“Bypassing endpoint protections” @ BSides London
This week I presented at BSides London. The talk is titled “Layers on layers: bypassing endpoint protection”. The purpose of this talk is to reiterate the (well-known) common weakness of most endpoint protection products – their reliance on kernel integrity. Once the attacker achieves arbitrary code execution in the kernel, there is no barrier left that would prevent tampering with kernel-based security software.
In particular, I will show that by enhancing the public exploit for the EPATHOBJ vulnerability with a custom kernel payload, it is possible to break many protections in a generic way. It does not help if multiple products are layered up together – if they all depend on kernel integrity, then a single kernel vulnerability (of which there are plenty on Windows) can result in compromise.
In this talk, we stack up various layers of security technologies and then use the custom kernel exploit to ultimately bypass them all. The layers tested for this presentation are: antivirus, host IPS, application sandboxes, EMET, kernel rootkit detectors and Intel SMEP.
I think the most interesting pieces of the presentation will be another technique to conveniently bypass SMEP and the overview of methods for injecting code into usermode processes from the kernel (all on the Windows platform). The slides explain the technique in more detail.
P.S.: As is obvious, no extra effort was needed to bypass AV or EMET, as these can’t do much against kernel-mode attacks.