
DEF CON 30 – DemoLabs

EDR detection mechanisms and bypass techniques with EDRSandBlast

Maxime MEIGNAN (th3m4ks) & Thomas DIOT (_Qazeer)

© WAVESTONE 1
DEF CON 30 – DEMOLABS - EDR DETECTION MECHANISMS AND BYPASS TECHNIQUES WITH EDRSANDBLAST

Hi !

Who are we ?

/ Thomas Diot (_Qazeer)
/ Maxime Meignan (th3m4ks)
@ Wavestone

Why EDRSandblast ?

/ EDRs are more and more prevalent in corporate environments
/ EDRs may need to be bypassed in red-team engagements, as well as during pentests


github.com/wavestone-cdt/EDRSandblast

What is EDRSandblast ?
/ Tool written in C
/ Detects common monitoring techniques used by EDR software on
Windows endpoints
/ Implements techniques to bypass them (both user-land and kernel-land)
/ Exists as a CLI tool and as a static library to include in another project

/ 01 So you want to dump LSASS ?


With the tool of your choice



What happens classically during a process dumping

1 Tool starts
2 Tool opens the LSASS process
3 Tool reads each memory range
4 Tool writes the results in a minidump file

Simple question : which action will the EDR spot ?

> Tool starts: PE is loaded, process is created, main thread is started
> Tool opens the LSASS process: call to OpenProcess()
> Tool reads each memory range: calls to ReadProcessMemory()
> Tool writes the results in a minidump file: calls to CreateFile() and WriteFile()


Easy answer: the EDR saw you at every step

How come the EDR knows everything ?

Tool starts

> PE is loaded
> Process is created
> Main thread is started

• EDR registered callback functions with PsSet{CreateProcess,CreateThread,LoadImage}NotifyRoutine()
• EDR’s driver is notified by the kernel at each process creation, thread creation, or PE loading (executable, library, driver)


Kernel notify routine callbacks allow EDRs to be notified of process or thread creation and image loading

⁄ The kernel notify routine callbacks are added through documented APIs to define driver-supplied callback routines.
The callback routines are then stored in undocumented arrays in kernel memory: PspCreateProcessNotifyRoutine, PspCreateThreadNotifyRoutine, and PspLoadImageNotifyRoutine

⁄ The callback routines are then called upon the occurrence of their associated system events.

Prototypes the Kernel notify routine callbacks must follow

Demo


How come the EDR knows everything ?

Tool starts

> PE is loaded
> Process is created
> Main thread is started

• Using these notifications, the EDR may also insert its own libraries inside each process memory space before it starts

Demo


How come the EDR knows everything ?

Tool opens the LSASS process
Call to OpenProcess()

• EDR registered callback functions with ObRegisterCallbacks()
• EDR’s driver is notified by the kernel at each handle creation or duplication on threads or processes
• EDR can monitor OpenProcess() calls and even block the handle opening


ObRegisterCallbacks allows EDRs to be notified of handle operations by processes and threads

⁄ The kernel object callbacks are added through a documented API to define driver-supplied ObjectPreCallback and ObjectPostCallback routines.
The callback routines are then stored in an undocumented doubly linked list, with no symbols.

⁄ The callback routines are then called before (ObjectPreCallback) or after (ObjectPostCallback) a process or thread makes a handle operation.

Prototypes the Kernel ObjectPreCallback and ObjectPostCallback routines must follow

The OB_PRE_OPERATION_INFORMATION and OB_POST_OPERATION_INFORMATION structures contain information about the operation and notably:
▪ The target of the handle operation
▪ The desired / granted access (as an ACCESS_MASK)
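As an added example (not code from the slides or from EDRSandblast), the access-mask decision an EDR's ObjectPreCallback typically takes on a handle request targeting LSASS, written as portable C so it runs without the kernel headers. The ACCESS_MASK constants are the Windows SDK values; the PIDs and the trusted-service exemption are constructed assumptions, and no kernel structure layout is reproduced.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Process ACCESS_MASK bits (values as defined in the Windows SDK). */
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_CREATE_THREAD             0x0002u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_READ                   0x0010u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_DUP_HANDLE                0x0040u
#define PROCESS_QUERY_INFORMATION         0x0400u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u

/* Rights a memory dumper needs, plus rights that lead to them indirectly
 * (PROCESS_DUP_HANDLE, thread creation); the pre-operation callback clears these. */
#define SENSITIVE_RIGHTS (PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | \
                          PROCESS_DUP_HANDLE | PROCESS_CREATE_THREAD | PROCESS_TERMINATE)

/* Policy logic of an ObjectPreCallback (assumption: kernel structures are not
 * reproduced). Inputs: the protected PID (lsass.exe), the PID of the EDR's own
 * trusted service, target and caller of the handle request, and DesiredAccess
 * from OB_PRE_OPERATION_INFORMATION. Returns the access the kernel may grant. */
uint32_t filter_handle_access(uint32_t protected_pid, uint32_t trusted_pid,
                              uint32_t target_pid, uint32_t caller_pid,
                              uint32_t desired_access)
{
    if (target_pid != protected_pid) return desired_access;  /* not LSASS: pass through */
    if (caller_pid == trusted_pid)   return desired_access;  /* the EDR itself may read it */
    return desired_access & ~SENSITIVE_RIGHTS;  /* strip rights rather than refuse outright */
}

/* True when the callback changed the outcome. This, not the OpenProcess() call
 * itself, is what the EDR logs as a credential-dumping attempt; the tool only sees
 * ReadProcessMemory() failing with ERROR_ACCESS_DENIED afterwards. */
bool access_was_stripped(uint32_t desired_access, uint32_t granted_access)
{
    return desired_access != granted_access;
}

int main(void)
{
    const uint32_t lsass_pid = 624, edr_pid = 1200, dumper_pid = 4321;  /* constructed */
    uint32_t desired = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ;       /* what a dumper asks for */
    uint32_t granted = filter_handle_access(lsass_pid, edr_pid, lsass_pid, dumper_pid, desired);
    printf("desired 0x%04x -> granted 0x%04x (stripped: %s)\n", desired, granted,
           access_was_stripped(desired, granted) ? "yes" : "no");
    return 0;
}
```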

Demo

How come the EDR knows everything ?

Tool reads each memory range
Calls to ReadProcessMemory()

• EDR subscribed to a special event provider called ETW Threat Intelligence, reserved for security products (signed as « Early-Launch-Antimalware »)
• This provider resides in kernel memory and cannot be altered from userland
• Calling certain kernel functions (ex. MiReadWriteVirtualMemory) will generate events available for the EDR to analyze


EDRs can subscribe to the ETW Microsoft-Windows-Threat-Intelligence provider to receive telemetry on Windows API usage from the kernel

Example of a call to the ETWTI logging function in nt!MiReadWriteVirtualMemory

List of ETW TI functions in a recent Windows build

Example of the event fields generated by EtwTiLogReadWriteVm for virtual memory read operations

How come the EDR knows everything ?

Tool writes the results in a minidump file
Calls to CreateFile() and WriteFile()

• EDR registered a minifilter driver with FltRegisterFilter()
• This driver will be called each time an I/O is performed on the file-system
• This allows the EDR to intercept file creations and scan their content

How come the EDR knows everything ?

Tool opens the LSASS process / Tool reads each memory range / Tool writes the results in a minidump file
Call to OpenProcess() / Calls to ReadProcessMemory() / Calls to CreateFile()/WriteFile()

• EDR loaded its own library at process start, remember ?
• The library installed hooks on all interesting userland functions for monitoring purposes
• At each (naive) call to a monitored function, the EDR will inspect arguments or return values to detect « malicious actions »


Example of a hook installed by the EDR

Example of a hook in the ntdll.NtReadVirtualMemory function introduced by an EDR

/ 02 How to bypass these monitoring techniques

Hooks are detected and removed by leveraging on-disk DLLs

Detecting hooks

For all loaded DLLs of a process, the content on disk is compared to the one in memory. Every
difference found in a code section is a potential hook.
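As an added example (not EDRSandblast's code), the disk-versus-memory comparison just described, run in plain C over a constructed 16-byte sample of an x64 ntdll Nt* stub: the on-disk copy has the usual mov r10, rcx / mov eax, imm32 prologue (the service number is a made-up value), while the in-memory copy carries the 5-byte jmp rel32 that a hooking library writes at the function start.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample (not real ntdll bytes for any build): the start of an x64
 * Nt* stub as read from the DLL on disk. The service number 0x3f is made up.
 *   4c 8b d1                  mov  r10, rcx
 *   b8 3f 00 00 00            mov  eax, 0x3f
 *   f6 04 25 08 03 fe 7f 01   test byte ptr [0x7ffe0308], 1 */
static const uint8_t stub_on_disk[16] = {
    0x4c, 0x8b, 0xd1, 0xb8, 0x3f, 0x00, 0x00, 0x00,
    0xf6, 0x04, 0x25, 0x08, 0x03, 0xfe, 0x7f, 0x01 };

/* The same stub as mapped in a process after a hooking DLL overwrote its first
 * five bytes with "e9 <rel32>" (jmp to the monitoring routine; target made up). */
static const uint8_t stub_in_memory[16] = {
    0xe9, 0x10, 0x20, 0x30, 0x00, 0x00, 0x00, 0x00,
    0xf6, 0x04, 0x25, 0x08, 0x03, 0xfe, 0x7f, 0x01 };

/* Walks a code section in its on-disk and in-memory forms and records each run of
 * differing bytes as one candidate hook (offset + length). Returns the total run
 * count even beyond max_hooks so the caller can size its buffers. Caveat a real
 * scanner must handle: bytes patched by relocations legitimately differ too. */
size_t find_hooks(const uint8_t *disk, const uint8_t *mem, size_t len,
                  size_t *offsets, size_t *lengths, size_t max_hooks)
{
    size_t count = 0;
    for (size_t i = 0; i < len; ) {
        if (disk[i] == mem[i]) { i++; continue; }
        size_t start = i;
        while (i < len && disk[i] != mem[i]) i++;    /* extend the differing run */
        if (count < max_hooks) { offsets[count] = start; lengths[count] = i - start; }
        count++;
    }
    return count;
}

int main(void)
{
    size_t off[4], len[4];
    size_t n = find_hooks(stub_on_disk, stub_in_memory, sizeof stub_on_disk, off, len, 4);
    for (size_t i = 0; i < n && i < 4; i++)
        printf("candidate hook at +0x%zx: %zu byte(s) differ\n", off[i], len[i]);
    return 0;
}
```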

Removing hooks

Instructions overwritten by hooks are restored using the on-disk content. The page containing the instructions is temporarily set to be writable using NtProtectVirtualMemory.
However, this function is probably hooked itself by the EDR.


Multiple techniques are implemented to get an unmonitored call to any hooked function, like NtProtectVirtualMemory

1 Construct an unhooked NtProtectVirtualMemory by allocating an executable trampoline jumping over the hook

2 Search and use an existing trampoline allocated by the EDR itself to get an unhooked version of NtProtectVirtualMemory

3 Load an additional version of the ntdll library into memory and use the NtProtectVirtualMemory from this library

4 Use a direct syscall to call NtProtectVirtualMemory

Demo


Removing kernel-land monitoring requires being able, and knowing where, to write in the kernel memory

Reading / writing kernel memory

⁄ A driver can be leveraged to access the kernel memory, as drivers share the kernel's address space.

⁄ Since the introduction of Driver Signature Enforcement (DSE), new drivers (post 07/2015) must be certified by Microsoft Windows Hardware Quality Labs (WHQL).

⁄ A legitimate and WHQL-certified but vulnerable driver can be exploited to obtain arbitrary read / write of kernel memory primitives.

Knowing where to write

⁄ Global variables’ offsets and field offsets in structures are leveraged by EDRSandblast to know where to write (instead of relying on the search of memory patterns).

⁄ Known offsets allow more stability and reduce the risk of BSOD.

⁄ The offsets can be:
▪ Passed in a CSV file, with 450+ versions of the Windows kernel supported to date
▪ Automatically recovered, if the endpoint has Internet connectivity, by downloading the .pdb (from MS symbol server) associated with the targeted ntoskrnl version


EDRSandblast enumerates the routines registered with PsSet*NotifyRoutine or ObRegisterCallbacks and removes any callback routine linked to a predefined list of EDR drivers

Bypassing notify routine callbacks

Uses offsets to the PspCreateProcessNotifyRoutine, PspCreateThreadNotifyRoutine, and PspLoadImageNotifyRoutine arrays to iterate on the callback arrays and remove all callback functions pointing to an EDR driver memory space.

Bypassing object callbacks

Uses offsets to the PsProcessType and PsThreadType global variables (_OBJECT_TYPE* structures) and the CallbackList field offset in these structures to retrieve the head of the ObRegisterCallbacks linked lists.

Both lists are then walked and the PreOperation and PostOperation fields of the undocumented structure of each item are analyzed to identify if the callbacks belong to an EDR driver and, if so, to disable the callback using the Enabled field.

The undocumented structure has been reversed and was constant from Windows 10 versions 10240 (July 2015) to 22000.
Demo


The ETW Microsoft-Windows-Threat-Intelligence provider can be disabled system-wide through a kernel arbitrary RW primitive

⁄ Patching a process memory to disable user-land ETW loggers (for instance by patching ntdll!EtwEventWrite) will not impact the ETW TI provider.

Contrary to what is sometimes incorrectly stated, process memory patching does not "Disable Event Tracing for Windows".

⁄ Disabling the ETW TI provider with a kernel memory read/write primitive is simply a matter of patching a value in the _ETW_GUID_ENTRY entry representing the ETW TI provider in memory.

Demo


github.com/wavestone-cdt/EDRSandblast
The vulnerable RTCore64.sys driver can be retrieved at:

https://tinyurl.com/Demo-RTCore64

Quick usage
EDRSandblast.exe <audit | dump | cmd | credguard | firewall> [--usermode] [--kernelmode]

Options

New features published this morning!

/ Object callbacks detection and removal

/ Firewalling of EDR components to block telemetry

/ Downloading and parsing of the ntoskrnl PDB at runtime for offsets retrieval

/ Refactoring of the kernel read/write primitives making the support of a new vulnerable driver
simpler to implement

/ Support of the Dell vulnerable driver DBUtil_2_3.sys

/ Creation of a simple API to use EDRSandblast as a static library

/ Implementation of a function that returns a “safe” version of a hooked Nt* function

/ Implementation of an equivalent of MiniDumpWriteDump with only Nt* functions (“syscalls”)


EDRSandblast can now be imported as a static library in your project to easily add EDR detection and bypass capabilities

Example of a simple LSASS dumper program that uses the EDRSandblast API

Any Questions,
Suggestions,
Ideas?

/ 04 Annexes


The introduction of PatchGuard, to protect the Windows x64 kernel, forced security product vendors to adapt their detection mechanisms

⁄ PatchGuard, also known as Kernel Patch Protection (KPP), is a protection mechanism for the Windows (x64) kernel memory to prevent illegitimate modifications of kernel memory.

If an abnormal modification is detected, PatchGuard generates a "Bug Check" (also known as "Blue Screen of Death").

No more interceptions of syscalls via modifications of the System Service Descriptor Table (SSDT), as the SSDT is a PatchGuard protected structure.

Security products developers (and rootkits) had to rethink their monitoring mechanisms on 64-bit Windows OS.
