Bypassing Cylance: Part 1 – Using VSAgent.exe

David Fletcher //

Recently, we had the opportunity to test a production Cylance environment. Obviously, each environment is going to be different and the efficacy of security controls rely largely on individual configuration. However, the posts over the next several days illustrate our observations in one such environment. Different configurations and sound application of defense-in-depth will obviously yield different results.

This week we will illustrate the techniques that worked for getting command and control communication within the environment. It should be noted that the environment did not have an effective application whitelisting implementation in place during testing. In addition, access to cmd.exe and powershell_ise.exe were not restricted. This series will start with non-traditional C2 channels first.

VSAgent.exe

BHIS has a custom C2 tool called VSAgent (get it at John’s 504 DropBox tinyurl.com/504extra2) which uses the ViewState parameter in a well-formed HTML page to communicate commands and their results between the C2 server and client. The ViewState parameter is commonly used in ASP.NET web applications to maintain state between the client and server. Because this field is so commonly observed and is base64 encoded and optionally encrypted when in legitimate use, it is a difficult target to inspect.

In this case, the vsagent.exe client was simply downloaded to the target computer and executed.

The Cylance instance did not detect or prevent the vsagent.exe tool from executing and establishing a C2 channel. Because of this, other compensating controls should be in place to prevent this behavior.  

For example, web content filtering could be used to prevent download of executable files. However, this can typically be bypassed by downloading the file in a different format or an encrypted/compressed archive then unpacking the file on the target host. Alternatively, a malicious employee or an attacker may deliver a tool like this using removable media.  

A more appropriate countermeasure would be properly implemented application whitelisting. When application whitelists are based on file signatures they are notoriously difficult to bypass and require techniques such as the use of rundll32.exe, installutil.exe, or msbuild.exe.

____

Editor’s Note: This is part one of a special week-long five-part series about bypassing Cylance by David. Check back for parts 2-5!)