Cymulate Discovers Proof of Concept Exploit That Gets Around Many EDR Vendors
Cymulate, through its Cymulate Offensive Research Group, has uncovered an exploit technique they have named BlindSide that can be used in Windows operating systems to push malicious code past many EDR vendors.
EDR vendors generally have two different ways to attach to the Windows OS: they can tie the EDR to ETW telemetry data, or they can use DLL hooking. In the case of EDR vendors who use DLL hooking, Ilan Kalendarov, lead researcher for the Cymulate Offensive Research Group, uncovered that on Windows a hardware breakpoint and debug register used with x86 and x64 processors can be used to inject commands and prevent EDR scanning and protection from occurring. When this was enabled, he was able to start a new process in debug mode and load it without the hooked EDR and other processes. This is an evasion technique that works against EDR vendors who use DLL hooking and would prevent malicious code from being seen.
For a full technical deep dive, please see Ilan Kalendarov's blog post, which goes into the discovered exploit and includes a video demonstration of the technique and questions from Cymulate Solution Architect Mike DeNapoli: https://cymulate.com/blog/blindside-a-new-technique-for-edr-evasion-with-hardware-breakpoints
As responsible cybersecurity professionals, we notified Microsoft immediately, and while they thanked us for the submission, they didn't have any additional comments or concerns at this time. We also met with EDR vendors and gave them time to understand the exploit and how it works, and to fix the issues within their solutions. We should also note that two of the many vendors who use DLL hooking also had functionality, not enabled by default, that would have seen and blocked the exploit.
Cymulate customers with the Advanced Scenarios module can check whether their EDR vendor has issues by testing against the Cymulate solution:
- In the Cymulate interface go to Advanced Scenarios/Templates/ then select New Template.
- The Repository opens. In the search window type “msf”. You will see Msfvenom Shellcode Injection (Blindside) appear. Click on the + to add to a new template and select Next.
- Name your template and give it a description then select Save.
- Now run the template to see if your EDR is vulnerable to the exploit.
This is to see if it will work. This module will utilize remote hardware breakpoints to unhook ntdll. Upon successful execution, the module will load a shellcode generated by Msfvenom that will open the Microsoft calculator app (calc.exe).
Those who do not have the module can contact Cymulate; we will enable it in your license to run once to check in your deployments.