Full Report
On a recent red-team I was given a client laptop from which I was expected to simulate an insider-threat/employee laptop compromise scenario over their VPN. I was given a normal employee user account and did not have local administrator privileges. The laptop itself was riddled with security products and snitchware, threatening to report back every action taken on the system to the SOC/SIEM. My first objective was to obtain local administrative access, so that I could disable these security products.
Analysis Summary
# Tool/Technique: BitLocker Suspension Bypass
## Overview
This describes a technique for gaining full read/write access to a machine's file system by exploiting the configuration state in which BitLocker protection is *suspended*. While suspended, the volume stays encrypted but BitLocker stores a clear key on the disk itself, so anyone who can boot the machine from external media can unlock the volume and turn encryption off with `manage-bde -off`, needing neither the recovery key nor administrative rights on the live OS.
## Technical Details
- Type: Technique
- Platform: Windows with BitLocker (the article's target was a Windows 10 corporate laptop)
- Capabilities: Bypassing full-disk encryption when BitLocker protection is suspended; decrypting the volume and obtaining raw disk access from an external boot environment.
- First Seen: Not specified; suspension is documented BitLocker behaviour rather than a discovered bug. The article was published March 28, 2023.
## MITRE ATT&CK Mapping
- TA0005 - Defense Evasion
- T1542 - Pre-OS Boot (closest fit: booting the machine into an external OS, beneath the live system and its security agents; ATT&CK has no dedicated technique for booting removable media)
- T1006 - Direct Volume Access (reading and modifying the volume from outside the running OS, bypassing its file permissions and monitoring)
- T1562 - Impair Defenses
- T1562.001 - Disable or Modify Tools (editing the disk offline to remove or disable security products such as CrowdStrike Falcon)
- TA0004 - Privilege Escalation (offline write access to the system volume yields code execution as `SYSTEM` on the next boot)
- TA0006 - Credential Access
- T1003 - OS Credential Dumping (enabled by the subsequent disk access)
## Functionality
### Core Capabilities
- **Decryption via External OS:** Boot the laptop from Windows Setup media, open a command prompt (Shift+F10) and inspect the volume with `manage-bde -status`. A suspended volume reports `Conversion Status: Fully Encrypted` alongside `Protection Status: Protection Off`. Because the clear key unlocks the volume without any protector, `manage-bde -off C:` then decrypts it in place (the drive letter inside the setup environment may differ from `C:`; `manage-bde -status` lists what is present). Once the conversion finishes, the disk is plaintext for any OS booted afterwards.
- **Key Exposure:** Suspension does not remove the key protectors (TPM, recovery password); it adds a clear key, stored unprotected in the volume metadata, that wraps the volume master key. Anyone who can read the disk therefore holds everything needed to unlock it, which is why pre-boot authentication offers no protection while the volume is suspended.
### Advanced Features
- **Raw Disk Access:** Once decrypted, the drive can be mounted and manipulated using a Linux Live system.
- **Post-Compromise Actions:** Allowed planting of backdoors that run as `SYSTEM`, clearing logs, or disabling security agents like CrowdStrike Falcon.
## Indicators of Compromise
- File Hashes: N/A (Technique, not specific malware)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: The decryption itself runs from an external boot environment, so the live OS records nothing of it. What can be observed is the state before and after: before the reboot, a fully encrypted OS volume reporting `Protection Status: Protection Off` (`manage-bde -status`, or `Get-BitLockerVolume` showing `ProtectionStatus: Off` with `VolumeStatus: FullyEncrypted`); after it, the same volume reporting `Fully Decrypted` with `Key Protectors: None Found`, plus an unexplained period during which the device was offline.
## Associated Threat Actors
- Insider Threat Simulation (Red Team Operation)
## Detection Methods
- **Signature-based detection:** N/A
- **Behavioral detection:** The step visible to the live OS is the suspension, not the bypass: alert on `manage-bde -protectors -disable`, `Suspend-BitLocker` or the `Win32_EncryptableVolume` WMI method behind them when they run outside sanctioned maintenance (firmware and feature updates typically suspend for a single reboot). Fleet-wide, inventory the BitLocker protection status and treat any OS volume that stays at `Protection Off` past its expected reboot, or that transitions to `Fully Decrypted`, as an incident rather than compliance drift.
- **YARA rules if available:** N/A
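The fleet-wide check above, as an added example that is not part of the original article: it parses `manage-bde -status` output as collected from hosts (the three reports are constructed to mirror the real output format) and classifies each volume so that suspended and decrypted OS volumes can be escalated. The field names and status strings are those `manage-bde` prints; hostnames and volume details are invented for the sample.

```python
"""Classify BitLocker state from collected `manage-bde -status` output.

Added example, not code from the original article. It parses the text that
`manage-bde -status` prints, as it would arrive in an inventory or SIEM, and
flags OS volumes that are fully encrypted but report "Protection Off"
(suspended: a clear key is on disk) or that have been fully decrypted.
The three host reports below are constructed to mirror real manage-bde output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_INVENTORY: Dict[str, str] = {
    # Healthy: fully encrypted, protectors present, protection on.
    "LT-0412": """\
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Key Protectors:
        TPM
        Numerical Password
""",
    # Suspended: still encrypted, protectors still listed, but protection off.
    "LT-0587": """\
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Key Protectors:
        TPM
        Numerical Password
""",
    # Decrypted: what `manage-bde -off C:` leaves behind.
    "LT-0603": """\
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Decrypted
    Encryption Method:    None
    Protection Status:    Protection Off
    Key Protectors:       None Found
""",
}

# One block per "Volume X: [label]" header, running to the next header or end of text.
VOLUME_RE = re.compile(r"^Volume ([A-Z]): \[(.*?)\]\n(.*?)(?=^Volume [A-Z]: \[|\Z)", re.M | re.S)
# "    Field: value" lines; a bare "Key Protectors:" line carries no value and is skipped here.
FIELD_RE = re.compile(r"^ {4}([A-Za-z ]+?):[ \t]+(\S.*)$", re.M)
# Protectors: "None Found" on the same line, or one 8-space-indented name per following line.
PROTECTORS_RE = re.compile(r"^ {4}Key Protectors:[ \t]*(.*)\n((?: {8}.+\n?)*)", re.M)


@dataclass
class Finding:
    host: str
    volume: str
    label: str
    state: str          # PROTECTED | SUSPENDED | DECRYPTED | IN_PROGRESS | UNKNOWN
    protectors: List[str]
    alert: bool


def classify(conversion: str, protection: str) -> str:
    if conversion == "Fully Encrypted" and protection == "Protection On":
        return "PROTECTED"
    if conversion == "Fully Encrypted" and protection == "Protection Off":
        return "SUSPENDED"  # clear key on disk: unlockable from any boot medium
    if conversion == "Fully Decrypted":
        return "DECRYPTED"
    if "in Progress" in conversion:
        return "IN_PROGRESS"
    return "UNKNOWN"


def parse_protectors(body: str) -> List[str]:
    m = PROTECTORS_RE.search(body)
    if not m:
        return []
    inline, listed = m.group(1).strip(), m.group(2)
    if inline:
        return [] if inline.lower() == "none found" else [inline]
    return [line.strip() for line in listed.splitlines() if line.strip()]


def parse_status(host: str, text: str) -> List[Finding]:
    findings = []
    for volume, label, body in VOLUME_RE.findall(text):
        fields = {k.strip(): v.strip() for k, v in FIELD_RE.findall(body)}
        state = classify(fields.get("Conversion Status", ""), fields.get("Protection Status", ""))
        findings.append(Finding(host, volume, label, state, parse_protectors(body),
                                alert=state != "PROTECTED"))
    return findings


def audit(inventory: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Per host, one Finding per volume; alert is set on anything but PROTECTED."""
    return {host: parse_status(host, text) for host, text in inventory.items()}
```

A suspended volume is the one to act on immediately: it is still "encrypted" on every dashboard, yet unlockable by anyone holding the laptop. Resuming protection (`manage-bde -protectors -enable C:`) removes the clear key; a volume already at `Fully Decrypted` needs re-encryption and a review of where the device has been.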
## Mitigation Strategies
- **Configuration Hardening:** Suspension is only meant to last across a maintenance reboot. Suspend with a reboot count (`manage-bde -protectors -disable C: -RebootCount 1`, `Suspend-BitLocker -RebootCount 1`) so protection resumes automatically, and have MDM/compliance policy require `ProtectionStatus: On` before a device may reach the VPN or corporate resources. A laptop should never be handed to an untrusted user while suspended.
- **Firmware Enforcement:** Secure Boot does not help here: Windows Setup media is Microsoft-signed and boots with Secure Boot on, and so do shim-signed Linux live images. What blocks the external boot is the firmware: set a BIOS/UEFI administrator password, disable booting from USB and the network, and lock the boot order so it cannot be changed without that password. Keep TPM-bound protectors (TPM+PIN for high-risk users), but understand that protectors are irrelevant while a clear key is present; the control is keeping protection on, not adding protectors.
## Related Tools/Techniques
- **Tools Used:** `manage-bde` (Native Windows Tool), `dd` (Linux utility), `VBoxManage` (VirtualBox utility).
- **Techniques:** Full Disk Encryption Circumvention, Privilege Escalation via Local Access.
***
# Tool/Technique: Disk Cloning and Virtualization (P2V Simulation)
## Overview
This describes cloning the entire physical hard drive of the compromised laptop to an image file, converting it into a VirtualBox-compatible format (VMDK), and running it as a persistent, snapshot-able virtual machine. The VM becomes the working copy: security products are removed and noisy tooling such as Mimikatz is run there, while the physical laptop is never modified by the experiments.
## Technical Details
- Type: Technique/Tool Usage Chain
- Platform: Windows (Source), Linux/VirtualBox (Host environment)
- Capabilities: Creation of ephemeral, snapshot-enabled testing environment based on the real corporate machine image.
- First Seen: Not specified; process common in forensic operations and red teaming.
## MITRE ATT&CK Mapping
- TA0005 - Defense Evasion
- T1006 - Direct Volume Access (imaging `/dev/sda` from a Linux live system, below the Windows file system and any agent that runs on it)
- T1564.006 - Hide Artifacts: Run Virtual Instance (operating the stolen image inside VirtualBox, where snapshot reverts erase every trace of an experiment)
- T1562.001 - Impair Defenses: Disable or Modify Tools (removing the EDR from the VM copy)
- TA0006 - Credential Access
- T1003 - OS Credential Dumping (Mimikatz run against the VM copy)
- TA0004 - Privilege Escalation (the `SYSTEM` access obtained via the BitLocker bypass is the precondition for this step)
- TA0008 - Lateral Movement (potentially, if the VM is later used to reach the domain over the VPN)
## Functionality
### Core Capabilities
- **Disk Imaging:** Using `dd` to create a raw image (`laptop.img`) of the decrypted hard drive (`/dev/sda`).
- **Format Conversion:** Using `VBoxManage convertfromraw` to transform the raw image into a VirtualBox-compatible format (`laptop.vmdk`).
- **VM Creation:** Creating a new Windows 10 VM initialized with the `laptop.vmdk`.
### Advanced Features
- **Snapshotting:** Taking a snapshot immediately after creating the VM lets the attacker revert to a pristine state after testing tooling or removing security products, so the baseline image never accumulates evidence.
- **Ease of Analysis:** Routine tasks (copying files out, taking screenshots, capturing network traffic) are easier against a VM than against a locked-down physical laptop.
- **Certificate Persistence:** The VM retained the user and machine certificates and connected to the VPN immediately, which shows the certificate private keys were not TPM-bound: a TPM-resident key would not have survived the move to different hardware.
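The imaging, conversion and VM build described above, as one procedure. This is an added example, not the article's own script; it assumes a Linux host with VirtualBox installed, the decrypted disk attached as `/dev/sda` and not mounted, enough free space for the raw image plus the VMDK, and a UEFI/GPT Windows 10 source (hence `--firmware efi`). The VM name `laptop` and the `dd` options are choices made here, not taken from the article.

```python
"""Physical-to-virtual (P2V) of the decrypted laptop disk into VirtualBox.

Added example, not the article's own script: it reproduces the chain the
article describes (dd -> VBoxManage convertfromraw -> new VM -> snapshot) as
one reviewable procedure. Assumptions: a Linux host with VirtualBox installed,
the decrypted disk attached as /dev/sda (unmounted), room in work_dir for the
raw image plus the VMDK, and a UEFI/GPT Windows 10 source (hence --firmware
efi). With execute=False it only returns the commands it would run.
"""
import shlex
import shutil
import subprocess
from pathlib import Path
from typing import List

Command = List[str]


def p2v_commands(device: str, work_dir: str, vm_name: str,
                 memory_mb: int = 8192, cpus: int = 4) -> List[Command]:
    img = str(Path(work_dir) / f"{vm_name}.img")
    vmdk = str(Path(work_dir) / f"{vm_name}.vmdk")
    return [
        # Sector-for-sector copy; conv=noerror,sync keeps going past read errors.
        ["dd", f"if={device}", f"of={img}", "bs=4M", "conv=noerror,sync", "status=progress"],
        # Wrap the raw image in a VMDK container for VirtualBox.
        ["VBoxManage", "convertfromraw", img, vmdk, "--format", "VMDK"],
        ["VBoxManage", "createvm", "--name", vm_name, "--ostype", "Windows10_64", "--register"],
        # EFI firmware for a GPT source; NAT keeps the clone off the local LAN.
        ["VBoxManage", "modifyvm", vm_name, "--memory", str(memory_mb), "--cpus", str(cpus),
         "--firmware", "efi", "--nic1", "nat"],
        ["VBoxManage", "storagectl", vm_name, "--name", "SATA", "--add", "sata",
         "--controller", "IntelAhci"],
        ["VBoxManage", "storageattach", vm_name, "--storagectl", "SATA", "--port", "0",
         "--device", "0", "--type", "hdd", "--medium", vmdk],
        # Baseline snapshot: every noisy experiment is reverted to this state.
        ["VBoxManage", "snapshot", vm_name, "take", "baseline",
         "--description", "untouched clone of the decrypted laptop disk"],
    ]


def precheck(device: str, work_dir: str) -> None:
    """Refuse to image a mounted device or to fill the working directory."""
    with open("/proc/mounts") as mounts:
        mounted = [line.split()[0] for line in mounts]
    if any(m.startswith(device) for m in mounted):
        raise RuntimeError(f"{device} (or a partition of it) is mounted; unmount it first")
    size = int(subprocess.check_output(["blockdev", "--getsize64", device]).strip())
    free = shutil.disk_usage(work_dir).free
    if free < 2 * size:  # raw image plus the VMDK copy
        raise RuntimeError(f"need about {2 * size // 2**30} GiB free in {work_dir}, "
                           f"have {free // 2**30}")


def run_p2v(device: str = "/dev/sda", work_dir: str = ".", vm_name: str = "laptop",
            execute: bool = False) -> List[Command]:
    cmds = p2v_commands(device, work_dir, vm_name)
    if execute:
        precheck(device, work_dir)
        for cmd in cmds:
            subprocess.run(cmd, check=True)  # stop at the first failure
    return cmds


if __name__ == "__main__":
    for cmd in run_p2v():  # dry run: show the plan without touching anything
        print(shlex.join(cmd))
```

Run it once with `execute=False` to review the plan, then with `execute=True` as a user who can read the block device. BitLocker is already off on the source, so the VM needs no virtual TPM; the first boot will nevertheless trip on the hardware change (new NIC, new disk controller), which is expected and is exactly the hardware-identity drift a defender can look for.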
## Indicators of Compromise
- File Hashes: N/A
- File Names: `laptop.img` (raw disk image), `laptop.vmdk` (VirtualBox disk image).
- Registry Keys: N/A
- Network Indicators: The clone authenticates to the VPN with the laptop's own certificates, so look for one device identity (machine certificate, hostname) holding sessions from two source addresses at the same time, or appearing from an address the physical laptop is not at. The clone's posture data will also show VirtualBox hardware: DMI vendor `innotek GmbH` / product `VirtualBox`, and a NIC MAC address in the `08:00:27` range.
- Behavioral Indicators: None on the corporate endpoint itself: `dd` and `VBoxManage` run on the attacker's own host against a powered-off laptop, outside every control the endpoint carries. The behavioural signal is the hardware-identity mismatch when a known hostname or agent checks in from virtual hardware.
## Associated Threat Actors
- Red Team / Penetration Testers
## Detection Methods
- **Signature-based detection:** N/A; the cloning happens on hardware the defender does not control.
- **Behavioral detection:** Compare each host's reported hardware (manufacturer, model, MAC addresses) against its inventory record and alert when a physical laptop starts reporting VirtualBox identifiers; correlate VPN sessions so that one machine certificate active from two places at once raises an alert; and watch for a device whose telemetry profile changes abruptly (new network path, missing agents) while its identity stays the same.
- **YARA rules if available:** N/A
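Both detections above, run over sample data, as an added example that is not part of the original article. The VPN export format (`key=value` per completed session), the sessions, the certificate thumbprints and the asset inventory are constructed; the VirtualBox markers (DMI vendor `innotek GmbH`, product `VirtualBox`, MAC OUI `08:00:27`) are real identifiers VirtualBox presents to a guest.

```python
"""Spot a cloned laptop identity on the VPN.

Added example, not from the original article. The write-up notes that the VM
kept the laptop's certificates and connected to the VPN at once. Two checks
follow: (1) one machine-certificate thumbprint holding sessions from different
source addresses at overlapping times, and (2) a host whose inventory record is
physical hardware now reporting VirtualBox posture (DMI vendor "innotek GmbH" /
"VirtualBox", NIC OUI 08:00:27). The key=value export format, the sessions and
the inventory below are constructed for this example.
"""
import shlex
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

VBOX_MAC_OUI = "08:00:27"
VBOX_DMI_MARKERS = ("innotek gmbh", "virtualbox")

# Constructed VPN concentrator export, one completed session per line. The two
# LT-0587 sessions overlap from different addresses and the second shows
# VirtualBox hardware; LT-0412 moves between sites on different days (benign).
VPN_LOG = """\
start=2023-03-21T08:02:11Z end=2023-03-21T16:40:00Z host=LT-0587 cert=7F3A9C01 src=198.51.100.23 mac=a4:bb:6d:10:22:33 dmi="Dell Inc."
start=2023-03-21T10:15:42Z end=2023-03-21T13:05:10Z host=LT-0587 cert=7F3A9C01 src=203.0.113.77 mac=08:00:27:5e:1a:9c dmi="innotek GmbH"
start=2023-03-21T09:00:00Z end=2023-03-21T17:30:00Z host=LT-0412 cert=C2D4E6F8 src=192.0.2.14 mac=3c:52:82:aa:bb:cc dmi="LENOVO"
start=2023-03-22T08:30:00Z end=2023-03-22T12:00:00Z host=LT-0412 cert=C2D4E6F8 src=192.0.2.99 mac=3c:52:82:aa:bb:cc dmi="LENOVO"
"""
# Constructed asset inventory: recorded hardware vendor per hostname.
INVENTORY: Dict[str, str] = {"LT-0587": "Dell Inc.", "LT-0412": "LENOVO"}


@dataclass(frozen=True)
class Session:
    host: str
    cert: str
    src: str
    start: datetime
    end: datetime
    mac: str
    dmi: str


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_vpn_log(text: str) -> List[Session]:
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in shlex.split(line))  # handles dmi="Dell Inc."
        sessions.append(Session(kv["host"], kv["cert"], kv["src"], _ts(kv["start"]),
                                _ts(kv["end"]), kv["mac"].lower(), kv["dmi"]))
    return sessions


def concurrent_identity_use(sessions: List[Session]) -> List[Tuple[str, str, str]]:
    """Same certificate active from two different source addresses at once."""
    hits = []
    for i, a in enumerate(sessions):
        for b in sessions[i + 1:]:
            overlap = a.start < b.end and b.start < a.end
            if a.cert == b.cert and a.src != b.src and overlap:
                hits.append((a.cert, a.src, b.src))
    return hits


def looks_like_virtualbox(session: Session) -> bool:
    return (session.mac.startswith(VBOX_MAC_OUI)
            or any(m in session.dmi.lower() for m in VBOX_DMI_MARKERS))


def virtual_hardware_drift(sessions: List[Session],
                           inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Hosts recorded as physical that now present VirtualBox hardware."""
    hits = []
    for s in sessions:
        recorded_virtual = any(m in inventory.get(s.host, "").lower() for m in VBOX_DMI_MARKERS)
        if looks_like_virtualbox(s) and not recorded_virtual:
            hits.append((s.host, s.src))
    return hits
```

The overlap test is what separates a clone from a user who simply moved offices: the second LT-0412 session is from a new address but a day later, so it is not flagged, whereas the two LT-0587 sessions were live at the same moment from two networks. The hardware-drift check stands on its own and fires even if the physical laptop is switched off while the clone is in use.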
## Mitigation Strategies
- **Hardware Security:** Keep BitLocker protection on with TPM-bound protectors and lock the firmware boot order; the clone is only possible because the disk could be read in the clear.
- **Identity Binding:** The VM connected to the VPN immediately because the certificate private keys lived on disk. Issue device certificates to TPM-backed, non-exportable keys and require device health attestation for VPN and conditional access, so a disk image separated from its original TPM cannot authenticate.
- **Endpoint Controls:** No control on the endpoint sees the imaging itself. Invest instead in hardware-identity drift detection in EDR/MDM inventory (a known host reporting VirtualBox DMI strings or an `08:00:27` MAC address) and in duplicate-identity alerting on the VPN.
- **Domain Hardening:** Reverting the VM to a snapshot also reverts its machine-account password, so a clone that lives on past the rotation period will eventually fall out of domain trust. Monitor computer accounts whose password changes do not line up with the scheduled rotation, and treat a domain-joined laptop that suddenly loses its secure channel as a signal worth investigating rather than a routine re-join.
## Related Tools/Techniques
- **Tools Used:** `dd`, `VBoxManage`.
- **Techniques:** Physical to Virtual (P2V) Migration, Snapshot-based Testing.
***
# Tool/Technique: CrowdStrike Falcon Agent EDR Disablement
## Overview
The attacker gained the capability to disable the CrowdStrike Falcon Agent EDR software after achieving full access to the underlying operating system disk via the BitLocker bypass/virtualization technique.
## Technical Details
- Type: Technique (Targeting Defense Evasion)
- Platform: Windows endpoint running CrowdStrike Falcon Agent
- Capabilities: Removal or disabling of a major commercial EDR solution.
- First Seen: N/A (Ongoing EDR evasion attempts are standard in advanced attacks)
## MITRE ATT&CK Mapping
- TA0005 - Defense Evasion
- T1562 - Impair Defenses
- T1562.001 - Disable or Modify Tools (Specifically targeting the EDR)
## Functionality
### Core Capabilities
- **Agent Disablement:** With the disk readable offline (mounted from Linux, or inside the VM with `SYSTEM` access), the Falcon sensor's files and its service entries in the offline `SYSTEM` registry hive can be edited or removed. Driver-based self-protection only guards the sensor while Windows is running; it cannot guard the hive and binaries while the volume is mounted by another OS.
### Advanced Features
- None specific to the agent itself are detailed, only the *intent* to disable it for subsequent exploitation (like running Mimikatz).
## Indicators of Compromise
- File Hashes: N/A
- File Names: Modification or deletion of the sensor's files under `C:\Program Files\CrowdStrike\` and of its kernel driver `CSAgent.sys` in `C:\Windows\System32\drivers\`.
- Registry Keys: Changes to the sensor's service entries, `HKLM\SYSTEM\CurrentControlSet\Services\CSFalconService` and `HKLM\SYSTEM\CurrentControlSet\Services\CSAgent` (for example `Start` set to `4`, disabled, or the keys removed).
- Network Indicators: Cessation of outbound telemetry from the endpoint to CrowdStrike infrastructure.
- Behavioral Indicators: Service stops or start-type changes for the Falcon services (Service Control Manager events 7036 and 7040 in the System log) when the change is made from a running system; no indicator at all when it is made offline, in which case the sensor simply never reports again after the next boot.
## Associated Threat Actors
- Insider Threat Simulation, Advanced Persistent Threats (APTs)
## Detection Methods
- **Signature-based detection:** N/A
- **Behavioral detection:** Alert on Service Control Manager events for `CSFalconService` and `CSAgent` (7040 start type changed, 7036 stopped) from a live system, and on anomalous writes to the sensor's binary and driver paths. For the offline case the only signal is absence: correlate the Falcon console's last-seen time per host with other evidence that the host is alive (VPN sessions, Kerberos logons) and page on sensors that stay silent while their host is active.
- **YARA rules if available:** N/A
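The absence-of-telemetry correlation and the service-event check described above, as an added example that is not part of the original article. The last-seen export, the authentication activity and the forwarded System-log lines are constructed; the event IDs (7036, 7040) and the service display name `CrowdStrike Falcon Sensor Service` / service name `CSFalconService` are the real ones, and the one-hour silence threshold is a choice made here.

```python
"""Flag hosts whose Falcon sensor went quiet while the host stayed active.

Added example, not from the original article. An offline edit to the sensor's
files or service keys produces no tamper event on the host, so the signal is
absence of telemetry: each host's EDR last-seen time (as a console export gives
it) is compared with its most recent authentication activity. A second check
scans forwarded System-log Service Control Manager events for the Falcon
service being set to disabled (7040) or stopped (7036), which is what an in-OS
attempt leaves behind. Hosts, timestamps and log lines are constructed.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

FALCON_MARKERS = ("csfalconservice", "crowdstrike falcon sensor")
SILENCE_THRESHOLD = timedelta(hours=1)


def _t(value: str) -> datetime:
    return datetime.fromisoformat(value)


# Constructed Falcon console export: last sensor heartbeat per host.
EDR_LAST_SEEN: Dict[str, datetime] = {
    "LT-0412": _t("2023-03-21T16:55:00"),
    "LT-0587": _t("2023-03-20T18:02:00"),  # silent for almost a day
    "LT-0603": _t("2023-03-21T16:50:00"),
}
# Constructed authentication activity (VPN logins, Kerberos TGT requests) per host.
AUTH_ACTIVITY: Dict[str, List[datetime]] = {
    "LT-0412": [_t("2023-03-21T16:58:00")],
    "LT-0587": [_t("2023-03-21T10:15:42"), _t("2023-03-21T12:44:00")],  # alive on the network
    "LT-0603": [],                                                       # genuinely switched off
}
# Constructed forwarded System-log lines from the Service Control Manager.
SYSTEM_LOG = """\
2023-03-21T12:31:05 LT-0587 EventID=7040 Source="Service Control Manager" Message="The start type of the CrowdStrike Falcon Sensor Service service was changed from auto start to disabled."
2023-03-21T12:31:07 LT-0587 EventID=7036 Source="Service Control Manager" Message="The CrowdStrike Falcon Sensor Service service entered the stopped state."
2023-03-21T12:40:00 LT-0412 EventID=7036 Source="Service Control Manager" Message="The Windows Update service entered the stopped state."
"""
LINE_RE = re.compile(r'^(\S+) (\S+) EventID=(\d+) .*Message="(.*)"$')


def silent_but_active(last_seen: Dict[str, datetime], activity: Dict[str, List[datetime]],
                      threshold: timedelta = SILENCE_THRESHOLD
                      ) -> List[Tuple[str, Optional[timedelta]]]:
    """Hosts that authenticated more than `threshold` after their sensor was last heard."""
    hits = []
    for host, events in activity.items():
        if not events:
            continue  # no evidence the host is up, so silence is not suspicious
        latest_auth = max(events)
        seen = last_seen.get(host)
        gap = None if seen is None else latest_auth - seen  # None: never seen at all
        if gap is None or gap > threshold:
            hits.append((host, gap))
    return hits


def falcon_service_events(log: str) -> List[Tuple[str, str, int]]:
    """SCM events that stop or disable the Falcon service. A 7036 'stopped' during a
    clean shutdown is normal; a production rule should exclude shutdown windows."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, event_id, message = m.groups()
        if int(event_id) in (7036, 7040) and any(k in message.lower() for k in FALCON_MARKERS):
            hits.append((ts, host, int(event_id)))
    return hits
```

The first check is the one that catches the article's offline variant: LT-0587 kept authenticating for hours after its sensor last checked in, which a host-side rule can never see. The second check only fires for in-OS attempts and is included because a tester who has already gained `SYSTEM` in the VM may take that shortcut instead.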
## Mitigation Strategies
- **EDR Resilience:** Enable the sensor's uninstall protection (maintenance token), which defeats in-OS removal even by `SYSTEM`, but understand that no agent-side control survives an offline edit to the disk. The sensor's real defence is the one that keeps the disk unreadable: BitLocker protection on, TPM-bound, with the firmware boot order locked. Back this with cloud-side alerting on sensors that go silent while their host is otherwise active.
- **Privilege Management:** Least privilege on the live OS did not stop this path; the escalation happened with the OS switched off. It still matters for the routes an attacker would otherwise take, and it should be paired with BitLocker compliance and device attestation as conditions for authentication, so that an offline-modified or cloned disk cannot rejoin the estate.
## Related Tools/Techniques
- BitLocker Suspension Bypass, Virtualization for Sandbox Execution.