Cylance antivirus
Endpoint Detection and Response (EDR) solutions are the next generation of antivirus software, raising the bar for attackers in terms of prevention and detection capabilities. EDR solutions go beyond signature-based detection to analyze malicious behaviors and activities, as well as collect a wealth of forensic information to improve Threat Hunting efforts. This article will highlight how White Oak Security was able to bypass the EDR solution by Cylance on a recent Red Team engagement to extract Domain Admin credentials from LSASS, leading to a compromise of the client's entire environment.

This particular Red Team engagement started out swell. We quickly found credentials for a high-privileged domain user account in an unrestricted file share. The compromised account appeared to have administrative access to a number of Windows servers. We used the compromised credentials to upload and execute Cobalt Strike onto one of the servers, providing elevated privileges to the system as a user in the local Administrators group. We observed that a Domain Admin was actively logged into the system and quickly moved to dump memory from LSASS using Living Off the Land Binaries and Scripts (LOLBins\LOLBas), hoping to extract the Domain Admin's credentials.

Powershell -c rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump full

We loaded the LSASS memory dump into pypykatz, a Python implementation of mimikatz, in the hopes of extracting cleartext and hashed credentials. However, this is where our Red Team engagement hit some rough waters. Dumping memory from LSASS is a straightforward attack where we rarely experience issues. The error message below is uncommon to experience.

We attempted to troubleshoot the issue by loading the LSASS memory dump into mimikatz, instead of pypykatz, as something may have been wrong with our pypykatz installation. After a bit of research, it appeared that Cylance was interfering with dumping the memory of LSASS. An article by Tyler Booth written in 2018 confirmed this was likely the case. The issue was caused by a filter driver that Cylance uses to implement LSASS memory protections by injecting CyMemDef.dll into every process.

#Disabling Cylance

The solution identified by Tyler was to simply rename CyMemDef.dll. If the DLL file does not exist, Cylance has nothing to inject into every process, and will not be able to prevent an attacker from dumping LSASS memory 🙂

Write permissions are required to rename CyMemDef.dll, which only the NT AUTHORITY\SYSTEM or local Administrator accounts possess. We were not able to rename the file with our current compromised account, as the account was in the local Administrators group and only had read and execute permissions over CyMemDef.dll. To escalate our privileges, we extracted the local Administrator account hash by copying the Security Accounts Manager (SAM) and SYSTEM registry files. To our surprise, Cylance did not prevent this attack.

Copied SAM registry file

Copied SYSTEM registry file

The local Administrator account password hash was used with the SMBExec Impacket script via a Pass-the-Hash attack to obtain a privileged remote shell on the system.
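The chain described in this post (a rundll32/comsvcs.dll MiniDump attempt, tampering with CyMemDef.dll, then copying the SAM and SYSTEM hives) leaves traces that a defender can alert on. The following is an added detection example, not code from the original post or from Cylance; the event records are constructed to look like simplified Sysmon/Windows audit output, and the Cylance install path is a placeholder.

```python
import re

# Constructed sample events (not from the original post). "type" is either
# a process-creation record or a file-access record; the CyMemDef.dll path
# uses a placeholder directory rather than the real install location.
SAMPLE_EVENTS = [
    {"type": "process", "user": "CORP\\svc_build",
     "cmdline": r"Powershell -c rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump full"},
    {"type": "process", "user": "CORP\\bob",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "file", "op": "rename", "user": "CORP\\svc_build",
     "path": r"C:\CYLANCE_INSTALL_DIR\CyMemDef.dll"},
    {"type": "file", "op": "read", "user": "CORP\\svc_build",
     "path": r"C:\Windows\System32\config\SAM"},
    {"type": "file", "op": "read", "user": "CORP\\svc_build",
     "path": r"C:\Windows\System32\config\SYSTEM"},
    {"type": "file", "op": "read", "user": "CORP\\bob",
     "path": r"C:\Users\bob\notes.txt"},
]

# comsvcs.dll exporting MiniDump is the LOLBin the post uses against LSASS.
MINIDUMP_RE = re.compile(r"comsvcs\.dll.*\bMiniDump\b", re.IGNORECASE)
HIVE_NAMES = {"sam", "system"}
TAMPER_OPS = {"rename", "delete", "write"}


def classify(event):
    """Return the alert names raised by a single event (empty if benign)."""
    alerts = []
    if event["type"] == "process":
        if MINIDUMP_RE.search(event.get("cmdline", "")):
            alerts.append("lsass_dump_comsvcs_minidump")
    elif event["type"] == "file":
        path = event["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        if name == "cymemdef.dll" and event["op"] in TAMPER_OPS:
            alerts.append("cylance_memdef_tamper")
        if name in HIVE_NAMES and "\\config\\" in path:
            alerts.append("registry_hive_access")
    return alerts


def run_detections(events):
    """Count alerts over an event stream and flag the post's full chain:
    CyMemDef.dll tampering followed by LSASS dumping or hive access."""
    counts, tamper_seen, chained = {}, False, False
    for ev in events:
        for alert in classify(ev):
            counts[alert] = counts.get(alert, 0) + 1
            if alert == "cylance_memdef_tamper":
                tamper_seen = True
            elif tamper_seen:  # credential access after protection was removed
                chained = True
    counts["chained_cylance_bypass"] = int(chained)
    return counts
```

The chain flag is what turns three medium-severity hits into one high-severity incident: a user touching CyMemDef.dll and then reading SAM/SYSTEM is the sequence the post describes.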