Windows application. Since we are trying to avoid AV detection, we need to avoid anything that might look suspicious to AV software, such as packed applications or applications that have more than one section containing executable code.
We used Shellter to encode many small “.exe” program files such as “cpuz.exe” and “google.exe”; we even tried naming a small file after the EDR itself, “EDR.exe”.
At this stage the EDR blocked all the exploits and threats: the different programs, encoded with different methods, were all blocked and quarantined (Figure 2).
To sidestep that, we used Shellter to encode the EDR installation software itself, “EDRUnifiedSetup.exe”, embedding in it a payload that gives access to the machine.
Figure 3 highlights the Metasploit exploit and the options needed to attack the victim machine, and Figure 4 shows the reverse TCP handler started.
After running the “EDRUnifiedSetup.exe” file on the victim machine we got a shell. The EDR solution did not detect it!
As we can see, we got full admin access to the machine.
In order to maintain access, we added a second user on the machine.
The new user ‘Test’ with a password has been added to the victim system.
Lateral Movement using PsExec
We also tried to gain shell access from an external machine using a tool called “PsExec”, and we succeeded!
PsExec is a portable tool from Microsoft that allows you to run processes remotely using the credentials of any user. You can use PsExec not only to manage processes on the remote computer, but also to redirect the console output of an application to your local computer, making the process appear to be running locally.
Several system commands can be executed from the PsExec session. Once privileges are escalated, we have full authority over the system, even though it is unauthorized access. We can now change, delete or create new malicious files, tamper with system-wide settings, disclose confidential information, etc.
The EDR did not detect any malicious activity; we gained access to the system easily and without any restriction, and escalated privileges seamlessly. Hence, behavioral analysis is still lacking in the EDR’s arsenal.
To conclude, the volume of online attacks has been growing for years, but lately we have seen a notable increase in certain categories, with reports stating that almost 70% of outbreaks pass through endpoints: laptops, workstations, mobile devices, etc. Endpoint protection is still wide open to attacks despite technical advances, and major malware breaches are predicted to occur in the next few years.
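As an added detection example (not part of the original article), the small Python detector below flags, from constructed Windows event records, the two behaviours described above that the EDR missed: the ‘Test’ account being created and granted admin rights, and a PsExec service being installed. Event IDs 4720/4732/7045 and the PSEXESVC service name are the standard Windows and Sysinternals values; the event records themselves are constructed.

```python
# Added example, not from the original article: a minimal detector for the two
# post-exploitation behaviours the post says the EDR missed, a new local user
# being created and a PsExec-style remote service install. The event records
# below are constructed; IDs 4720/4732/7045 and PSEXESVC are standard values.
from dataclasses import dataclass, field

@dataclass
class WinEvent:
    log: str          # "Security" or "System" channel
    event_id: int
    fields: dict = field(default_factory=dict)

# Constructed sample events, shaped like Windows event log records.
SAMPLE_EVENTS = [
    WinEvent("Security", 4624, {"TargetUserName": "admin", "LogonType": "2"}),
    WinEvent("Security", 4720, {"TargetUserName": "Test", "SubjectUserName": "admin"}),
    WinEvent("Security", 4732, {"TargetUserName": "Administrators", "MemberName": "Test"}),
    WinEvent("System", 7045, {"ServiceName": "PSEXESVC",
                              "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    WinEvent("System", 7045, {"ServiceName": "Spooler",
                              "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"}),
]

def detect(events):
    """Return (rule, detail) findings in event order, then correlated ones."""
    findings, created, made_admin = [], set(), set()
    for ev in events:
        if ev.log == "Security" and ev.event_id == 4720:
            # 4720: a user account was created
            user = ev.fields["TargetUserName"]
            created.add(user)
            findings.append(("local_user_created", user))
        elif (ev.log == "Security" and ev.event_id == 4732
              and ev.fields.get("TargetUserName") == "Administrators"):
            # 4732: a member was added to a security-enabled local group
            member = ev.fields["MemberName"]
            made_admin.add(member)
            findings.append(("added_to_local_admins", member))
        elif ev.log == "System" and ev.event_id == 7045:
            # 7045: a service was installed. PsExec drops PSEXESVC.exe and
            # registers it; -r can rename the service, so check the path too.
            name = ev.fields.get("ServiceName", "").upper()
            path = ev.fields.get("ImagePath", "").upper()
            if name.startswith("PSEXE") or "PSEXESVC" in path:
                findings.append(("psexec_service_installed", ev.fields["ServiceName"]))
    # Correlate: a freshly created account that was also granted admin rights
    for user in sorted(created & made_admin):
        findings.append(("new_user_granted_admin", user))
    return findings
```

Run against a real export (for example, events parsed from `wevtutil` XML output) the same function gives a first behavioural signal for the persistence and lateral-movement steps the post describes.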