Updated: Sep 22, 2022
Guest author Assaf Yariv, Software Engineering Team Leader at Morphisec, shares his experience and offers some valuable tips
Cyber security solutions like next generation anti-virus (NGAV), endpoint detection and response (EDR), and endpoint protection platform (EPP) face abuse, tampering, and exploitation to achieve initial access and persistence.
Threat actors know it's often easier to undermine these defenses to get to what they want. But how many teams prioritize anti-tampering in cyber security?
Imagine a small bank in your town. The bank invests in state-of-the-art security equipment, with top quality cameras and sensitive alarms which communicate to a central system. A big, hard biometric lock on the main safe box is secured behind heavy steel doors.
Everything feels very secure until one day—the power shuts down. Suddenly no electricity = no network = no security. Apparently, all you had to do to bypass this state-of-the-art security system is flick the switch that powers the bank’s electricity.
Terminating services time
We've all seen these scenes in movies, but in the cyber security world it’s actually not far from reality. Cyber criminals are always researching, and try to terminate all monitoring tools and security solutions like EDR, NGAV, EPP etc. before they start an attack.
Worryingly, this is not usually very complicated to do. You just need to terminate system processes and services.
How hard is this? If an attacker has already compromised admin privileges, they can run a simple script to kill all processes. If this doesn’t work, they can install a compromised/vulnerable kernel driver to do the work from kernel space. Furthermore, attackers can also use hook tampering methods to avoid monitoring.
To bypass security vendors belonging to the Microsoft Virus Initiative (MVI) and shipped with Early Launch Anti Malware (ELAM) drivers (which allow better protection and isolation of services through Microsoft), threat actors may install a weaker security vendor that competes for the same security category and can be used to eliminate ELAM services.
The Morphisec Labs threat research team has found a number of popular tactics in the wild used by threat actors, one of which is to deploy Malwarebytes sub-components as part of the attack vector.
We can divide tampering techniques into two categories: generic and targeted.
The generic approach to tampering
Modern malware often tries to shut down services in a system before moving to the next step in an attack vector. Windows Service Control Manager (SCM) provides a recovery mechanism that can re-spawn services after termination. But the SCM recovery mechanism by itself is not a super effective remedy for protecting critical services.
The problem is there’s always a time gap—even if very small—in which a service is not running. Even if the service recovers quickly, security systems are usually “stateful” services, so it’s critical to recover the previous “state” of the service for accurate recovery.
A persistent attacker can also use a DOS (Denial Of Service) attack against a system. This runs an infinite loop of terminate/recovery, so the service is busy with its own recovery instead of detection and prevention.
Cybercrime groups acquire popular security software, both free and premium, and research how it works. They often find specific bugs in a product which allow them to terminate it gracefully.
Another way to terminate some security products is to hijack the flow by abusing DLL hijacking vulnerability bugs. One example of this is the Mcafee antivirus vulnerability discovered in 2019.
Unfortunately, security solutions with the greatest market share are more prone to tampering than smaller vendors. An example of this is the recent Indutroyer2 attack against a Ukrainian energy provider. The ESET Research blog found “Before connecting to the targeted devices, the malware terminates a legitimate process that is used in standard daily operations.
In addition to that, it renames this application by adding .MZ to the filename. It does so in order to prevent automatic restart of this legitimate process.”
When red teams evaluate tampering, they usually start with termination from user-mode application, or manually shut down specific processes. The above quote illustrates how attackers are sophisticated and aware of recovery options.
Kernel mode vs. user mode tampering
Much has been written about preventing process termination from user mode applications such as Process Explorer, Task Manager, PowerShell, and Process Hacker.
Process Hacker ships with a signed kernel mode driver, which has elevated access to terminate any user mode process. Unfortunately the Process Hacker driver can be used for malicious purposes. This attack technique is called Bring Your Own Vulnerable Driver.
Not much information exists today about kernel mode tampering. As cybercrime groups become more sophisticated, recent attacks show malicious code is getting to the lower levels of an operating system.
Code which runs in kernel mode is usually trusted code with extensive system permissions. This means it can terminate processes, delete system callbacks, and in some cases, modify the actual behavior of the Windows kernel.
Microsoft introduced its PatchGuard technology a few years ago to deal with kernel hooking. However, it’s still not bulletproof and doesn't protect against tampering with all kernel structures.
Ensuring anti-tampering in cyber security is effective
To assess cyber tools’ anti-tampering effectiveness, some things to look for include whether processes can be terminated by various tools, if the files can be modified or renamed on disk, and if the protection is active in "safe mode" boot.
As mentioned earlier, another important factor to be aware of is—perhaps counter-intuitively—the size of the cybersecurity vendor. Small vendors are significantly less likely to be tampered with than large vendors, while open source EDRs are an easy target.
For example, OpenEDR can easily be terminated with Process Hacker, despite its self-defense feature.
It's important for cyber security vendors to stay alert to preventing tampering with their products. The world would benefit if cybersecurity vendors could collaborate with operating system vendors to standardize a unified anti-tamper solution.
It would enable them to agree on how trusted security solutions can be identified as system critical by an operating system. MITRE also has a couple of very important recommendations for vendors.
*Assaf Yariv is the Software Engineering Team Leader at Morphisec
*This article originally appeared on the Morphisec website, and is republished here with permission. For the complete, original article please click here.