Bypassing Cylance: Part 4 – Metasploit Meterpreter & PowerShell Empire Agent

David Fletcher //

The following techniques serve to illustrate methods for obtaining C2 communication in a particular Cylance-protected environment. The configuration of the centralized infrastructure and the endpoint agents was not inspected prior to testing. The environment may exhibit configuration errors and may not conform with best practice for deployment of Cylance infrastructure. However, in our experience, misconfiguration is not uncommon and more often than not has catastrophic results for the overall security posture of an environment. This is the reason that we test deployments before accepting their stated protection levels at face value. In addition, these posts serve to illustrate the necessity for defense-in-depth. In each instance where C2 establishment was successful, a secondary or tertiary control could have (and should have) compensated for the failure of the initial control. Layered defense is a critical element of protection in any environment, and organizations must face the fact that there is no silver bullet for information security. Don’t miss part 1, using VSAgent; part 2, about using DNScat2; and part 3, where David used Netcat and Nishang.

After establishing successful C2 communication with several different tools using various protocols, two more traditional payloads were attempted. The first was Metasploit’s Meterpreter and the second was a PowerShell Empire Agent.

Before diving into the details of each of the agents, it was necessary to get PowerShell interpreter access on the target host. Surprisingly, the method that worked was renaming the native PowerShell.exe interpreter. After renaming the executable, Cylance no longer prevented execution of PowerShell within this environment.
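The renaming described above is visible in process-creation telemetry that records the executable's embedded version information, because renaming the file on disk does not change the PE's OriginalFileName. The following is an added detection example, not code from the original post: it runs over constructed records shaped like Sysmon Event ID 1 (field names Image, OriginalFileName, CommandLine and ParentImage follow Sysmon's schema; the paths and command lines are made up) and flags any process whose OriginalFileName belongs to a PowerShell host but whose on-disk name does not match.

```python
import ntpath

# Known PE OriginalFileName values for PowerShell hosts, mapped to the image
# basename they normally run under. Windows PowerShell's powershell.exe carries
# "PowerShell.EXE"; PowerShell 7's pwsh.exe carries "pwsh.dll".
EXPECTED_IMAGE_NAME = {
    "powershell.exe": "powershell.exe",
    "pwsh.dll": "pwsh.exe",
}

# Constructed sample records resembling Sysmon Event ID 1 (process creation).
# Hostnames, users and command lines are invented for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",   # renamed interpreter
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "svchost.exe -NoP -W Hidden -Enc <base64-omitted>",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",                # the real svchost
     "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Tools\ps.exe",                                 # renamed pwsh.exe
     "OriginalFileName": "pwsh.dll",
     "CommandLine": "ps.exe -c Get-Process",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # Security event 4688 carries no OriginalFileName; such a record cannot
     # be classified by this check and is left alone.
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1",
     "ParentImage": r"C:\Windows\System32\taskeng.exe"},
]


def is_renamed_interpreter(event):
    """True when the PE identifies itself as a PowerShell host but the file name differs."""
    original = event.get("OriginalFileName", "").lower()
    expected = EXPECTED_IMAGE_NAME.get(original)
    if expected is None:          # not a PowerShell host, or field absent
        return False
    actual = ntpath.basename(event.get("Image", "")).lower()
    return actual != expected


def find_renamed_interpreters(events):
    """Return the image paths of every event that looks like a renamed PowerShell host."""
    return [e["Image"] for e in events if is_renamed_interpreter(e)]


if __name__ == "__main__":
    for image in find_renamed_interpreters(SAMPLE_EVENTS):
        print("renamed PowerShell host:", image)
```

The check only works with a telemetry source that exposes the PE's version information (Sysmon, or an EDR that records it); Windows Security event 4688 does not carry OriginalFileName, so the last sample record is deliberately unclassified rather than guessed at. Pairing this with a rule on the renamed process's child processes or module loads (for example System.Management.Automation.dll loading from an unexpected image) gives a second signal that does not depend on the file name at all.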

Metasploit Meterpreter

The Cylance agent was very effective at detecting and eradicating instances of Metasploit Meterpreter. The Meterpreter payload (32-bit and 64-bit) was delivered to the target host in both unencoded and encoded forms, with stage encoding enabled, in the following package formats, and a resulting shell was never achieved.

  • Staged Meterpreter Msfvenom Payload
  • Staged Meterpreter Msfvenom Payload using Alternate EXE Template
  • Stageless Meterpreter Msfvenom Payload
  • DLL injection using RunDLL32.exe
  • Uninstall execution using InstallUtil.exe
  • PowerShell execution using “PowerShell without PowerShell” technique
  • Modified Unicorn PowerShell payload
  • Import-ShellCode and Inject-ShellCode

Several PowerShell payloads were attempted. However, many of the Metasploit payloads make subsequent calls to the native PowerShell interpreter. These payloads were decoded, modified and re-encoded to use the renamed PowerShell interpreter. However, each time the PowerShell payload was executed, the ensuing process was blocked by Cylance. This same response was observed for each of the Meterpreter payloads delivered to the host.

In the interest of time, other less powerful Metasploit payloads were not attempted.

PowerShell Empire Agent

After gaining access to the native PowerShell interpreter by renaming the executable, PowerShell Empire agent C2 could be obtained with minimal modification.

First, the launcher stager PowerShell payload was generated as seen below.

Then the interpreter path in the stager was altered to match the renamed interpreter on the host.

After execution, a PowerShell Empire agent callback was observed from the target host.

This initial agent was executed with the default listener properties provided by PowerShell Empire. The beaconing behavior (five-second intervals) was identified by Cylance and prevented after roughly three hours of agent communication.

However, the communication profile of the agent was altered to include jitter and requests to non-default resources as described in this blog post by Carrie Roberts. With the agent configured to communicate in this manner, the C2 channel went undetected for more than 24 hours.
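The two outcomes above (a fixed five-second beacon caught after roughly three hours, a jittered beacon to rotating resources uncaught after more than 24 hours) are exactly the gap between a detector that looks for identical request gaps and one that measures regularity. The following is an added example, not code from the original post or from Empire: it parses constructed proxy log lines (timestamp, client, host, method, path, status; hostnames and paths are invented) and compares a naive fixed-interval check with a jitter-tolerant one based on the coefficient of variation (standard deviation divided by mean) of the gaps between requests for each client/host pair.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def make_lines(client, host, paths, start, gaps):
    """Build constructed proxy log lines: one request at start, then one per gap (seconds)."""
    lines, t = [], start
    for i, gap in enumerate([0] + gaps):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} {client} {host} GET {paths[i % len(paths)]} 200")
    return lines


START = datetime(2017, 1, 10, 9, 0, 0)
# Constructed traffic: a fixed 5 s beacon, a 5 s beacon with jitter that also
# rotates request paths, and an irregular pattern resembling a person browsing.
DEFAULT_GAPS = [5] * 14
JITTERED_GAPS = [4, 6, 5, 7, 3, 5, 6, 4, 5, 7, 4, 6, 5, 3]
HUMAN_GAPS = [1, 40, 3, 600, 2, 1, 900, 15, 5, 1200, 2, 30, 8, 400]

SAMPLE_LINES = (
    make_lines("10.1.2.3", "default-c2.invalid", ["/index.asp"], START, DEFAULT_GAPS)
    + make_lines("10.1.2.4", "jitter-c2.invalid", ["/news.php", "/login/check.php", "/admin/get.php"], START, JITTERED_GAPS)
    + make_lines("10.1.2.5", "news.example.invalid", ["/", "/sports", "/weather"], START, HUMAN_GAPS)
)


def parse_line(line):
    """Split one log line into (timestamp, client, host, path)."""
    ts, client, host, _method, path, _status = line.split()
    return datetime.fromisoformat(ts), client, host, path


def intervals_by_pair(lines):
    """Map each (client, host) pair to the sorted list of gaps (seconds) between its requests."""
    times = defaultdict(list)
    for ts, client, host, _path in map(parse_line, lines):
        times[(client, host)].append(ts)
    gaps = {}
    for pair, ts_list in times.items():
        ts_list.sort()
        gaps[pair] = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
    return gaps


def fixed_interval_beacons(lines, min_requests=10):
    """Naive check: a pair is a beacon only if every gap is identical. Any jitter defeats it."""
    return sorted(pair for pair, gaps in intervals_by_pair(lines).items()
                  if len(gaps) + 1 >= min_requests and len(set(gaps)) == 1)


def jitter_tolerant_beacons(lines, min_requests=10, max_cv=0.5):
    """Regularity check: flag pairs whose gaps have a low coefficient of variation.

    Jitter of a few tens of percent keeps the CV well under 0.5, while human
    browsing produces gaps spread over orders of magnitude (CV above 1).
    """
    hits = []
    for pair, gaps in intervals_by_pair(lines).items():
        if len(gaps) + 1 < min_requests:
            continue
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            hits.append(pair)
    return sorted(hits)


if __name__ == "__main__":
    print("fixed-interval detector:", fixed_interval_beacons(SAMPLE_LINES))
    print("jitter-tolerant detector:", jitter_tolerant_beacons(SAMPLE_LINES))
```

Because the regularity statistic is computed per client/host pair from timestamps alone, rotating the requested resource does nothing to evade it; the request count threshold and the CV cutoff are the knobs to tune against a baseline of the environment's own traffic, and both beacons in the sample are caught at the defaults while the irregular pattern is not.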