Bypassing Cylance: Part 2 – Using DNSCat2

David Fletcher //

The following techniques serve to illustrate methods for obtaining C2 communication in a particular Cylance protected environment.  The configuration of the centralized infrastructure and the endpoint agents were not inspected prior to testing. The environment may exhibit configuration errors and may not conform with best practice for deployment of Cylance infrastructure. However, in our experience, misconfiguration is not uncommon and more times than not tends to have catastrophic results with regard to the overall security posture of an environment. This is the reason that we test deployments before accepting their stated protection levels at face value. In addition, these posts serve to illustrate the necessity for defense-in-depth. In each instance where C2 establishment was successful, a secondary or tertiary control could have (and should have) compensated for the failure of the initial control.  Layered defense is a critical element of protection in any environment and organizations must face the fact that there is no silver bullet for information security. See part one where we used VSAgent.exe  here.

DNSCat2 (Get this tool on GitHub here)

DNSCat2 – The next non-traditional Cylance bypass included the use of the DNSCat2 C2 tool. This tool establishes a C2 channel over DNS and queries and responses as its transport mechanism. In this instance, the tool could be executed with default parameters (using encryption) and an initial connection was established. However, the connection was immediately terminated.

However, starting the server without encryption resulted in session establishment as seen below.

Once again, the Cylance tools did not detect execution and C2 channel establishment using this tool. As with VSAgent, execution of this tool could have been halted using properly implemented application whitelisting techniques.