App Review AV/EDR challenge

Content created by: Jonathan Beierle and Logan Goins

Andy Ful

From Hard_Configurator Tools
In March and April 2024, I presented a series of videos about bypassing AV solutions:

App Review - The Comodo's challenge.

App Review - Comodo's challenge part 2.

App Review - Eset's challenge.

App Review - Microsoft Defender's challenge.

App Review - Bitdefender's challenge.

App Review - The Zone Alarm challenge.

App Review - The Emsisoft Enterprise Security challenge.

App Review - Avast's challenge.

I reported the attack method with all details to any interested AV vendor (Microsoft in the first place). Microsoft documented the method well a few years ago, although not for malicious actions. I discovered it when working on the WHHLight application, which uses custom WDAC policies. The attack method uses the Windows built-in security mechanism, which is why I could bypass all tested security solutions. For security reasons, I did not publish the details of the method. Now, other researchers have published the details:

  • WDAC as a Way to Impair Security Defenses — Cybersecurity researchers have devised a new attack technique that leverages a malicious Windows Defender Application Control (WDAC) policy to block security solutions such as Endpoint Detection and Response (EDR) sensors following a system reboot. "It makes use of a specially crafted WDAC policy to stop defensive solutions across endpoints and could allow adversaries to easily pivot to new hosts without the burden of security solutions such as EDR," researchers Jonathan Beierle and Logan Goins said. "At a larger scale, if an adversary is able to write Group Policy Objects (GPOs), then they would be able to distribute this policy throughout the domain and systematically stop most, if not all, security solutions on all endpoints in the domain, potentially allowing for the deployment of post-exploitation tooling and/or ransomware."

Edit.
Post updated. I changed the source article and citation.
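The article quoted above describes a WDAC policy that takes effect after reboot and blocks EDR sensors, so a defender wants to know which policies are active on a host before that reboot happens. The following PowerShell is an added example, not code from the thread or from the researchers; it inventories the on-disk policy files, compares their hashes against a baseline (the `$KnownGoodHashes` list is a placeholder to be filled from a trusted host), reports enforcement state, and lists recent policy activation events (ID 3099 in the Code Integrity log). Run it in an elevated session.

```powershell
# Added example (not from the thread): inventory active WDAC policies and flag unknown ones.
# $KnownGoodHashes is a placeholder; populate it from a host whose policies you trust.
$KnownGoodHashes = @(
    '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder value
)

# Both locations WDAC uses: the legacy single-policy file and the multiple-policy folder.
$PolicyPaths = @(
    "$env:SystemRoot\System32\CodeIntegrity\SiPolicy.p7b",
    "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active\*.cip"
)

function Get-WdacPolicyInventory {
    foreach ($p in $PolicyPaths) {
        Get-Item -Path $p -ErrorAction SilentlyContinue | ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{
                Path       = $_.FullName
                LastWrite  = $_.LastWriteTime      # a fresh timestamp on an unknown file is the signal
                SHA256     = $hash
                InBaseline = $KnownGoodHashes -contains $hash
            }
        }
    }
}

function Get-RecentPolicyActivations([int]$Days = 7) {
    # Event 3099 records a Code Integrity policy being loaded or refreshed,
    # which is the moment a newly dropped policy starts to bite.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3099
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

# Current enforcement state: 0 = off, 1 = audit, 2 = enforced.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
"Kernel-mode CI enforcement: $($dg.CodeIntegrityPolicyEnforcementStatus)"
"User-mode CI enforcement:   $($dg.UsermodeCodeIntegrityPolicyEnforcementStatus)"

$inventory = Get-WdacPolicyInventory
$inventory | Format-Table -AutoSize
$unknown = $inventory | Where-Object { -not $_.InBaseline }
if ($unknown) {
    Write-Warning "$(@($unknown).Count) WDAC policy file(s) not in baseline; review before the next reboot."
}

Get-RecentPolicyActivations | Format-Table -AutoSize
```

A policy pushed by GPO lands in the same locations, so the inventory is equally useful for spotting an unexpected domain-wide deployment.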

Bot

Impressive work on these AV bypassing challenges! It's crucial to keep AV vendors updated about potential vulnerabilities. The discovery about WDAC is especially noteworthy. It's a reminder of how important it is for cybersecurity defenses to stay one step ahead. Thanks for sharing these insights and your video series.

WhiteMouse

I thought of this attack method when I used SpyNetGirl's method to limit which kernel-mode drivers can run on my computer. But it's not very useful because I haven't found any way to run it from a standard user account.

The only way I could think of is if I have physical access to a computer (even with BitLocker): I can put a signed policy that blocks all AV drivers onto the EFI partition.

Andy Ful
But it's not very useful because I haven't found any ways to run it from standard user.

You haven't found it, but SUA was bypassed several times in the past and will be bypassed many times in the future. Anyway, non-enterprise users on SUA may sleep soundly because they are no targets of such attacks. Almost all attacks with UAC bypasses are prepared for Administrator accounts. Some well-known UAC bypasses are still functional against most AVs. One month ago, I successfully used such a bypass against Microsoft Defender, Comodo, and Avast. Microsoft Defender detected the attack and killed the elevated process in a split second, but the attack was slightly faster.

bazang
But it's not very useful because I haven't found any ways to run it from standard user.
SUA compromise almost always involves a threat agent targeting a business or organization.

UAC can be bypassed on SUA; SUA and UAC are just a speed bump along the threat agent's path to persistence and lateral/vertical pivoting, and ultimate pwn.

Combined/integrated with/packaged with the right exploit or chain of exploits, it could be 100% hidden, virtually undetectable remote code execution and nobody would be the wiser. While you were blissfully using your SpyNetGirl protected SUA, the enemy is within your system and hard at work stealing data, performing reconnaissance, inventorying what is on the network, and exploring pivots.

This is the stuff that 5 million and 10 million Euro exploits are made of. Typically, it is nations that are interested and willing to pay for this class of exploits. However, lately, the drug cartels and terrorist organizations have been actively marketing that they are buying and willing to pay. Just think - drug cartels have more money than some countries' total national operating budgets.

It is a waste of time to think or worry about this sort of stuff unless you are a political or ideological dissident and you are targeted by nation-state threat agents. If you are a political or ideological dissident, then my advice is "Don't do that." Best way to not become a target.

bazang
Because of the secrecy, I surmised that you had done something more complex, but this is a well-known thing even before WDAC.

Threat actors have used GPOs, AppLocker and SRP to block security software. They would complete their attack and then before leaving the targeted information system (e.g. entire organizational network) they would remove their malicious services, clean-up associated attack files, and then finally create a policy of "* = Block" and push it as they exited. Then many systems in the network would get bricked. The point of it all was to very effectively thwart any attempts at forensic analysis (e.g. of data in primary memory [RAM]).

Andy Ful
Because of the secrecy, I surmised that you had done something more complex, but this is a well know thing even before WDAC.

Yes, the method is generally classified as Impair Defenses (MITRE ATT&CK Technique T1562, Enterprise). However, the attackers rarely used Windows built-in features to impair preventative defenses.

Furthermore, that method has been well-known for many years in medicine. It is called an allergy. I inserted the "allergen" into the Windows system, and the system reaction invalidated some functionality of AVs. Some allergies can kill, and we can translate this to killing AV.

Allergies, also known as allergic diseases, are various conditions caused by hypersensitivity of the immune system to typically harmless substances in the environment.

Using Windows built-in security for malicious actions is also similar to HIV (human immunodeficiency virus). I hope that AV vendors are better prepared to prevent the "disease".

WhiteMouse

Microsoft will enable administrator protection soon, and there's no excuse not to run the demo attack from a standard account. Every time I have an idea, I always give Defender the best chance to survive (enable as much protection as possible if it doesn't affect usability, like HIPS); if I fail, it's my fault and I have to study more.

bazang

Yes, the method is generally classified as Impair Defenses (MITRE ATT&CK Technique T1562, Enterprise). However, the attackers rarely used Windows built-in features to impair preventative defenses.
Mostly they are disabling Windows and other Microsoft software defenses and any associated logging.

Splunk has rules to detect AppLocker abuse to disable Windows' built-in security. It is used frequently in enterprise and governmental organization deployments. These organizations have very high cybersecurity maturity. So they are the exception and not the rule.

bazang

Microsoft will enable administrator protection soon and there's no excuse to not run the demo attack from standard account.
This will not protect against certain bypasses.

The entire point of SUA is that the USER is granted restricted permissions and privileges.

SUA provides only marginal protection in the case of certain exploits and against post-exploitation malicious activities.

SUA is equivalent to a very small speed bump in the IKEA parking lot.

Sephirothnight

Hello Andy Ful, your videos on the workarounds were very interesting, but have the editors who had your files reacted since? Have they made updates or improved their detections? Who did something, or did they do nothing? Thanks

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,654
Hello Andy Ful, your videos on the workarounds were very interesting, but have the editors who had your files reacted since? Have they made updates or improved their detections? Who did something, or did they do nothing? Thanks

Some vendors kindly thanked me for my hard work. Microsoft suggested that I might work on bypassing the Standard User Account. Some vendors ignored me, so I assumed they already knew that attack vector. :)
Currently, this attack vector is not a direct threat to non-enterprise users, so I do not feel obliged to test possible improvements. Anyway, I do not exclude such tests in the future.

Andy Ful
Pretty easy to bypass Kaspersky. Can you do Kaspersky in next challenge?

Kaspersky was bypassed in the AV challenge, but I did not make the video. I was in contact with the staff and provided all needed information. I do not plan to make AV challenge tests soon.
