With EDR (Endpoint Detection and Response) becoming more necessary and common, the question arises of which tactics and techniques are evading these protections. ProCircular recently conducted a penetration test that successfully bypassed EDR protections by leveraging living-off-the-land tools and incident response techniques. Our objective was to achieve full domain compromise within the targeted network, demonstrating the vulnerabilities and weaknesses that need to be addressed for robust cybersecurity. A walkthrough of the attack follows.
- Network Poisoning and Authentication Hash Capture: The penetration test began by deploying ProCircular's CyberBlock device within the internal network of the client, simulating an assumed breach scenario. Through legacy name resolution protocols and IPv6 manipulation, ProCircular executed a network poisoning attack to intercept and forward traffic between poisoned computers, allowing for the capture of NTLMv2 authentication hashes and SMB authentication traffic.
- Offline Password Cracking and SMB Authentication Relay: ProCircular extracted NTLMv2 authentication hashes from the captured data and employed offline password-cracking techniques to uncover clear-text passwords. Additionally, by relaying the SMB authentication traffic, ProCircular impersonated a user with compromised credentials, gaining access to other hosts within the network where SMB signing was not enabled.
- Enumeration and Credential Discovery: Exploiting the compromised user's privileges, ProCircular utilized various tools to enumerate the client's network, gathering information on users, groups, SMB shares, computers, and Active Directory certificate configurations. With the help of the MANSPIDER tool, sensitive files containing keywords and extensions associated with credentials were discovered.
- Hardcoded Credential Extraction: ProCircular developed a Python script to identify and isolate files containing hardcoded credentials. Through this process, several configuration files scattered across the network revealed significant credentials. Notably, a service account was identified, providing limited local administrative privileges on two machines.
- Discovery of High-Privileged Accounts: Through continued enumeration, ProCircular discovered a second account with local administrator privileges on seven domain computers. Further exploration led to the identification of a higher-privileged service account logged into a compromised host.
- Evasion Techniques and Extraction of Cleartext Passwords: To evade XDR protections, ProCircular utilized the privileges of a compromised user to establish RDP connections and SMB connections using Impacket's smbclient.py. The KAPE tool, a trusted Windows artifact parser and extractor, was uploaded to the host, allowing the extraction of registry hive information. SecretsDump, another Impacket tool, facilitated the extraction of cleartext passwords.
- Domain Administrator Account Acquisition: Credentials extracted with KAPE gave ProCircular administrator privileges on 165 hosts, and the hunt for a domain administrator account continued. Eventually, a domain administrator was found logged into one of the 165 compromised hosts. The same process of uploading KAPE and extracting registry hive files was repeated, yielding the domain administrator's cleartext password.
- Exploiting Domain Controller and Hash Acquisition: Leveraging the domain administrator privileges, ProCircular accessed the client's domain controller over RDP. Once inside, the NTDS.dit database and SYSTEM hive were extracted using the ntdsutil.exe Windows utility. These files gave ProCircular access to all users and NTLM password hashes within the domain. The use of ntdsutil.exe was not alerted on by either Cortex or Microsoft Defender for Identity.
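As an added illustration (not part of ProCircular's engagement or tooling), the detection logic below scans constructed process-creation records for the two behaviours that went unalerted above: ntdsutil.exe invoked with its install-from-media (ifm) option, which writes NTDS.dit and the SYSTEM hive to disk, and programs outside an allowlist reaching for raw registry hives. The KAPE command line, the allowlist entry approved-backup-agent.exe and the host names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class ProcEvent:
    host: str
    user: str
    image: str          # full path of the created process
    command_line: str

# Hypothetical allowlist of images permitted to read raw registry hives.
ALLOWED_HIVE_READERS = {"approved-backup-agent.exe"}

# ntdsutil's IFM path ("ifm" / "create full <dir>") exports NTDS.dit plus the SYSTEM hive.
NTDSUTIL_IFM = re.compile(r"\bifm\b|create\s+full", re.IGNORECASE)
# Raw-hive access: KAPE's RegistryHives target or a direct reference to the hive files.
HIVE_ACCESS = re.compile(r"RegistryHives|\\System32\\config\\(SAM|SYSTEM|SECURITY)\b",
                         re.IGNORECASE)

def classify(ev: ProcEvent) -> List[str]:
    """Return the rule names an event triggers (empty list if nothing matched)."""
    hits = []
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    if exe == "ntdsutil.exe" and NTDSUTIL_IFM.search(ev.command_line):
        hits.append("ntdsutil_ifm_ntds_export")
    if exe not in ALLOWED_HIVE_READERS and HIVE_ACCESS.search(ev.command_line):
        hits.append("unapproved_registry_hive_access")
    return hits

def scan(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Flatten all findings into (host, user, rule) tuples for alerting."""
    return [(ev.host, ev.user, rule) for ev in events for rule in classify(ev)]

# Constructed sample telemetry; none of it comes from the engagement described above.
SAMPLE_EVENTS = [
    ProcEvent("DC01", "CORP\\da-user", "C:\\Windows\\System32\\ntdsutil.exe",
              'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\out" q q'),
    ProcEvent("WS117", "CORP\\svc-backup", "C:\\Tools\\kape.exe",
              "kape.exe --tsource C: --target RegistryHives --tdest C:\\temp\\k"),
    ProcEvent("WS118", "SYSTEM", "C:\\Program Files\\Vendor\\approved-backup-agent.exe",
              "approved-backup-agent.exe --snapshot C:\\Windows\\System32\\config\\SYSTEM"),
    ProcEvent("WS119", "CORP\\jdoe", "C:\\Windows\\System32\\notepad.exe", "notepad.exe notes.txt"),
    ProcEvent("DC01", "CORP\\backup", "C:\\Windows\\System32\\ntdsutil.exe",
              'ntdsutil.exe "ac i ntds" "files" "info" q q'),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The allowlisted agent and the read-only ntdsutil "files info" query produce no findings, which is the point of pairing a behavioural match with an allowlist rather than alerting on the binary name alone.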
This paper showcased an attack path that successfully bypassed EDR protections using living-off-the-land and incident response tools, ultimately achieving full domain compromise. By exposing vulnerabilities and demonstrating the potential impact of such attacks, organizations can better understand the need for comprehensive security measures to safeguard their networks and data. While all other attack methods were thwarted by EDR protections, incident response tools and native Microsoft programs turned against their intended purposes were what won the day. Defending against attacks such as these requires auditing of company applications, application allowlisting, and monitoring and alerting on any application that interacts with a host's registry hives. Contact our team today to ensure your organization stays protected from evolving threats!