Why your blue team are your last line of defence
One of the hardest things to communicate to clients sometimes is that an AV (Anti-Virus) or EDR (Endpoint Detection & Response) is not a silver bullet, it is only part of the defensive solution. Try as we might to explain that it will always be possible to bypass, sometimes it is just easier to demonstrate this.
Recently, we were doing some testing for a client who had CrowdStrike installed and a configuration issue that was trivial to exploit with tooling such as Mimikatz. Explaining the significance of the issue and ease of exploitation was met with the all too common “You can’t execute Mimikatz – I have an EDR”.
CrowdStrike is a very capable, defensive solution and if you start prodding LSASS with almost anything, it will understandably have something to say about it. Fortunately for us, we did not need to touch LSASS – we were after the LSA secrets.
The issue was the presence of a Standalone Managed Service Account on a machine and that sMSA was a member of Domain Administrators (thank you BloodHound) for easily spotting that for us!). A local privilege escalation route was determined on the host (thank you winPEAS) and local administrative privileges were obtained.
Now yes, we could do the copying of the registry hives and do the offline processing, but for some reason running SharpHound or winPEAS under CrowdStrike never has the same impact as Mimikatz!
So, we turned to some in house tooling that we use for bypassing security solutions. We open sourced one of the bypass solutions we use internally here, although we didn’t use that particular method this time.
Pass it the appropriate switches such as the log file etc. and away we go.
Some fiddling with the output.
And relay it to the server – domain administrator – thank you very much.
Now this is all great, and we love tooling that goes past whatever the latest next gen AI machine learning blockchain powered new hotness is, but what is the point? Soon enough the loader we use will get fingerprinted (normally after one of these posts as certain vendors really do not lean into assisting research into their platforms), we will get caught and we will have to find another way to do it.
The point is that the Blue Team that were monitoring CrowdStrike in this instance were not aware that anything was happening. No alerts typically mean they have nothing to react to. That means until I trip a defensive product, I can happily bumble my way around helping myself to whatever goodies I want or leaving whatever malware I want running on host.
Alerts should have been raised by an account that was created two years ago, has never logged on before and logged onto a domain controller. Equally, an Active Directory review would have highlighted a list of accounts that were active and had never logged on.
Think about your Blue Team like a security guard, some security guards will sit at a desk and wait for an alarm to go off.
A bad SOC (Security Operations Center) will keep you updated with what the tool tells them and then ask you what you would like to do.
Other security guards will take regular walks around the building, get to know what it looks like, what doors are open and which windows are always closed. Not every door and window may have an alarm on, but by patrolling the premises they get to spot things that are out of place, or suspicious and can investigate.
A good SOC is the same – not only do they patrol and make sure everything is as it should be – they can look for things that are out of place, or unusual.
Good monitoring or bad monitoring?
I cannot stress enough the importance of a layered approach to security, no single security product is going to save you. Below is an example of an opensource C2 framework called Havoc, with none of the evasion techniques enabled calling back very happily to our test rig, sailing past CrowdStrike.
In the above instance, the only thing you can hope for is that the operator of the implant does something obvious that your defensive solution will alert on – maybe dumping LSASS or running some GetSystem or hashdump equivalent?
We would always urge those that have a SOC, to try and make their life a little easier by carrying out regular testing, monitoring your Active Directory, hardening the environment, having well-rehearsed playbooks to respond to these things. They will all help immensely in minimising false positives and maintaining a tight, secure environment. Trust, but verify your solutions too – run exercises on your network to see how the monitoring team reacts.
Getting these basics nailed will improve the security of your network far more than just dropping the latest, shiniest solution on your network.
The point of this is article is not to pick on CrowdStrike here – they are widely considered to be one of the best market leaders in the endpoint protection space:
We are just highlighting the futility of relying on any of these solutions as a panacea for endpoint protection. They are relatively easy to bypass, they are fallible, they do fail. Their only real use is as part of a multi-layered defensive solution and there are many simple wins that could be more effective for your environment than changing your EDR – even if you are running a solution in the bottom left of the quadrant. A lot of those wins are even free to implement with the only cost being time.
If you fancy securing your network at a lower cost - reach out and see if we can help!