Pentest – SCRT Team Blog

Blinding EDRs: A deep dive into WFP manipulation

This article complements existing research referenced in the Further Reading section.

Endpoint Detection and Response (EDR) solutions are essential to modern defensive architectures. Their abilities to monitor, block, and respond to threats are important for containment and remediation. However, like all complex systems, EDRs rely on components that can be turned against them. One of those components is the Windows Filtering Platform (WFP), which many EDRs leverage for network traffic control and endpoint isolation.

In this article, we explore how WFP can be manipulated to either block an EDR’s connection to its cloud backend or bypass its isolation mechanisms. Both cases can effectively “blind” the EDR or reduce its effectiveness.

We observed that certain EDRs show reduced detection and response capabilities when disconnected from their cloud infrastructure. This prompted us to investigate how WFP configuration can affect an EDR’s cloud communication. During testing, we found that the same mechanism underpins the product’s “isolation” mode, meaning that manipulating WFP rules can also be leveraged to bypass its network containment features.

Hijacking the Windows “MareBackup” Scheduled Task for Privilege Escalation

The built-in “MareBackup” scheduled task is susceptible to a trivial executable search order hijacking, which can be abused by a low-privileged user to gain SYSTEM privileges whenever a vulnerable folder is prepended to the system’s PATH environment variable (instead of being appended).

Reinventing PowerShell in C/C++

I like PowerShell, I like it a lot! I like its versatility, its ease of use, its integration with the Windows operating system, but it also has a few features, such as AMSI, CLM, and other logging capabilities, that slow it down. You know, I’m thinking about the performance gain here. I believe my scripts could run a lot faster without them.

Jokes aside, I know that a lot has already been done around this subject, but I wanted to approach the problem in a slightly different way than the existing projects. So, I worked on a way to instantiate a full-blown PowerShell console using only native code, which allowed me to do some “cleaning” at the same time.

Exploiting stale ADIDNS entries

The correct IP address is sometimes all you need to exploit a remote target.

Apache Solr 8.3.1 RCE from exposed administration interface

Back in 2020, during an external pentest, I stumbled upon a visible Solr administration panel. With nothing else of interest, I focused on this specific application to test what was hidden underneath.

Bypassing LSA Protection in Userland

In 2018, James Forshaw published an article in which he briefly mentioned a trick that could be used to inject arbitrary code into a PPL as an administrator. However, I feel like this post did not get the attention it deserved as it literally described a potential Userland exploit for bypassing PPL (which includes LSA Protection).

State of Pentesting 2020

To many people, pentesting (or hacking in a broader sense) is a dark art mastered by some and poorly understood by most. It has evolved quite substantially throughout the years, guided by new vulnerabilities, changing behaviours and maybe most importantly the development and release of new tools, be they offensive or defensive.

Continuous Pentesting

At SCRT, we have been performing penetration tests for nearly 20 years now and have always tried to improve our methodologies to match client expectations and deliver the most accurate and useful results from each test we undertake.

Metasploit psexec resurrect

What a joy !

I just received tonight this nice email from github :

Meatballs1 merged commit 1a3b319 into rapid7:master from agix:refreshed_service_payloads

My 2 years old pull request to metasploit was just accepted !

Le framework metasploit – 2/2

Ce post fait suite à la publication de la première partie de l’article sur le framework metasploit publié dans le numéro 52 du magasine MISC par Julien Bachmann et Nicolas Oberli.