Authors: Tomer Bar, VP Security Research, SafeBreach | Shmuel Cohen

The SafeBreach Labs team is committed to conducting original research to uncover new threats and ensure our Hacker's Playbook provides the most comprehensive collection of attacks. As part of this ongoing research, our team recently discovered vulnerabilities in various endpoint detection and response (EDR) products that allow adversaries to remotely erase critical files and databases without authentication, which could lead to data loss, denial of service (DoS), and significant security risk.

We believe the ten attack vectors we discovered are the tip of the iceberg and, since Microsoft Defender is embedded at multiple critical points in many cloud vendors' environments, the impact of these vulnerabilities could be significant and far reaching. We first presented this research at Black Hat USA 2023 and are sharing it with the broader security community in this post.

Below, we will provide a high-level overview of the previous SafeBreach Labs research that served as the foundation for our latest discovery. We will then explain the research process that uncovered a method for remote deletion of both user and operating system (OS) files by leveraging leading EDRs. Finally, we will highlight the vendor response and describe how SafeBreach is sharing this information with the broader security community to help organizations protect themselves.

Our research journey began with a critical finding by one of our team members, Or Yair, who identified multiple zero-day vulnerabilities in several major EDRs in his Aikido Wiper research, presented at Black Hat Europe 2022. In that research, Or showed that it was possible to make an EDR delete the wrong file by exploiting a time-of-check to time-of-use (TOC/TOU) vulnerability, resulting in the total deletion of all user and OS files after a certain period. Building on this initial discovery, we conducted a secondary research effort to identify vulnerabilities that allow remote deletion of critical files through the same EDR products. The central question we asked ourselves was: Is it possible to trick EDRs into deleting legitimate files?

The Research Process

During our investigation, we successfully identified multiple attack vectors, including inserting minimal malicious signatures into web server logs, email clients, Windows event logs, and databases, that triggered EDR products to automatically delete files or databases without authentication, resulting in a DoS condition. Below, we provide a high-level overview of each of the steps in our research process that led to these discoveries.

Develop Minimal Signature to Trigger File Deletion

Our first goal was to find a minimal signature that triggered automatic deletion when appended to an empty file. To start, we focused on Microsoft Defender, which is the default EDR installed on hundreds of millions of Windows endpoints and servers. After a significant amount of trial and error, we were able to minimize a malicious file to a 15-character signature, consisting mainly of non-alphanumeric characters, that successfully triggered Microsoft Defender to automatically delete the file's content.

Next, we used trial and error to identify the sections of a legitimate file where the malicious signature could be appended. We focused on non-executable files, since they are intended to be modified and more easily allowed us to insert our malicious signature. When we manually embedded the malicious signature into a non-executable file, we were able to locally trigger automatic deletion of that file by Microsoft Defender.

Remotely Trigger File Deletion on Windows Server

To enable a remote attack, we needed a way for a privileged service to write our signature to a remote file. As one example, we used an HTTP request to send our malicious signature to a Windows-based web server, exploiting the fact that IIS records the request's User-Agent field in its logs, so the log line came to include our signature. This triggered Microsoft Defender, which was installed on the web server, to delete the log file.

Remotely Trigger File Deletion on Linux Server

Since many web servers run on Linux, we wanted to explore this platform too. Linux servers typically do not ship with a built-in EDR, so we focused on triggering other EDR products commonly installed on Linux web servers. These included AVG, Avast, Trend Micro, CrowdStrike, Palo Alto Cortex XDR, SentinelOne, and Kaspersky.
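The signature-minimization step described above was done by manual trial and error. The Python harness below is an added example, not SafeBreach's tooling and not the real Defender signature: it applies delta debugging (Zeller's ddmin) to shrink a file the scanner acts on down to a 1-minimal byte sequence that still triggers it. Against a real EDR the oracle would write each candidate to a scanned directory and wait to see whether the file is deleted or emptied; here it is replaced by a constructed, offline oracle, and STAND_IN_SIGNATURE and SAMPLE_FILE are constructed stand-ins so the harness runs anywhere.

```python
"""ddmin harness for shrinking a scanner-triggering file to its minimal
trigger.  Added example; the oracle, signature and sample file are
constructed stand-ins, not the real Defender signature."""
from collections.abc import Callable

# Constructed 15-byte stand-in for a mostly non-alphanumeric signature.
# It is NOT the signature the research found; it only shapes the search.
STAND_IN_SIGNATURE = b"<%!|#~^&@$;{}?>"

# Constructed "legitimate" non-executable file (log-like text) with the
# stand-in signature embedded mid-file, as an attacker would insert it.
SAMPLE_FILE = (
    b"2023-08-01 12:00:00 GET /index.html 200\n" * 4
    + b"2023-08-01 12:00:01 GET /about.html " + STAND_IN_SIGNATURE + b" 200\n"
    + b"2023-08-01 12:00:02 GET /contact.html 200\n" * 4
)


def offline_oracle(data: bytes) -> bool:
    """Stand-in for 'the EDR deletes this file': a content scanner that
    fires on an exact substring match.  A real oracle would write `data`
    to a scanned directory, sleep, and report whether it disappeared."""
    return STAND_IN_SIGNATURE in data


def ddmin(data: bytes, triggers: Callable[[bytes], bool]) -> bytes:
    """Return a 1-minimal subsequence of `data` for which triggers() is
    still True, i.e. removing any single remaining byte stops the trigger.
    Each round splits the input into n chunks and tries dropping one."""
    if not triggers(data):
        raise ValueError("input does not trigger the oracle")
    n = 2                              # chunk granularity
    while len(data) >= 2:
        chunk = len(data) // n
        reduced = False
        start = 0
        while start < len(data):
            # Complement: everything except the chunk at [start, start+chunk).
            candidate = data[:start] + data[start + chunk:]
            if triggers(candidate):
                data = candidate       # keep the smaller input
                n = max(n - 1, 2)
                reduced = True
                break
            start += chunk
        if not reduced:
            if n >= len(data):
                break                  # every remaining byte is necessary
            n = min(n * 2, len(data))  # refine granularity and retry
    return data


def minimize(data: bytes, triggers: Callable[[bytes], bool]):
    """Run ddmin and count oracle calls.  Against a real scanner each call
    is a write-and-wait cycle, so this is the cost manual trial and error
    pays in wall-clock time."""
    calls = 0

    def counting(candidate: bytes) -> bool:
        nonlocal calls
        calls += 1
        return triggers(candidate)

    return ddmin(data, counting), calls


if __name__ == "__main__":
    result, calls = minimize(SAMPLE_FILE, offline_oracle)
    print(f"{len(SAMPLE_FILE)} bytes -> {len(result)} bytes in {calls} oracle calls")
    print(result)
```

Because the constructed oracle is an exact substring match, ddmin recovers the embedded 15 bytes precisely; with a real scanner the result is whatever bytes the detection logic actually keys on, which is the quantity the research needed in order to know what had to survive the trip into a log line.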
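The Windows web-server vector above chains three things: an unauthenticated HTTP request, IIS's W3C log writer, and the EDR's content scan of the resulting log file. The Python below is an added example, not code from the post or from SafeBreach: it models that chain and runs a detection heuristic over constructed IIS log lines. The default IIS field list and the space-to-'+' encoding of cs(User-Agent) are real IIS behaviour; the sample addresses, the stand-in signature, the run-length threshold and the helper names are assumptions made for the example.

```python
"""User-Agent -> IIS W3C log -> content scan: attacker request, on-disk
encoding, and a triage heuristic over constructed log lines.  Added
example; signature and addresses are constructed stand-ins."""
import re

# IIS default W3C field list (the #Fields directive IIS writes).
IIS_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
              "cs-username c-ip cs(User-Agent) cs(Referer) sc-status "
              "sc-substatus sc-win32-status time-taken").split()

# Constructed stand-in for the research's 15-character signature.
STAND_IN_SIGNATURE = "<%!|#~^&@$;{}?>"


def injection_request(host: str, signature: str) -> bytes:
    """Attacker side: one unauthenticated GET whose User-Agent carries the
    signature.  Assumption: the signature is made of bytes the server
    accepts in a header value; the response status does not matter,
    the request is logged either way."""
    return (f"GET / HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: {signature}\r\n\r\n").encode()


def iis_field_encode(value: str) -> str:
    """How the W3C logger stores a header value: spaces become '+', an
    empty value becomes '-'.  Punctuation reaches the file unchanged,
    which is why a non-alphanumeric signature survives the trip."""
    return value.replace(" ", "+") if value else "-"


def iis_log_line(client_ip: str, path: str, user_agent: str,
                 status: int = 200) -> str:
    """One log record in IIS_FIELDS order (constructed server values)."""
    values = ["2023-08-01", "12:00:00", "10.0.0.5", "GET", path, "-", "80",
              "-", client_ip, iis_field_encode(user_agent), "-",
              str(status), "0", "0", "15"]
    return " ".join(values)


def parse_w3c(text: str):
    """Yield one dict per record; '#Fields:' names the columns, other
    '#' lines are directives."""
    fields = IIS_FIELDS
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if len(values) == len(fields):
            yield dict(zip(fields, values))


# Characters a browser/tool User-Agent normally contains; anything else
# in a long unbroken run looks like a scanner signature, not a client.
_WEIRD_RUN = re.compile(r"[^A-Za-z0-9 +/;.,()\-_:]+")


def max_weird_run(user_agent: str) -> int:
    """Length of the longest run of characters outside the normal set."""
    return max((len(m.group(0)) for m in _WEIRD_RUN.finditer(user_agent)),
               default=0)


def scan_log(text: str, min_run: int = 6):
    """Return (client IP, logged User-Agent, run length) for records whose
    User-Agent looks like an injected signature.  Threshold is an assumption."""
    hits = []
    for rec in parse_w3c(text):
        run = max_weird_run(rec["cs(User-Agent)"])
        if run >= min_run:
            hits.append((rec["c-ip"], rec["cs(User-Agent)"], run))
    return hits


CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/115.0 Safari/537.36")

# Constructed log: two ordinary clients and one injection attempt that
# hides the stand-in signature inside a plausible-looking User-Agent.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 10.0",
    "#Version: 1.0",
    "#Fields: " + " ".join(IIS_FIELDS),
    iis_log_line("198.51.100.20", "/index.html", CHROME_UA),
    iis_log_line("198.51.100.21", "/api/health", "curl/8.1.2"),
    iis_log_line("203.0.113.7", "/", f"Mozilla/5.0 (compatible; {STAND_IN_SIGNATURE})", 404),
])

if __name__ == "__main__":
    print(injection_request("victim.example", STAND_IN_SIGNATURE).decode())
    for ip, ua, run in scan_log(SAMPLE_LOG):
        print(f"{ip}: run={run} ua={ua}")
```

The heuristic is for triage, not blocking: it tells an analyst which request put scanner-looking bytes into a log that the EDR is about to read. The practical follow-up question this raises for any log directory a scanner covers is whether a match there deletes the file, which is the behaviour the post reports, or only quarantines it.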