Endpoint Protection


Killing the SEP service


  • 1.  Killing the SEP service

    Posted Sep 04, 2018 08:53 AM

    Hello everyone, recently we had a PT assessment in our SEP environment and the PT team reported that they were able to successfully kill/bypass the SEP service. They also had a tool which they ran and it disables SEP. Also they used the taskkill command in cmd with local admin privileges and they bypassed it. Even though we already have the below enabled on the SEP side:

    1. Password protection is enabled to stop the service. Verified it: if someone tries to do smc -stop, we are prompted to supply the password.
    2. Password protection is enabled to uninstall the agent. Tried to uninstall from Control Panel, we are prompted to supply the password.
    3. If we go to the task tray and right-click on the SEP shield, Disable Symantec Endpoint Protection is greyed out.
    4. Tamper Protection is enabled and the action for it is Block and Log.

    I also came across the below article and it works like this.

    https://www.symantec.com/connect/forums/how-prevent-ccsvchstexe-proccess-getting-killed-taskkill-command

    I am wondering how the SEP service can get killed even though Tamper Protection is already enabled.



  • 2.  RE: Killing the SEP service

    Posted Sep 04, 2018 08:53 AM

    Use the ADC policy to protect SEP services. Otherwise, it's a question for support/engineering.



  • 3.  RE: Killing the SEP service

    Posted Sep 04, 2018 09:39 AM

    Admin user can kill the service...

    https://www.symantec.com/connect/articles/who-killed-symantec-endpoint-protection



  • 4.  RE: Killing the SEP service

    Posted Sep 04, 2018 09:47 AM

    Interesting comment rafeeq. That means if the privileges are escalated to local admin, the SEP service can be killed, even if Tamper Protection or password protection is in place?



  • 5.  RE: Killing the SEP service

    Posted Sep 04, 2018 09:47 AM

    Use the ADC policy for protecting SEP services/registry.



  • 6.  RE: Killing the SEP service

    Posted Sep 04, 2018 09:49 AM

    Hello Brian, which ADC policy are you referring to? Is there any default policy for this or do you have any other policy? Thanks



  • 7.  RE: Killing the SEP service

    Posted Sep 04, 2018 09:52 AM

    Called: "Protect client files and registry keys"



  • 8.  RE: Killing the SEP service

    Posted Sep 04, 2018 10:55 AM

    Yes, to mitigate this you need to use the ADC.



  • 9.  RE: Killing the SEP service

    Posted Sep 04, 2018 11:39 AM

    Hi SymSpec,

    Once a skilled attacker has physical access or admin access to a machine, there's little that they cannot do. That is one reason why I am a big fan of the principle of least privilege. https://en.wikipedia.org/wiki/Principle_of_least_privilege

    Mature security products like SEP, with the right precautions and measures in place, should be safe from commands, etc. that non-admin users (and programs running as non-admin) can throw at it.

    Hope this helps!



  • 10.  RE: Killing the SEP service

    Posted Sep 04, 2018 01:55 PM
    Mick make it simple :)


  • 11.  RE: Killing the SEP service
    Best Answer

    Posted Sep 04, 2018 09:08 PM

    Tamper Protection should be helping block this type of attack. If you have everything configured correctly and it's not working, please open a Support case.

    Here's what it looks like in my lab:

    [Screenshot: SEP Taskkill Test]

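    A defender-side check related to the lab test above, added here as an example and not code from any poster or from Symantec: it confirms the SEP client service is still running with automatic start and lists Service Control Manager stop transitions (event 7036) for it, so a blocked or successful stop attempt can be reviewed. It assumes the service name SepMasterService and the process name ccSvcHst, which you should verify against your own client build.

```powershell
# Added example (not from the thread): verify SEP service health after a stop
# attempt and pull SCM stop events for it. Assumed names: 'SepMasterService'
# (service) and 'ccSvcHst' (process); confirm on your own SEP build.
param(
    [string]$ServiceName  = 'SepMasterService',
    [int]$LookbackHours   = 24
)

function Test-SepServiceHealth {
    param([string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) {
        return [pscustomobject]@{ Service = $Name; Present = $false; Running = $false
                                  StartMode = $null; ProcessUp = $false }
    }
    $proc = Get-Process -Name 'ccSvcHst' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service   = $Name
        Present   = $true
        Running   = ($svc.State -eq 'Running')
        StartMode = $svc.StartMode          # expect 'Auto' on a healthy client
        ProcessUp = [bool]$proc
    }
}

function Get-SepStopEvents {
    param([string]$DisplayName, [int]$Hours)
    # Event 7036 records every service state transition; keep only "stopped"
    # transitions whose message names the SEP service.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$DisplayName*" -and $_.Message -like '*stopped*' } |
        Select-Object TimeCreated, Message
}

$health = Test-SepServiceHealth -Name $ServiceName
$health | Format-List
if (-not $health.Present -or -not $health.Running -or $health.StartMode -ne 'Auto') {
    Write-Warning "SEP service is absent, stopped, or not set to automatic start; review Tamper Protection and ADC policy."
}
$display = (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue).DisplayName
if ($display) {
    Get-SepStopEvents -DisplayName $display -Hours $LookbackHours | Format-Table -AutoSize
}
```

    Run it elevated on the test machine after the taskkill test; a blocked attempt should leave the service running and no 7036 "stopped" entry, while a successful kill shows up in the event list.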


  • 12.  RE: Killing the SEP service

    Posted Sep 05, 2018 10:48 AM
    Thanks Adam for the reply.


  • 13.  RE: Killing the SEP service

    Posted Sep 05, 2018 10:50 AM

    Works now?



  • 14.  RE: Killing the SEP service

    Posted Sep 05, 2018 01:01 PM

    Hello SymSpec,

    did you finally open a support case? This threat is very interesting and I would like to know the final results.

    Regards,

    Juan



  • 15.  RE: Killing the SEP service

    Posted Sep 05, 2018 02:50 PM
    Yeah, I tried it on one of the machines. Tried taskkill in cmd; Tamper Protection blocked it and logged the event. Will raise this with the internal PT team for their feedback on this.



  • 17.  RE: Killing the SEP service

    Posted Sep 18, 2018 07:12 AM

    Hello,

    any update on this?

    regards,

    Juan