Kernel Karnage: Patching EDR in Kernel Space

SANS Offensive Operations
24 Jan 202326:55

Summary

TLDRIn this cybersecurity talk, the speaker, a professional red teamer, delves into the intricacies of evading Endpoint Detection and Response (EDR) systems by operating in the kernel space. The presentation outlines the evolution from user space to kernel space, discusses kernel callbacks, and introduces 'Interceptor,' a kernel driver designed to integrate with Cobalt Strike for disabling EDRs. The speaker also addresses the limitations and risks of this approach and concludes with defensive strategies to mitigate such attacks.

Takeaways

  • 😀 The speaker, Sander, is a professional red teamer at Inviso and the author of the Colonel Carnage series, focusing on malware development and custom tools.
  • 🛠️ The talk builds upon the previous discussion about tampering with EDRs (Endpoint Detection and Response) and explores the necessity of operating in kernel space for advanced evasion techniques.
  • 💡 The transition from user space to kernel space is explained, highlighting the progression of bypassing EDRs from using user applications to leveraging lower-level APIs like ntdll.
  • 🔒 The introduction of PatchGuard by Microsoft in 2005 was a response to kernel tampering, which led to the development of kernel callbacks as a replacement for system service dispatch table manipulation.
  • 📝 Kernel callbacks function as a notification system in kernel memory, where registered components receive updates on system events, affecting visibility for security solutions like EDRs.
  • 🛡️ The speaker introduces 'Interceptor,' a kernel driver developed to integrate with Cobalt Strike, aiming to disable EDRs in the kernel by manipulating kernel callback lists.
  • 🔍 The process of locating the callback array in kernel memory is discussed, including the use of APIs and the potential for leveraging global variables to simplify the process.
  • ⚔️ Two strategies for dealing with kernel callbacks are presented: completely wiping the callback list or selectively patching out specific EDR-related functions to render them ineffective.
  • 🚫 The challenges of bypassing driver signature enforcement and the potential risks of violating Hyper-V's Code Integrity and causing system instability are discussed.
  • 🛑 The limitations of this approach are acknowledged, including the risk of blue screening the system, the complexity of dealing with HVCI (Hypervisor Code Integrity), and the detection of driver loading and signature enforcement bypasses by EDRs.
  • 🛡️ Defensive measures such as enabling driver signature enforcement, secure boot, and HVCI are recommended for the blue team to mitigate such attacks.

Q & A

  • What is the Colonel Carnage series and who is its author?

    -The Colonel Carnage series is a blog series written by Sander, a professional red teamer at Inviso, who is also known as Cyber SEC on Twitter and online platforms. Sander is an expert in malware development and custom tools.

  • Why is it necessary to operate in Kernel space when dealing with EDRs?

    -Operating in Kernel space is necessary because it allows for more direct control over system processes and can help bypass user space hooks set up by EDRs. Kernel space provides access to lower-level system functions and can be used to intercept and manipulate system calls more effectively.

  • What is the purpose of Patch Guard introduced by Microsoft in 2005?

    -Patch Guard was introduced by Microsoft as a security feature to protect the integrity of the kernel. It detects modifications to critical kernel structures and can cause the system to blue screen if such modifications are found, preventing unauthorized changes that could destabilize the system.

  • How do EDRs maintain visibility in the system after the introduction of Patch Guard?

    -After Patch Guard was introduced, EDRs started using Kernel callbacks as a replacement for the system service dispatch table. These callbacks allow EDRs to receive notifications about system events, maintaining their visibility and ability to monitor and respond to activities within the system.

  • What is Interceptor and how does it integrate with Cobalt Strike?

    -Interceptor is a kernel driver developed by Sander that integrates with Cobalt Strike. It is designed to disable EDRs in the kernel by manipulating kernel callbacks. This allows an attacker to control the kernel driver and evade EDR detection during an engagement.

  • How does Interceptor work to disable EDRs?

    -Interceptor works by locating the kernel callback array in memory and modifying it. It can either wipe the list entirely or selectively patch out specific callbacks related to EDRs, preventing them from receiving notifications and thus making the EDR blind to system activities.

  • What are the challenges and risks associated with using Interceptor or similar tools?

    -Using Interceptor involves risks such as triggering Patch Guard, which can cause system instability or blue screens. Additionally, there is the challenge of evading detection by EDRs, which often monitor for driver loading and signature enforcement bypasses. There is also the potential for violating Hyper-V's code integrity checks.

  • What defensive measures can organizations take to protect against kernel-level attacks?

    -Organizations can enforce driver signature requirements, enable Secure Boot, and use Hyper-V's code integrity features. They should also ensure that EDRs have detection mechanisms in place for kernel drivers and monitor for any suspicious activities or anomalies in driver behavior.

  • How does VBS (Virtualization-Based Security) impact the approach to patching kernel callbacks?

    -VBS creates virtual trust levels that can prevent unauthorized access to kernel memory from user space. When attempting to patch kernel callbacks, VBS can block the operation if it detects that the user space does not have the necessary permissions, even if the kernel's memory permissions have been altered.

  • What are ETW and ETWti, and how do they relate to EDR functionality?

    -ETW (Event Tracing for Windows) is a tracing facility that is commonly used in user space for monitoring system events. ETWti is the kernel-level counterpart, providing similar functionality within the kernel. Both ETW and ETWti can generate input for EDRs, allowing them to detect and respond to various system activities.

  • Can you provide an example of how a red team might use Interceptor in a real-world scenario?

    -In a real-world scenario, a red team with user space access, such as a Cobalt Strike Beacon, might use Interceptor to gain kernel access and disable EDRs. They would deploy a vulnerable driver to bypass driver signature enforcement, load the Interceptor driver, and patch out EDR callbacks to evade detection while performing their operations.

Outlines

plate

Cette section est réservée aux utilisateurs payants. Améliorez votre compte pour accéder à cette section.

Améliorer maintenant

Mindmap

plate

Cette section est réservée aux utilisateurs payants. Améliorez votre compte pour accéder à cette section.

Améliorer maintenant

Keywords

plate

Cette section est réservée aux utilisateurs payants. Améliorez votre compte pour accéder à cette section.

Améliorer maintenant

Highlights

plate

Cette section est réservée aux utilisateurs payants. Améliorez votre compte pour accéder à cette section.

Améliorer maintenant

Transcripts

plate

Cette section est réservée aux utilisateurs payants. Améliorez votre compte pour accéder à cette section.

Améliorer maintenant
Rate This

5.0 / 5 (0 votes)

Étiquettes Connexes
EDR EvasionKernel SpaceCybersecurityMalware DevRed TeamingKernel CallbacksDriver SignaturesVulnerability ExploitsCobalt StrikeInterceptor Tool
Besoin d'un résumé en anglais ?