Bypassing Sophos Endpoint Protection and Intercept X

Hello, I just found this video:

https://www.youtube.com/watch?v=2Xh1_LOKQPI

How worried should Intercept X and Endpoint Protection users be?

Regards

  • Nice demo showing a variety of tactics...

    We have found a number of similar videos showing up on youtube and other commercial sharing sites where in the past most of this stuff circulated in more nefarious corners of the internet. 

    On some of what was shown in the video and what we already do to guard against these tactics and some info on what is coming. :)

    - Use of social engineering and a cloned site to trick the user into establishing a session to the adversary - These are best defended by the Endpoint Advanced feature called Web Protection. Web Protection will prevent browsing to known malware delivery sites. In this example the site is internal to their test environment and not on a known malware delivery list.

    - Use of code cave techniques in Shellter IV - Detection of code cave utilization was recently improved in Endpoint Standard and Advanced, and updates have already been issued. We are seeing an uptick in the use of Backdoor Factory, PowerShell Empire and other code cave tools including Shellter. Also, this summer Intercept X will specifically target code cave utilization; the Early Access Program for that will be coming out in about a month or two.

    - Use of PowerShell - You can block that already with Application Control. This is part of the Endpoint Advanced product and has been available for some time, but it requires the administrator to enable the detection of PowerShell usage, as developers and IT staff often need PowerShell for legitimate reasons.

    - Meterpreter migration - Most migration uses reflective DLL loading, already part of Intercept X. Additional process migration techniques exist, and this summer's Early Access Program will strengthen the process migration protections and will guard against what was shown in this video, as well as most of the other techniques we see in active use.

    - Credential theft - The use of hashdump, Mimikatz and the like is not surprising and was not included in the initial Intercept X release. Credential theft prevention is included in this summer's update to Intercept X.

    - Data exfiltration - So now on the box as a privileged user, the adversary is taking a screenshot of sensitive data. I sure hope the end user would notice something strange is happening on their device. With the endpoint you can turn on Data Loss Prevention to prevent many other types of data exfiltration (email, cloud uploads, etc.).

    - Key stroke logging - With Intercept X we have looked at keystroke encryption technology, and have a prototype that we do not want to deploy yet as it can cause problems for some keystroke expansion tools. I do not see us adding the keystroke protection in the short term, but all the comms going into and out of this box may trigger a Command and Control detection event if the IP being communicated with is a suspect C2 site.

    In summary, I expect that these types of videos will be more common as we close all the other avenues of attack for adversaries and they scramble to find ways around what we have developed.  You will notice that they did not attempt any of the techniques we have already shut them out of.   
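As an added illustration of the "code cave" tactic the reply names (example code written for this page, not Sophos's detection logic or anything from the video): a stdlib-only Python triage check that parses the PE headers, lists zero-byte runs inside executable sections (compiler padding leaves such caves in clean binaries too, so a cave alone is not a verdict) and flags the stronger sign of a patched binary, an entry point redirected into a cave. The build_sample_pe helper constructs a minimal sample binary for both the clean and the redirected case.

```python
import struct

def parse_pe(data):
    """Return (entry_rva, sections) from a minimal PE header parse (stdlib only)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)  # NumberOfSections, SizeOfOptionalHeader
    entry, = struct.unpack_from("<I", data, pe + 24 + 16)    # AddressOfEntryPoint
    sections, off = [], pe + 24 + opt_size                  # section table follows optional header
    for _ in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars, = struct.unpack_from("<I", data, off + 36)   # Characteristics
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawptr, rawsize, chars))
        off += 40
    return entry, sections

def find_code_caves(data, min_cave=64):
    """List (section, file_offset, length) of zero-byte runs inside executable sections."""
    caves = []
    for name, va, vsize, rawptr, rawsize, chars in parse_pe(data)[1]:
        if not chars & 0x20000000:                          # IMAGE_SCN_MEM_EXECUTE
            continue
        buf, start = data[rawptr:rawptr + rawsize], None
        for i in range(len(buf) + 1):                       # +1 flushes a run ending at the section end
            zero = i < len(buf) and buf[i] == 0
            if zero and start is None:
                start = i
            elif not zero and start is not None:
                if i - start >= min_cave:
                    caves.append((name, rawptr + start, i - start))
                start = None
    return caves

def entry_point_in_cave(data, min_cave=64):
    """True when AddressOfEntryPoint points into a cave: the classic patched-binary sign."""
    entry, sections = parse_pe(data)
    for _, va, vsize, rawptr, rawsize, _ in sections:
        if va <= entry < va + max(vsize, rawsize):
            file_off = rawptr + (entry - va)                # RVA -> file offset within this section
            return any(s <= file_off < s + n for _, s, n in find_code_caves(data, min_cave))
    return False                                            # entry outside every section: flag separately

def build_sample_pe(entry_in_cave):
    """Constructed sample: one .text section, 0x100 bytes of NOPs followed by a 0x100-byte cave."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x1110 if entry_in_cave else 0x1000) + b"\0" * (0xE0 - 20)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0") + b"\x90" * 0x100 + b"\0" * 0x100
```

Run against a real binary with `entry_point_in_cave(open(path, "rb").read())`; a hit is a triage lead for a closer look, not a verdict, and packers and some linkers produce caves legitimately.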
