Investigation of McAfee Endpoint Agent and Powershell interaction

Recently I came across the logs issued by my McAfee Endpoint Agent that looked suspicious to me. It looked like this.
So, svchost.exe started powershell.exe. Based on our corporate policy, this action wasn't blocked. Still, I was not aware there is a powershell running on my laptop in the background. Also the fact it was run by a system process raised an alarm. I decided at this point to investigate what is actually going on here.
The first step was to run a process monitor and observe what is powershell.exe doing. Maybe I can get some idea from the detailed dump from process monitor what exactly it is doing, which script it executes etc. I stared process monitor with filter set to process name "powershell.exe".
And indeed, powershell was loading some system DLLs,creating, reading some registry keys etc. The detail that attracted my attention here was the process conhost.exe - very similar to cmd.exe, so another command shell. The whole dump from Process Monitor was exported into Excell to allow easier search. After trying various strings, mostly "*.ps1", "powershell.exe" and many others, I detected the following content.

Powershell.exe executes the script loaded on the shared drive of our corporate server. At that time I was pretty sure there was nothing malicious here, but still , I wanted to understand what is this script doing.
After loading the script from this folder into my text editor, it was indeed just a benign check if the specific windows update service was running or not. Further, my intention was to discover what exactly happens on the network level, mainly, to understand what processes are required to control this script execution - we knew powershell.exe and conhost.exe were involved- was there anything else.
It seems there is - first I ran netstat to check established SMB connections (tcp port 445) because I saw the script is executed from a shared folder on Windows. I also ran Wireshark in parallel to see what this SMB communication does. All pretty standard stuff, but I still don't know what process handles the SMB communication. Several experiments were done in Process Monitor to isolate the process responsible for SMB communication, but it was not powershell.exe nor conhost.exe. After a lot of attempts with filters on process IDs, process names , all correlated with time when powershell.exe was started I found out it was the System (PID=4) that does SMB session.
Given that McAfee logs were showing entries at precisely the same time every day, I assumed this execution was defined in the Windows scheduled tasks.

One more thing that was left to find out was how did the McAfee capture those events in its log. Once again I needed to call Process Monitor in help and trace the processes accompanied with powershell.exe and System (PID=4).
Note the entry with powershell.exe looking into registry key. The key is labelled as McAfee, so I good chance we may find the missing link responsible for logging. Let us investigate the registry and try to figure out what these keys are.
Note the "Data" field - all contain the key word "IPSAppHookRule". Intuitive enough, some kind of API hooking is in place so that McAfee endpoint client can intercept the process calls (not API calls!) and, my assumption here, to inspect the process name to be executed. A quick look into the key value for powershell.exe is this.
Let us check some hypotheses here - is the hooking tied to the process name? If so, then it detects every invocation of powershell.exe. What would happen if I simply rename the file? Let us do that.
I found the process that calls the powershell script , copied powershell.exe into "powershell2.exe", edited scheduled tasks and let the scheduler run at its programmed time.

It is important to note here that renaming or copying powershell.exe to powershell2.exe required local Admin privileges. A quick check above proves that powershell.exe shall not execute, but powershell2.exe will. I went on to use powershell2.exe in the scheduled tasks.

After this intervention, the scheduler ran as usual, this time running the same task with powershell2.exe instead of powershell.exe and the logs in McAfee were at this stage were no longer appearing. Also, any manual run of powershell2.exe did not produce any alarm logs.
At this stage I decided to check with McAfee if they view this as a vulnerability or is this protection mechanism purposely designed to inspect only the static name of the process. I opened the case with them, and they replied as follows indicating this is not considered a vulnerability.
In fairness, I can agree to a certain degree with their view - this is only one stage of protection that they designed to recognise the name of the process. Nothing else in this first step inspection process. In addition, one would require local administrative privilege to rename/copy the file from C:\windows\system32.  From my humble knowledge and research of the McAfee Endpoint agent, I am sure it does the second level protection in terms of heuristic analysis and behaviour anomalies. This means that even though one bypassed the process name restriction, and one ran some suspicious actions with this renamed process, the Agent would still analyse what the process is doing - if anything malicious, it would most likely prevent the action. This last step (heuristic inspection) was not in the scope of this investigation and I cannot confirm that it either did or did not kick in.


Comments

Post a Comment

Popular posts from this blog

Signature verification bypass vulnerability in some Huawei routers

Image
This blog will describe the discovery of the digital signature bypass on some Huawei routers.  The idea of digital signature check is simple - you have a piece of code and you calculated the checksum/hash of that file. The hash or checksum can be thought of as a "signature", a mathematical value that is uniquely assigned to the code (in our case the code was a firmware file). As soon as you change anything in the file and recalculate the hash, it should be significantly different from the original value - that is the feature of the hashing algorithm. Even the small change in the code will change the hash significantly. Vendors in most cases provide the such a pre-calculated hash so that the customer or the system may check if the hash of the image is indeed the same as vendor required. What was found in this investigation was that the system command on the Huawei AR1220E router does not perform this check properly. As a consequence, the attacker might be abl
Read more

Attacking encrypted VOIP (SIP) protocols

Image
In this post I will be explaining the approach in attacking the encrypted voice over IP (VOIP) protocol, more specifically, SIP (Session Initiation Protocol).  When we are talking about the SIP encryption, it will most likely assume some kind of SSL/TLS wrapping (SIP over TLS). An example below shows the solution design that allows interception, decryption and manipulation of SIP messages. The central component consists of mitm_relay.py and BURP. It is not required that both BURP and mitm_relay run on the same machine, but my setup did run both of them on the same virtual instance. The communication chain looked like this: Client -> mitm_relay->BURP->SIP Server->Client 2 The mitm_relay.py is a python script available at https://github.com/jrmdev/mitm_relay Before we fire up the mitm_relay, we need to configure couple of things- its certificate (self signed in my case, and private key). Once this is in place, we can run it: Few details about the mitm_relay setup:
Read more

DNS insights - UDP vs TCP and EDNS

Image
In this article I will elaborate the research I did in relation to DNS (Domain Name Service). The particular issue discussed here is when and how DNS uses TCP or UDP transport layer in relation to the packet size. Normally, DNS will run queries and replies via UDP protocol unless there is a Zone Transfer , incremental or full (IXFR or AXFR , respectively). According to the original DNS specification as given in the RFC 1035 (https://www.ietf.org/rfc/rfc1035.txt), DNS will also use TCP for packets larger than 512 bytes. However, there was another RFC issued in 2013 which is RFC 6891 (Extension Mechanism for DNS), labelled as EDNS(0). https://tools.ietf.org/html/rfc6891 I came across this issue accidentally, but as we will see in the text, some issues were noticed that are some not well documented reasons why DNS may fail to comply with EDNS. To do the proper investigation, here are some assumptions I worked with: a) I wanted to check DNS clients from both Windows and Linux b) I wan
Read more