• Home

  • Software

  • Bypassing cisco’s sourcefire amp endpoint solution – full demo
13
Bypassing Cisco’s Sourcefire AMP endpoint solution – Full demo & comparison with RSA NWE This article will demonstrate one of the key differences between NG AV endpoint protection and EDR solutions such as RSA NetWitness for Endpoints. In this article, we will demonstrate how Cisco’s endpoint protection solutions Sourcefire AMP is easily bypassed by performing a buffer overflow and in-memory post exploitation activities. This test was performed on a fully patched Windows 10 machine with an active MS Defender, MS Firewall, Cisco AMP & RSA NWE agent installed. The setup used for this test was the following: Windows 10 client protection verification

Bypassing cisco’s sourcefire amp endpoint solution – full demo

Embed Size (px)

Citation preview

Page 1: Bypassing cisco’s sourcefire amp endpoint solution – full demo

Bypassing Cisco’s Sourcefire AMP endpoint solution – Full demo & comparison with RSA NWE

This article will demonstrate one of the key differences between NG AV endpoint protection and EDR solutions such as RSA NetWitness for Endpoints. In this article, we will demonstrate how Cisco’s endpoint protection solutions Sourcefire AMP is easily bypassed by performing a buffer overflow and in-memory post exploitation activities. This test was performed on a fully patched Windows 10 machine with an active MS Defender, MS Firewall, Cisco AMP & RSA NWE agent installed.The setup used for this test was the following:

Windows 10 client protection verification

Page 2: Bypassing cisco’s sourcefire amp endpoint solution – full demo

Vulnerable application is installed and running

Cisco SourceFire AMP does not find any issues on the clean machine

Page 3: Bypassing cisco’s sourcefire amp endpoint solution – full demo

AMP tracking information does not highlight any suspicious activities

RSA NWE does not find any suspicious activities on the clean machine

Page 4: Bypassing cisco’s sourcefire amp endpoint solution – full demo

Attacker – KALI setting up exploit & payload module

Page 5: Bypassing cisco’s sourcefire amp endpoint solution – full demo

Running remote buffer overflow exploit

No alerting from either Cisco AMP or MS Defender…

Page 6: Bypassing cisco’s sourcefire amp endpoint solution – full demo

Attacker runs additional post exploitation activities such as a keylogger

Attacker searches and downloads password.txt & creates a screenshot

Page 7: Bypassing cisco’s sourcefire amp endpoint solution – full demo

Attacker performs a ARP network scan

Attacker start an interactive SHELL and runs WHOAMI & IPCONFIG commands

Page 8: Bypassing cisco’s sourcefire amp endpoint solution – full demo

Still no alerting from either Cisco AMP or MS Defender…

Cisco AMP does not detect or notifies on exploit and post exploit activities….

Page 9: Bypassing cisco’s sourcefire amp endpoint solution – full demo

Now let’s look at RSA NWE

Page 10: Bypassing cisco’s sourcefire amp endpoint solution – full demo
Page 11: Bypassing cisco’s sourcefire amp endpoint solution – full demo
Page 12: Bypassing cisco’s sourcefire amp endpoint solution – full demo
Page 13: Bypassing cisco’s sourcefire amp endpoint solution – full demo

Sourcefire Vulnerability Research Team Labs

Sourcefire Vulnerability Research Team Labs

Technology
Sourcefire 3D システム - Cisco...バージョン 5.3 Sourcefire 3D システム仮想インストール ガイド 5 仮想アプライアンスの概要 Sourcefire 3D System 仮想アプライアンス

Sourcefire 3D システム - Cisco...バージョン 5.3 Sourcefire 3D システム仮想インストール ガイド 5 仮想アプライアンスの概要 Sourcefire 3D System 仮想アプライアンス

Documents
Cisco, Sourcefire and Lancope - Better Together

Cisco, Sourcefire and Lancope - Better Together

Technology
Cisco’s Secure Access Control Server (ACS) ACS: Cisco’s AAA server A centralized access control solution Supports both RADIUS and TACACS+ Supports Cisco’s

Cisco’s Secure Access Control Server (ACS) ACS: Cisco’s AAA server A centralized access control solution Supports both RADIUS and TACACS+ Supports Cisco’s

