An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Attack Vectors
2. Related Work
2.1. Endpoint Detection and Response Systems
2.2. Advanced Persistent Threats
2.3. Cyber Kill Chain
3. Experimental Setup
- RQ1: Can state-of-the-art EDRs detect common APT attack methods?
- RQ2: Which are the blind spots of state-of-the-art EDRs?
- RQ3: What information is reported by EDRs, and what is its significance?
- RQ4: How can one decrease the significance of reported events or even prevent the reporting?
3.1. Attack Vectors
- A .cpl file: a DLL that is executed by double-clicking under the context of rundll32, a LOLBIN that runs code, including malicious code, under its own context. The file has been crafted using CPLResourceRunner (https://github.com/rvrsh3ll/CPLResourceRunner accessed on 8 July 2021). To this end, we use a shellcode storage technique based on Memory-mapped files (MMF) and then trigger the shellcode using delegates; see Listing 1.
- A legitimate Microsoft (MS) Teams installation that will load a malicious DLL. In this regard, DLL side-loading (https://attack.mitre.org/techniques/T1574/002/ accessed on 8 July 2021) will lead to a self-injection, thus allowing us to “live” under a signed binary. To achieve this, we used the AQUARMOURY-Brownie (https://github.com/slaeryan/AQUARMOURY accessed on 8 July 2021).
- An unsigned PE executable file, from now on referred to as EXE, that performs process injection into werfault.exe using the “Early Bird” technique of AQUARMOURY. For this, we spoofed the parent process (PPID) as explorer.exe and set the PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY flag to protect our malware from the loading of a DLL not signed by Microsoft, an event that is commonly used by EDRs for process monitoring.
- An HTA file. Once the user visits a harmless HTML page containing an IFrame, they will be redirected and prompted to run an HTML file infused with executable VBS code that loads the .NET code provided in Listing 2 and performs self-injection under the context of mshta.exe.
Listing 1. Shellcode execution code from CPLResourceRunner.
3.2. Code Analysis
Listing 2. Code to allocate space and execute shellcode via EtwpCreateEtwThread.
3.2.2. EXE File
3.2.3. DLL Sideloading
Listing 3. Execution of shellcode into a child process with CIG and spoofed PPID via the “EarlyBird” technique using Nt* APIs.
Listing 4. Local memory allocation and shellcode execution via CreateThread().
Listing 5. Sample direct syscalls in Assembly.
4. EDR Evaluation
4.1. Carbon Black
4.1.1. Enabled Settings
4.2. CrowdStrike Falcon
4.2.1. Enabled Settings
4.3. ESET PROTECT Enterprise
4.3.1. Enabled Settings
4.4. F-Secure Elements Endpoint Detection and Response
4.5. Kaspersky Endpoint Detection and Response (KEDR)
4.5.1. Enabled Settings
4.6. McAfee Endpoint Protection
4.6.1. Enabled Settings
4.7. SentinelOne
4.7.1. Enabled Settings
4.8. Sophos Intercept X with EDR
4.8.1. Enabled Settings
4.9. Symantec Endpoint Protection
4.9.1. Enabled Settings
4.10. Trend Micro Apex One
4.10.1. Enabled Settings
4.11. Windows Defender for Endpoints (ATP)
- PsSetCreateProcessNotifyRoutine(Ex): process creation events.
- PsSetCreateThreadNotifyRoutine: thread creation events.
- PsSetLoadImageNotifyRoutine: image (DLL/driver) load events.
- CmRegisterCallback(Ex): registry operations.
- ObRegisterCallbacks: handle operations (e.g., process access events).
- FltRegisterFilter: I/O operations (e.g., file system events).
- Zero out the address of the callback routine from the kernel callback array that stores all the addresses.
- Unregister the callback routine registered by WdFilter.sys.
- Patch the callback routine of WdFilter.sys with a RET (0xC3) instruction, or hook it.
- Patch a specific EtwTi function by inserting a RET (0xC3) instruction at the beginning of the function so that it simply returns without executing further. This is not KPP-safe, but an attacker may avoid BSOD-ing the target by restoring the original state of the function as soon as their objective is accomplished. In theory, PatchGuard may trigger at any random time, but, in practice, there is an extremely low chance that it will trigger exactly during this very short interval.
- Corrupt the EtwTi handle.
- Disable the EtwTi provider.
4.11.1. Enabled Settings
4.12. Aggregated Results
5. Tampering with Telemetry Providers
5.1. Attacking Defender for Endpoints
5.1.1. Manually Patching Callbacks to Load Unsigned Drivers
5.1.2. Manually Patching an ETWTi Function to Dump LSASS without Alerts
5.2. Attacking Sophos Intercept X
Conflicts of Interest
Appendix A. Cobalt Strike Malleable C2 Profile
Listing A1. Cobalt Strike malleable C2 profile.
| EDR | | | | |
|---|---|---|---|---|
| ESET PROTECT Enterprise | ✗ | ✗ | ✓ | ✓ |
| F-Secure Elements Endpoint Detection and Response | ✓ | ✓ | ✓ | ✓ |
| Kaspersky Endpoint Detection and Response | ✗ | ✗ | ✗ | ✓ |
| McAfee Endpoint Protection | ✗ | ✗ | ✓ | ✓ |
| Sophos Intercept X with EDR | ✗ | ✗ | ✓ | - |
| Symantec Endpoint Protection | ✓ | ✗ | ✓ | ✓ |
| Trend Micro Apex One | ✓ | ∘ | ✓ | ✓ |
| Windows Defender for Endpoints | ☆ | ✗ | ✗ | ✓ |
© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Karantzas, G.; Patsakis, C. An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Attack Vectors. J. Cybersecur. Priv. 2021, 1, 387-421. https://doi.org/10.3390/jcp1030021
Karantzas G, Patsakis C. An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Attack Vectors. Journal of Cybersecurity and Privacy. 2021; 1(3):387-421. https://doi.org/10.3390/jcp1030021
Karantzas, George, and Constantinos Patsakis. 2021. "An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Attack Vectors" Journal of Cybersecurity and Privacy 1, no. 3: 387-421. https://doi.org/10.3390/jcp1030021