'Blindside' Attack Subverts EDR Platforms From Windows Kernel

upnorth

A newly pioneered technique could render endpoint detection and response (EDR) platforms "blind" by using hardware breakpoints to launch a process in which the user-mode Windows API layer (NTDLL) is never hooked. This potentially gives malicious actors the ability to execute any function in NTDLL and deliver a payload without the EDR seeing it, researchers warned.

The Cymulate Offensive Research Group, which discovered what it calls the "Blindside" technique, noted in a report released Dec. 19 that the injected commands could be used to perform any number of unexpected, unwanted, or malicious operations on a target system. Blindside creates an unhooked process: the hooks that EDR platforms place on API functions (which let one application intercept and inspect the calls another application makes) in order to decide whether behavior is malicious are simply not present in that process.

Because many EDR solutions rely entirely or heavily on hooks to track behaviors and malicious activities, they would be unable to track the behaviors of a process launched with Blindside, the researchers explained. Mike DeNapoli, director of technical messaging at Cymulate, notes that there are other methods to block hooks, but they depend heavily on cooperation from the operating system. Not so with Blindside. "Blindside leverages hardware operations and can work in circumstances where other methods fail," he explains. The hardware operations in question are the CPU's debug registers: a hardware breakpoint is armed by writing an address into DR0-DR3 and enabling the slot in DR7, so no code has to be patched to make the processor stop at a chosen instruction. DeNapoli also points out that the use of hardware breakpoints for malicious outcomes is not entirely new, explaining that researchers have long known that various forms of breakpoints can be used to evade detection on x86 architectures. Blindside, however, takes a slightly different approach.

"Previous threat methodologies and techniques have focused on the virtualization of a process, or the use of syscalls to accomplish their goal," he says. "Blindside adds the use of specific debugging breakpoints to force a process to launch without hooks, which is what makes it a new technique."
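The article does not say where Blindside places its breakpoint or how it handles the resulting debug event, so the following is an added example of the building block only, not Cymulate's code: it encodes and decodes the DR7 enable and control bits used to arm an execute breakpoint in one of the four debug-register slots, and, on Windows, applies that encoding to a thread with `GetThreadContext`/`SetThreadContext` (real APIs, assumed here as the way a practitioner would drive the registers from user mode). The `thread_armed_slots` function is the defender-side counterpart: a thread with armed debug registers and no debugger attached is worth a second look.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, Debug Registers):
 *   bits 0..7   : L0 G0 L1 G1 L2 G2 L3 G3   local/global enable for each slot
 *   bits 16..31 : for slot n, R/Wn at bit 16+4n (2 bits), LENn at bit 18+4n (2 bits)
 *   R/W = 00 execute, 01 write, 11 read/write; LEN must be 00 for an execute breakpoint.
 */
#define DR7_LOCAL_ENABLE(slot)   (1ULL << ((slot) * 2))
#define DR7_GLOBAL_ENABLE(slot)  (1ULL << ((slot) * 2 + 1))
#define DR7_CONTROL_MASK(slot)   (0xFULL << (16 + (slot) * 4))

/* Return DR7 with an execute breakpoint armed in `slot` (0..3); other slots untouched. */
uint64_t dr7_arm_exec(uint64_t dr7, int slot) {
    if (slot < 0 || slot > 3) return dr7;
    dr7 &= ~DR7_CONTROL_MASK(slot);   /* R/W = 00 (execute), LEN = 00 (1 byte) */
    dr7 |= DR7_LOCAL_ENABLE(slot);    /* local enable is all a per-thread breakpoint needs */
    return dr7;
}

/* Return DR7 with `slot` fully disarmed. */
uint64_t dr7_disarm(uint64_t dr7, int slot) {
    if (slot < 0 || slot > 3) return dr7;
    dr7 &= ~(DR7_LOCAL_ENABLE(slot) | DR7_GLOBAL_ENABLE(slot));
    dr7 &= ~DR7_CONTROL_MASK(slot);
    return dr7;
}

/* Bitmask (bit n = slot n) of slots enabled locally or globally. */
unsigned dr7_armed_slots(uint64_t dr7) {
    unsigned mask = 0;
    for (int s = 0; s < 4; s++)
        if (dr7 & (DR7_LOCAL_ENABLE(s) | DR7_GLOBAL_ENABLE(s))) mask |= 1u << s;
    return mask;
}

/* 1 if `slot` is armed and configured as an execute breakpoint (R/W == 00). */
int dr7_slot_is_exec(uint64_t dr7, int slot) {
    if (slot < 0 || slot > 3) return 0;
    if (!(dr7_armed_slots(dr7) & (1u << slot))) return 0;
    return ((dr7 >> (16 + slot * 4)) & 3) == 0;
}

#ifdef _WIN32
#include <windows.h>
/* Arm an execute breakpoint at `addr` on a suspended or debugged thread. */
int set_hw_exec_breakpoint(HANDLE thread, int slot, uintptr_t addr) {
    CONTEXT ctx;
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if (slot < 0 || slot > 3 || !GetThreadContext(thread, &ctx)) return 0;
    switch (slot) {
    case 0:  ctx.Dr0 = addr; break;
    case 1:  ctx.Dr1 = addr; break;
    case 2:  ctx.Dr2 = addr; break;
    default: ctx.Dr3 = addr; break;
    }
    ctx.Dr7 = dr7_arm_exec(ctx.Dr7, slot);
    return SetThreadContext(thread, &ctx) != 0;
}

/* Defender side: which hardware breakpoint slots does this thread have armed? */
unsigned thread_armed_slots(HANDLE thread) {
    CONTEXT ctx;
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if (!GetThreadContext(thread, &ctx)) return 0;
    return dr7_armed_slots(ctx.Dr7);
}
#endif

/* Arms slots 0 and 3, disarms slot 0 again, and returns the remaining armed mask. */
int demo(void) {
    uint64_t dr7 = 0;
    dr7 = dr7_arm_exec(dr7, 0);
    dr7 = dr7_arm_exec(dr7, 3);
    printf("DR7 with slots 0 and 3 armed: 0x%llx (mask %u)\n",
           (unsigned long long)dr7, dr7_armed_slots(dr7));
    dr7 = dr7_disarm(dr7, 0);
    printf("DR7 after disarming slot 0:   0x%llx (mask %u)\n",
           (unsigned long long)dr7, dr7_armed_slots(dr7));
    return (int)dr7_armed_slots(dr7);
}

int main(void) { return demo() == 8 ? 0 : 1; }
```

The encoding half is portable and is what the test exercises; the Windows half is where the check for an EDR lives, since a thread whose DR7 has enable bits set while no debugger is attached is the footprint the article says this class of technique leaves. Note that debug registers are per thread and are saved and restored by the kernel on context switch, which is why a user-mode caller can set them through the thread context rather than by touching the hardware directly.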