Documents
Bypassing Waf

Bypassing Waf

Documents
Sourcefire SSL Appliance 2000/8200 Getting Started Guide, v3...You should only use the Sourcefire SSL appliance if you agree to these licensing condi-tions; see the Sourcefire SSL

Sourcefire SSL Appliance 2000/8200 Getting Started Guide, v3...You should only use the Sourcefire SSL appliance if you agree to these licensing condi-tions; see the Sourcefire SSL

Documents
Atos - Information Security APT Service (SourceFire) - SCS

Atos - Information Security APT Service (SourceFire) - SCS

Documents
Sourcefire семинар

Sourcefire семинар

Technology
Cisco’s Supply Chain Digitized (Sept18) · Cisco’s Supply Chain Digitized Drive an Agile and Adaptive Supply Chain SrDirector Supply Chain Operations EMEAR. ... Cisco’s Supply

Cisco’s Supply Chain Digitized (Sept18) · Cisco’s Supply Chain Digitized Drive an Agile and Adaptive Supply Chain SrDirector Supply Chain Operations EMEAR. ... Cisco’s Supply

Documents
Bypassing Av

Bypassing Av

Documents
Sourcefire FireAMP

Sourcefire FireAMP

Technology
Enabling Cisco’s Advanced Service Deliverables Through ... Conference 2010... · Enabling Cisco’s Advanced Service Deliverables Through Knowledge. ... Enabling Cisco’s Advanced

Enabling Cisco’s Advanced Service Deliverables Through ... Conference 2010... · Enabling Cisco’s Advanced Service Deliverables Through Knowledge. ... Enabling Cisco’s Advanced

Documents
Sourcefire 3D System - Cisco · Version 5.3 Sourcefire 3D System eStreamer Integration Guide 9 Table of Contents

Sourcefire 3D System - Cisco · Version 5.3 Sourcefire 3D System eStreamer Integration Guide 9 Table of Contents

Documents
Cisco’s Agile Journey

Cisco’s Agile Journey

Technology
Sourcefire, Inc. (FIRE)

Sourcefire, Inc. (FIRE)

Documents
Sourcefire FireAMP Datasheet

Sourcefire FireAMP Datasheet

Documents
Sourcefire 3D System Administrator Guide v4.9.1

Sourcefire 3D System Administrator Guide v4.9.1

Documents
Sourcefire 3D System Virtual Installation Guide v5.2

Sourcefire 3D System Virtual Installation Guide v5.2

Documents
Wp Bypassing Captchas

Wp Bypassing Captchas

Documents
Cisco’s acquisition strategy

Cisco’s acquisition strategy

Leadership & Management
Module Support on Cisco’s

Module Support on Cisco’s

Documents
Gowdiak Bypassing Firewalls

Gowdiak Bypassing Firewalls

Documents
Sourcefire 3D System Installation Guide v5.2

Sourcefire 3D System Installation Guide v5.2

Documents
Sourcefire Defense Center

Sourcefire Defense Center

Technology
Modified slides from Martin Roesch Sourcefire Inc

Modified slides from Martin Roesch Sourcefire Inc

Documents
Sourcefire to Cisco Licensing Delta Guide · 2017-08-18 · Sourcefire to Cisco – Licensing Delta Guide Licensing Delta Guide ... Software download for the Sourcefire products are

Sourcefire to Cisco Licensing Delta Guide · 2017-08-18 · Sourcefire to Cisco – Licensing Delta Guide Licensing Delta Guide ... Software download for the Sourcefire products are

Documents
Martin Roesch Sourcefire Inc

Martin Roesch Sourcefire Inc

Documents
Sourcefire 3D System Release Notes Verison 5.3.0 · For detailed information on the Sourcefire 3D System, refer to the online help or download the Sourcefire 3D System User Guide

Sourcefire 3D System Release Notes Verison 5.3.0 · For detailed information on the Sourcefire 3D System, refer to the online help or download the Sourcefire 3D System User Guide

Documents
Waf bypassing Techniques

Waf bypassing Techniques

Education
Bypassing waf advanced

Bypassing waf advanced

Documents