rEDRoviruses – Whether you’re an AV or whether you’re an EDR, You’re stayin’ alive, stayin’ alive…

EDR software is so hot right now. While AV is mainly focused on badness and on silent detections/reputation analysis, EDR solutions log everything. Sooner or later this ‘everything’ will cause trouble for the bad guys and they will act on it. Interestingly, while killing AV doesn’t make that much sense (because it’s so afraid of triggering FPs), the nature and immaturity of EDR (and the omnipresent problem of dead agents that comes with it) makes it a very easy target…

Such kill-EDR, or at least anti-EDR, or perhaps even just detect-EDR (which already exists) techniques are also important to offensive teams, which will surely want to know about the EDR presence and… will try their best to bypass/avoid it…

It’s also important to remember that the discussion of anti-EDR matters for another reason. Most AV uses anti-tampering technologies that prevent AV from being, well… tampered with. EDR should follow these steps closely – otherwise, well… it will be tampered with too. And fundamentally, the more protection and attention is given to the security of EDR, the better. Think of the Project Zero blog, which excels at killing bugs across a wide range of software – I don’t see any reason why they shouldn’t give EDR software a try…

The following is a bunch of ideas that EDR vendors should look into to protect themselves against being shut down:

  • Blocking via Software Restriction Policies
  • Blocking via AppLocker
  • Blocking via Image File Execution Options
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  • Stopping or blocking WMI
    • Many agentless solutions relying on WMI may stop working
  • Disabling Windows Script Host (and VBS/JS), for example via
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled
    • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Enabled
      • solutions using Visual Basic Script will stop working – an EDR relying on such a single Registry setting needs to ensure the setting is restored prior to execution of every script
  • Disabling PowerShell
  • Changing ACLs to directories/Registry entries
    • Potentially preventing log writing, config updates, etc.
  • Modification of hosts files
    • Same old, same old…
  • Stopping/disabling services
    • I won’t list service names, but they are easy to find
  • Analysis of kernel drivers of EDR solutions may help in finding new ways to escalate privileges

DeXRAY 1.7 – ccSubSdk files – part 2

I have added a buggy routine that attempts to interpret the content of the decrypted ccSubSdk files; this is based purely on looking at the file properties. At first I noticed that there are many GUID-like values that appear many times within a file and across many files. Then, looking at the layout, I tried to split the data by using these GUIDs as dividers – this was helpful and led to a better understanding of how these chunks are structured. Some patterns started emerging and in the end the serialization character of the file layout became more apparent. Walking through trial and error, I put together a raw parser that attempts to make better sense of the data records.

The tool stores the hexadecimal dumps of the interpreted data in .met files that now accompany all decrypted output files, for both submission.idx and the actual submission files. You will find errors in some of the output files, but at the moment it’s the best it can do. Work in progress 🙂

The output is tagged using ‘###’, for example:

### GUID
      21 A3 05 3F B7 43 78 45 93 C8 CD C5 F6 4A 14 9A  !..?.CxE.....J..
09
      22 00 00 00                                      "...

06
      01 00 00 00                                      ....

06
      01 00 00 00                                      ....

07
      13 00 00 00                                      ....

      4D 72 43 6C 65 61 6E 20 53 75 62 6D 69 73 73 69  MrClean Submissi
      6F 6E 00                                         on.

### STRING-A
      MrClean Submission

The following identifiers are now being used:

  • STRING-A – String ANSI
  • STRING-W – String Wide (Unicode-16LE)
  • BLOB – binary blob
  • GUID – 16 bytes long GUID-like data
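The dump above can be read as a 16-byte GUID-like divider followed by tagged fields. The parser below is an added example written for this post, not DeXRAY’s own routine; it assumes a layout inferred from that dump (a tag byte followed by a 4-byte little-endian integer, with tag 0x07 introducing a length-prefixed, NUL-terminated ANSI string) and reproduces the ‘###’ tagging of the .met files for the STRING-A and GUID cases.

```python
import struct

# Layout assumed from the dump above (my reading of it, not DeXRAY's code):
# a 16-byte GUID-like header, then tagged fields. Each tag byte is followed
# by a 4-byte little-endian integer; for tag 0x07 that integer is the byte
# length of a NUL-terminated ANSI string (STRING-A) that follows it.
TAG_STRING_A = 0x07
SAMPLE = bytes.fromhex(  # record constructed from the hex bytes in the dump above
    "21A3053FB743784593C8CDC5F64A149A"  # GUID-like divider
    "09" "22000000" "06" "01000000" "06" "01000000"
    "07" "13000000"                      # 0x13 = 19 string bytes follow
) + b"MrClean Submission\x00"

def hexline(data: bytes) -> str:
    return "      " + " ".join(f"{b:02X}" for b in data)

def parse_record(data: bytes) -> list:
    """Return [('GUID', bytes), (tag, value), ...] for one record."""
    if len(data) < 16:
        raise ValueError("record shorter than a GUID")
    fields, pos = [("GUID", data[:16])], 16
    while pos < len(data):
        if pos + 5 > len(data):
            raise ValueError(f"truncated field at offset {pos}")
        tag = data[pos]
        value = struct.unpack_from("<I", data, pos + 1)[0]
        pos += 5
        if tag == TAG_STRING_A:
            if pos + value > len(data):
                raise ValueError(f"string length {value} overruns record")
            raw = data[pos:pos + value]
            pos += value
            # keep the text up to the NUL terminator ('MrClean Submission\0')
            fields.append(("STRING-A", raw.split(b"\x00", 1)[0].decode("latin-1")))
        else:
            fields.append((f"{tag:02X}", value))   # unknown tag: raw integer
    return fields

def render(fields: list) -> str:
    """Tag the fields with '###' markers the way the .met dumps do."""
    out = []
    for tag, value in fields:
        if tag == "GUID":
            out.append("### GUID\n" + hexline(value))
        elif tag == "STRING-A":
            out.append("### STRING-A\n      " + value)
        else:
            out.append(f"{tag}\n" + hexline(struct.pack("<I", value)))
    return "\n".join(out)
```

Truncated records raise ValueError instead of reading past the buffer, which is the failure mode a trial-and-error parser most often trips over on real files.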

The latest version of DeXRAY can be found here.