Bypassing Cylance: Part 1 – Using VSAgent.exe
Recently, we had the opportunity to test a production Cylance environment. Each environment is different, and the efficacy of security controls depends largely on individual configuration. The posts over the next several days illustrate our observations in one such environment; different configurations and sound application of defense-in-depth will naturally yield different results.
This week we will illustrate the techniques that worked for establishing command and control communication within the environment. It should be noted that the environment did not have an effective application whitelisting implementation in place during testing. In addition, access to cmd.exe and powershell_ise.exe was not restricted. This series will start with non-traditional C2 channels first.
VSAgent.exe
BHIS has a custom C2 tool called VSAgent (get it at John’s 504 DropBox tinyurl.com/504extra2) which uses the ViewState parameter in a well-formed HTML page to communicate commands and their results between the C2 server and client. The ViewState parameter is commonly used in ASP.NET web applications to maintain state between the client and the server. Because this field is so commonly observed and is base64 encoded and optionally encrypted when in legitimate use, it is a difficult target to inspect.
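Because the channel hides in a field defenders see on every ASP.NET page, the practical question is how to tell a real ViewState from an arbitrary blob riding in the same parameter. The script below is an added example written for this post (it is not part of VSAgent or any BHIS tool) and relies on one documented property of ASP.NET: state serialized by the LosFormatter/ObjectStateFormatter begins with the bytes 0xFF 0x01, which is why legitimate values start with "/wE". It pulls __VIEWSTATE values out of an HTML response or a form-encoded request, base64-decodes them, checks for that header, and reports decoded size and byte entropy as context. The sample response and request are constructed for the example, including the generator id.

```python
import base64
import binascii
import math
import re
from html import unescape
from urllib.parse import quote_plus, unquote_plus

# Serialized ASP.NET ViewState (LosFormatter / ObjectStateFormatter) starts with
# the two bytes 0xFF 0x01, which base64-encode to the well-known "/wE" prefix.
LOS_MAGIC = b"\xff\x01"

# __VIEWSTATE as an HTML hidden input (server response) ...
HIDDEN_INPUT_RE = re.compile(
    r'name="__VIEWSTATE"\s+(?:id="__VIEWSTATE"\s+)?value="([^"]*)"', re.I)
# ... and as a form-urlencoded parameter (client request). The trailing "="
# keeps __VIEWSTATEGENERATOR from matching.
FORM_PARAM_RE = re.compile(r'(?:^|&)__VIEWSTATE=([^&]*)')


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the decoded payload (8.0 is the maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_viewstates(message: str) -> list[str]:
    """Return every __VIEWSTATE value found in one HTTP request or response body."""
    found = [unescape(m) for m in HIDDEN_INPUT_RE.findall(message)]
    found += [unquote_plus(m) for m in FORM_PARAM_RE.findall(message)]
    return found


def assess_viewstate(value: str) -> dict:
    """Decode one ViewState value and list the reasons it looks anomalous."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return {"value": value[:16], "size": 0, "entropy": 0.0,
                "reasons": ["not valid base64"]}
    reasons = []
    if not raw.startswith(LOS_MAGIC):
        reasons.append("missing 0xFF 0x01 LOS header (value does not start with /wE)")
    return {"value": value[:16], "size": len(raw),
            "entropy": round(shannon_entropy(raw), 2), "reasons": reasons}


def scan(message: str) -> list[dict]:
    """Assess every ViewState value carried in one HTTP message."""
    return [assess_viewstate(v) for v in extract_viewstates(message)]


# Constructed samples (not captured traffic). The first carries serialized
# state with the LOS header; the second carries an arbitrary blob in the field.
LEGIT_STATE = base64.b64encode(LOS_MAGIC + b"\x0f\x0f\x05\x00\x05\x05hello").decode()
SAMPLE_RESPONSE = (
    '<form method="post" action="./Default.aspx">\n'
    '<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="' + LEGIT_STATE + '" />\n'
    '<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="CA0B0334" />\n'
    '</form>'
)
SMUGGLED = base64.b64encode(b"output from the client goes here\n").decode()
SAMPLE_REQUEST = ("__EVENTTARGET=&__VIEWSTATE=" + quote_plus(SMUGGLED)
                  + "&__VIEWSTATEGENERATOR=CA0B0334&Button1=OK")

if __name__ == "__main__":
    for label, msg in (("response", SAMPLE_RESPONSE), ("request", SAMPLE_REQUEST)):
        for finding in scan(msg):
            status = "ANOMALOUS" if finding["reasons"] else "looks like serialized state"
            print(f"{label}: {finding['value']}... size={finding['size']} "
                  f"entropy={finding['entropy']} {status} {finding['reasons']}")
```

Two caveats before wiring this into a proxy or IDS. An application running with viewStateEncryptionMode=Always emits an encrypted blob that does not carry the plaintext header, so the check has to be baselined per site rather than applied globally, and the header itself is trivially present in anything that wants to look like ViewState, so a passing value is absence of evidence, not proof. Decoded size and request frequency per host, which the script already reports, are the more durable signals for a field that should change little between legitimate postbacks.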
In this case, the vsagent.exe client was simply downloaded to the target computer and executed.
The Cylance instance did not detect or prevent the vsagent.exe tool from executing and establishing a C2 channel. Because of this, other compensating controls should be in place to prevent this behavior.
For example, web content filtering could be used to prevent the download of executable files. However, this can typically be bypassed by downloading the file in a different format or inside an encrypted or compressed archive and then unpacking it on the target host. Alternatively, a malicious employee or an attacker may deliver a tool like this using removable media.
A more appropriate countermeasure is properly implemented application whitelisting. When application whitelists are based on file signatures, they are notoriously difficult to bypass and require techniques such as the use of rundll32.exe, installutil.exe, or msbuild.exe.
____
Editor’s Note: This is part one of a special week-long five-part series about bypassing Cylance by David. Check back for parts 2-5!
Stephen Smith
March 27, 2017 @ 6:21 pm
David,
Can you clarify what “It should be noted that the environment did not have an effective application whitelisting implementation in place during testing. In addition, access to cmd.exe and powershell_ise.exe were not restricted.”
To me, this means that at least script control wasn’t set to block or terminate.
Can you also share what configuration was set on the agent? I’m just curious because we are a reseller/VAR/MSSP for Cylance and our default policy locks this all down.
John
March 28, 2017 @ 10:25 am
The config we cannot give because it is from a customer.
Also, we are huge fans of whitelisting. It is the cat’s pajamas.
The point on this is not the validity of whitelisting. It works well. And, you can do it for free with AppLocker and SRP. It is not a special feature in Cylance.
The point is this is supposed to be next generation coolness… And we are not seeing that in our customers. We often hear about cool feature X which was not turned on. However, we test the real world. Not marketing propaganda.
Stephen Smith
March 28, 2017 @ 10:46 am
So script control wasn’t on, and PowerShell one-liners are not blocked. If everything was not turned on… it’s not a bypass, is it? I’m just trying to understand how weakening a product because you can “do it for free” is a true test of the software.
Maybe some companies don’t have whitelisting setup; maybe they don’t have the resources to do that in their environment.
I’d love to see a fully lockdown config, and then see someone try to bypass it. So far a few partners we have who are pen testers haven’t been able to, unlike most of the other big names.
I’m just trying to understand how this is a full test when things are turned off.
Thank you for your time.
Anonymous for a reason
April 6, 2017 @ 3:46 pm
“I’m just trying to understand how weakening a product because you can ‘do it for free’ is a true test of the software.”
This is rich … coming from a Cylance reseller. Turning off protection layers in competitor products is the core modus operandi employed by Cylance in order to discredit others. I guess the blade cuts both ways?
Stephen Smith
April 7, 2017 @ 4:15 am
If that were true, I’m not sure what it has to do with me and our company. We resell Cylance and do not dupe our customers, we have them compare to what they have now and they make the decision to switch. Grouping us in with something reported years ago seems unoriginal and unfair. I would address you directly but you chose to stay anonymous…
John
March 28, 2017 @ 10:52 am
You really, really need to take a breath.
Some of the things you are saying are going to come back to bite you. You are making a series of assumptions about PowerShell.
It was configured to block PowerShell. But it was so easy to bypass it was not even remotely close to funny.
I would recommend a call.
303-710-1171
techie
March 28, 2017 @ 1:50 pm
Hey John,
For application whitelisting, how effective do you think path-based rules using SRP are?
Thanks..
John
March 28, 2017 @ 3:20 pm
It is fantastic. Still can be bypassed with a specific exploit or something like ISR-Evilgrade. However, it does wonders for simple macro and drive-by attacks.
If I had to choose between SRP/AppLocker and AV… I would choose path-based SRP/AppLocker.
HTH!
John Strand
techie
March 29, 2017 @ 8:30 am
Thanks John, much appreciated. Hope to attend one of your live classes someday… 🙂
Michael Horch
March 30, 2017 @ 11:40 am
John,
I took 504 with you a few years ago. I don’t remember going through the vsagent instructions… I assume it’s fairly easy to set up; however, the vsagent.exe file seems to be missing from the vsagent-504 folder in your 504 extras dropbox. Maybe I’m missing it?
John
March 30, 2017 @ 2:55 pm
You can use Py2exe to convert it.
It’s what we do.
Please send me an email OOB if you have any questions.
John
Ron A.
March 31, 2017 @ 2:57 am
Cylance makes a lot of noise in the market, and this is their biggest strength. I heard that they admit that they can’t match unknown-unknown sophisticated malware, ransomware, APTs or zero-days.
So it depends on your security needs. I believe that Cylance is a good NGAV, but not good enough. Their partners say that in real life cases this SW is bypassed. I think that this product is just a temporary step to a bigger step that needs to be applied in the endpoint cyber security arena.
Fred Schlipp
April 5, 2017 @ 8:27 am
Many ‘next gen’ security products are marketing spin. Most of them lack self-protection and can easily be defeated by a serious adversary.
Stephen Smith
April 7, 2017 @ 6:17 am
I wouldn’t limit that statement to “Next-Gen” solutions. All legacy solutions can and have been bypassed as well.
KC
April 9, 2017 @ 9:21 pm
I wouldn’t call Cylance “marketing spin”. It is one of the few client protections that can detect and block malware on file and in memory without using traditional signatures. Traditional AV providers have largely failed to do that for zero-day malware. But it is a new product and will take some time to mature. Black Hills (John Strand, David Fletcher, others?) are doing a great service here. There is no one magic bullet, and for this particular security product, an application like VSAgent.exe that doesn’t perform anything suspicious in memory or to the host OS will likely evade detection. Thank you Black Hills for publishing this information!
ewiley
April 12, 2017 @ 12:38 pm
So, why am I bothering with Cylance if I have app whitelisting already?
Rob Davis
April 25, 2017 @ 9:49 am
If you have application whitelisting implemented successfully, then adding Cylance would provide only marginal additional protection.
Cylance (when configured properly) can provide script control/alerting, memory exploit protection/alerting, and port control. For example, with memory exploit protection turned on a lot of the PowerShell scripts that inject code into regsvr32.exe or explorer.exe will not work.
My recommendation is to add some type of EDR tool like Cybereason or Carbon Black Response. Our implementation of these tools would have detected all the exploits detailed in the Cylance “Bypass” blogs.
I would never depend upon any protective controls working 100% of the time. Properly operationalized EDR tools can act as a “smoke alarm” or “trip wire” when these controls don’t work as expected.