EPP/EDR - Unhooking Their Protections

Presented at DeepSec 2020 „The Masquerade“

More and more often we see in our penetration tests that companies do not rely only on traditional endpoint protection (EPP); instead, they have begun to add an EDR to the existing EPP, or they use an EPP/EDR combination from vendors such as Microsoft, CrowdStrike, Endgame, etc. Compared to an EPP, an EDR is not designed for the prevention of malware but for detection, response and hunting. EDR systems have high process visibility at the endpoint, which makes it possible to conduct malware analysis based on the monitored behaviour. For that, some EPP/EDR products under Windows rely on the technique of API hooking. API hooking is a method to check executed code (via APIs) for malicious content by interception. For this purpose, the EPP/EDR software injects its own .dll into the address space of a process. In simple terms, the executed code is redirected to the EPP/EDR .dll so that it can be analyzed for malicious content.

However, Kernel Patch Protection (KPP), aka PatchGuard, forces the EPP/EDR software to perform API hooking in user mode. This makes it possible to bypass user-mode API hooking by techniques like ntdll.dll mapping or direct system calls.

There are some EDR products which rely heavily on user-mode API hooking. Depending on the product, we could observe that, for example, ntdll mapping can have a very heavy impact on any further recognition by the EDR system.

However, testing of different EPP/EDR products also showed that EPP/EDR manufacturers rely not only on user-mode mechanisms; they also use kernel-mode mechanisms like kernel callbacks. Depending on the product, in the context of credential dumping it may be sufficient to bypass only the user-mode component (API hooking). For other EPP/EDR products, however, bypassing the user-mode API hooking alone is not sufficient. In order to successfully dump credentials using direct system calls, for example, the kernel callbacks registered by device drivers must also be removed.
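The abstract describes user-mode hooks as a detour placed at the start of an Nt* stub in ntdll, and ntdll mapping as a way of putting the original bytes back. From the defender's side, the useful counterpart is a self-integrity check: record the state of each stub right after the hooks are installed, re-read the stub bytes later, and flag any stub that has gone from "detoured" back to "clean", because that is the footprint of unhooking. The following C program is an added example written for this page, not code from the talk or from any EPP/EDR product. It classifies the first bytes of an x64 stub as clean (the untouched `mov r10, rcx / mov eax, imm32` prologue) or detoured (one of the common unconditional-jump forms) and then counts the stubs whose hook has disappeared. The byte arrays are constructed samples; the syscall-number immediates and jump targets are placeholders, not values from a real ntdll build, and reading the live bytes out of a process (`ReadProcessMemory` on Windows) is left out so the check runs anywhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classification of the first bytes of an x64 Nt* stub (illustrative example). */
typedef enum {
    STUB_CLEAN,     /* untouched ntdll syscall stub: mov r10,rcx / mov eax,imm32 */
    STUB_DETOURED,  /* first instruction is an unconditional jump: a hook is in place */
    STUB_UNKNOWN    /* neither pattern: needs a closer look */
} stub_state;

/* Byte pattern of the untouched x64 syscall stub prologue in ntdll:
 *   4C 8B D1   mov r10, rcx
 *   B8 ..      mov eax, imm32   (the immediate is the system call number) */
static const uint8_t CLEAN_PROLOGUE[] = { 0x4C, 0x8B, 0xD1, 0xB8 };

/* Classify the first bytes of a stub. */
stub_state classify_stub(const uint8_t *b, size_t len)
{
    /* E9 rel32: jmp rel32 (5 bytes), the most common inline detour */
    if (len >= 5 && b[0] == 0xE9)
        return STUB_DETOURED;
    /* FF 25 disp32: jmp [rip+disp32] (6 bytes) */
    if (len >= 6 && b[0] == 0xFF && b[1] == 0x25)
        return STUB_DETOURED;
    /* 48 B8 imm64 ; FF E0: mov rax, imm64 ; jmp rax (12 bytes) */
    if (len >= 12 && b[0] == 0x48 && b[1] == 0xB8 && b[10] == 0xFF && b[11] == 0xE0)
        return STUB_DETOURED;
    if (len >= sizeof CLEAN_PROLOGUE &&
        memcmp(b, CLEAN_PROLOGUE, sizeof CLEAN_PROLOGUE) == 0)
        return STUB_CLEAN;
    return STUB_UNKNOWN;
}

#define STUB_BYTES 16

typedef struct {
    const char *name;                /* exported Nt* function the stub belongs to */
    stub_state  baseline;            /* state recorded right after the hooks were installed */
    uint8_t     current[STUB_BYTES]; /* bytes read from the live process now */
} stub_record;

/* A stub whose baseline was DETOURED but now reads as CLEAN has had its hook removed,
 * e.g. by overwriting the in-memory stub with a fresh copy of ntdll. */
int hook_removed(const stub_record *r)
{
    return r->baseline == STUB_DETOURED &&
           classify_stub(r->current, STUB_BYTES) == STUB_CLEAN;
}

/* Number of records whose hook has been removed. */
size_t count_unhooked(const stub_record *recs, size_t n)
{
    size_t removed = 0;
    for (size_t i = 0; i < n; i++)
        if (hook_removed(&recs[i]))
            removed++;
    return removed;
}

/* Constructed sample: the byte values are placeholders, not from a real ntdll build. */
const stub_record SAMPLE_STUBS[] = {
    /* still hooked: jmp rel32 into the EDR DLL, remainder padded with nop */
    { "NtOpenProcess", STUB_DETOURED,
      { 0xE9, 0x11, 0x22, 0x33, 0x44, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } },
    /* hook removed: original prologue is back (mov r10,rcx / mov eax,imm32 / syscall / ret) */
    { "NtReadVirtualMemory", STUB_DETOURED,
      { 0x4C, 0x8B, 0xD1, 0xB8, 0x3F, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC } },
    /* still hooked via jmp [rip+disp32] */
    { "NtQuerySystemInformation", STUB_DETOURED,
      { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } },
    /* never hooked by this product and unchanged, so no finding */
    { "NtClose", STUB_CLEAN,
      { 0x4C, 0x8B, 0xD1, 0xB8, 0x0F, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC } },
};
const size_t SAMPLE_STUB_COUNT = sizeof SAMPLE_STUBS / sizeof SAMPLE_STUBS[0];

int main(void)
{
    for (size_t i = 0; i < SAMPLE_STUB_COUNT; i++)
        printf("%-26s %s\n", SAMPLE_STUBS[i].name,
               hook_removed(&SAMPLE_STUBS[i]) ? "HOOK REMOVED" : "ok");
    printf("%zu stub(s) unhooked\n", count_unhooked(SAMPLE_STUBS, SAMPLE_STUB_COUNT));
    return 0;
}
```

On the sample input the check reports exactly one finding, NtReadVirtualMemory. Two caveats apply in practice: a stub that reads as STUB_UNKNOWN is not evidence either way (newer ntdll builds and other hooking styles change the prologue), and, as the abstract notes, a clean user-mode stub says nothing about the kernel callbacks, which need their own check from a driver.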


Presenters:

  • Daniel Feichter - Strong-IT Innsbruck
    Daniel Feichter studied industrial engineering and management at MCI in Innsbruck. After successfully completing his studies, however, he decided to work in the field of IT security. The company Strong-IT from Innsbruck gave him the opportunity for an IT security internship in 2018, despite his being an IT security newcomer. Since then he has found his new professional home in IT security and at Strong-IT. His focus is on Windows environment red teaming and research. Besides topics such as Windows internals, EoP, etc., he is intensively engaged with EPP/EDR systems under Windows.
