In this edition of Bypassing Defenses, we’ll highlight how we were able to bypass the Endpoint Detection and Response (EDR) solution Symantec Endpoint Protection on a recent Red Team engagement, enabling the execution of known malicious tools without detection or prevention.

The beginning of this engagement was particularly frustrating, as the client used CrowdStrike Falcon as the primary EDR solution in their environment. CrowdStrike Falcon gave us a difficult time by preventing several tools, techniques, and procedures (TTPs) that had successfully evaded it on prior engagements. Our progress was affected enough that it forced us to focus on how to bypass CrowdStrike, rather than on arguably more important aspects of the engagement such as identifying security misconfigurations and/or gaps in alerting and response.

Luckily, CrowdStrike Falcon provided enough wiggle room that we were able to use tools to perform password guessing attacks against domain user accounts. The password guessing attacks led to the compromise of credentials for an account that had Local Administrator privileges over a limited number of systems in the environment. Specifically, the compromised account credentials provided remote administrative access to hosts running legacy operating systems that used Symantec Endpoint Protection, which is un/fortunately easy to disable with Local Administrator access.

Access to legacy systems running Symantec Endpoint Protection allowed us to continue the Red Team engagement without having to further interact with CrowdStrike Falcon.

Tamper Protection

An attacker with Local Administrator access to a system can typically perform any action they want on that system, such as performing sensitive operating system-related actions or disabling host-based security products, as described in this Cylance post. I emphasize the term typically because modern EDR solutions should have built-in tamper protection technologies that prevent an attacker from disabling the security product, despite the attacker having Local Administrator access or full control over the system.

In the case of Symantec Endpoint Protection, their implementation of tamper protections is a bit lacking. An attacker with Local Administrator credentials, remote access, and a single command can disable Symantec Endpoint Protection by killing the process ccSvcHst.exe.

To give Symantec Endpoint Protection some credit, it has some form of tamper protection capabilities, as it will try to restart the ccSvcHst.exe process almost immediately after the process is killed. However, Symantec Endpoint Protection will stop attempting to restart the ccSvcHst.exe process for several minutes if the process is killed multiple times in a row. This leaves Symantec Endpoint Protection temporarily disabled and provides an attacker plenty of time to execute TTPs before it attempts to re-enable itself.

Using this technique, we were able to complete the rest of the assessment using only legacy systems that ran Symantec Endpoint Protection, and to use any known malicious tool that we wanted.

EDR Solutions

EDR solutions in their current state should not be thought of as an effective means of preventing or detecting an attacker of moderate or high skill level.

At their best, EDR solutions should only be expected to be effective against known tools, techniques, and procedures with no bypass techniques applied. While this may not seem like much, EDR solutions still play a critical role in a layered approach to a more secure environment. Through a combination of host- and network-based protections, comprehensive and responsive alerting, following best practices, training, etc., your organization can work towards shrinking the attack surface available for an attacker to take advantage of.

A great way to validate the effectiveness of your organization’s security program is to conduct adversarial simulation exercises. These exercises mimic the actions of a true attacker, helping to identify the security gaps attackers are most likely to exploit. Adversarial simulation exercises will also allow you to train and assess your staff by providing realistic experience in handling active cyber incidents.

White Oak Security is a highly skilled and knowledgeable cyber security testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion.
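The kill-and-restart pattern described in the Tamper Protection section above is also what a defender can hunt for. As an added example that is not code from the original post or from White Oak Security, the following Python detection runs over a constructed, Sysmon-style process create/terminate log (the line layout, host names and timestamps are assumptions made for this example) and flags any host where ccSvcHst.exe is terminated repeatedly within a short window, or is not restarted within the grace period its own tamper protection would normally manage:

```python
from collections import deque
from datetime import datetime, timedelta
# Constructed Sysmon-style sample, not real telemetry. Assumed layout per line:
# <ISO timestamp> <host> <event id> <image>; id 1 = ProcessCreate, 5 = ProcessTerminate.
SAMPLE_EVENTS = """\
2023-01-01T10:00:00 host1 5 ccSvcHst.exe
2023-01-01T10:00:02 host1 1 ccSvcHst.exe
2023-01-01T10:00:10 host1 5 ccSvcHst.exe
2023-01-01T10:00:12 host1 1 ccSvcHst.exe
2023-01-01T10:00:20 host1 5 ccSvcHst.exe
2023-01-01T11:00:00 host2 5 ccSvcHst.exe
2023-01-01T11:00:01 host2 1 ccSvcHst.exe
"""

def parse_events(text):
    """Parse the sample into (timestamp, host, event_id, image) tuples sorted by time."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ts, host, event_id, image = line.split()
        events.append((datetime.fromisoformat(ts), host, int(event_id), image.lower()))
    return sorted(events)

def find_tamper_alerts(events, process="ccsvchst.exe", threshold=3,
                       window=timedelta(minutes=5), restart_grace=timedelta(seconds=30)):
    """Flag hosts where `process` is killed repeatedly or stays down past the grace period."""
    alerts, kills, down_since = [], {}, {}
    batch_end = events[-1][0] if events else None
    def check_down(host, now):   # alert if a kill has gone without a restart for too long
        since = down_since.get(host)
        if since is not None and now - since > restart_grace:
            alerts.append(f"{host}: {process} down since {since.isoformat()}, not restarted")
            del down_since[host]
    for ts, host, event_id, image in events:
        if image != process:
            continue
        check_down(host, ts)
        if event_id == 5:                      # ProcessTerminate
            q = kills.setdefault(host, deque())
            q.append(ts)
            while ts - q[0] > window:          # keep only kills inside the sliding window
                q.popleft()
            if len(q) == threshold:            # one kill + quick restart is normal noise
                alerts.append(f"{host}: {process} terminated {threshold} times in {window}")
            down_since.setdefault(host, ts)
        elif event_id == 1:                    # ProcessCreate: the agent came back
            down_since.pop(host, None)
    for host in list(down_since):              # still down when the batch ends
        check_down(host, batch_end)
    return alerts
```

On the sample, host1 trips both rules (three kills in 20 seconds, then no restart), while host2's single kill followed by an immediate restart produces no alert.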