Full Report
I’ve been spending some time building new content for our Introduction to Red Teaming course, which has been great for diving into AV/EDR bypass techniques again. In this blog post, I will demonstrate how to re-weaponise the old “DoubleAgent” technique, making endpoint security products do the hacking work for us. One known vector to shimmy past AV solutions is process injection. At BlackHat 2019, a number of process injection techniques were presented by Itzik Kotler. A typical code injection implementation using known WINAPI functions, such as the combination of VirtualAlloc, WriteProcessMemory and CreateRemoteThread, is well known to endpoint security solutions and will often raise alerts. Whether static or dynamic analysis kicks in, the chances of remaining undetected when using these functions are close to NULL. Alas, the cat and mouse game keeps going endlessly.
Analysis Summary
# Tool/Technique: DoubleAgent
## Overview
DoubleAgent is a technique/vulnerability originally disclosed by Cybellum in 2017, which allows for persistent code injection into legitimate Windows processes, specifically targeting Anti-Virus (AV) and Endpoint Detection and Response (EDR) agents. The re-weaponized version discussed leverages legitimate Windows functionality, specifically the **Application Verifier**, to hook into processes upon execution, ensuring persistence even across reboots, reinstalls, or patches of the targeted software.
## Technical Details
- Type: Technique (leveraging a pre-existing application feature)
- Platform: Windows
- Capabilities: Code injection into legitimate processes (AV/EDR primarily), persistent execution across system restarts, abuse of legitimate Windows functionality (Application Verifier).
- First Seen: Disclosed in 2017 (Original vulnerability). The re-weaponization/PoC is discussed in the context of April 2020.
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
  - T1564.003 - Impersonation: Hide Artifacts (related to masquerading/hiding injected code within legitimate processes)
- **TA0003 - Persistence**
  - T1183 - Windows Management Instrumentation Event Subscription (historically associated with the DoubleAgent persistence mechanism, which manipulates Image File Execution Options)
  - Note: The article explicitly maps the persistence mechanism to T1183 and states that MITRE classified the technique there in January 2018. Modern interpretations often place the *execution* path through IFEO/Application Verifier under **T1546.012 - Event Triggered Execution: AppInit DLLs** or under direct process injection, since IFEO is a known persistence mechanism; T1183 itself refers specifically to WMI subscription persistence.
## Functionality
### Core Capabilities
- **Persistent Code Injection**: Injects a malicious DLL into a target process (e.g., AV/EDR processes like Cylance, or system processes like `spoolsv.exe`).
- **Persistence Mechanism**: Achieves persistence by forcefully binding the malicious DLL injection to a process via configuration changes that survive reboots, uninstalls, and patches.
- **Hijacking Legitimate Functionality**: Abuses the Windows **Application Verifier** tool functionality, similar in effect to Linux's `LD_PRELOAD`.
### Advanced Features
- **AV/EDR Evasion**: By injecting into security products themselves, the attacker attempts to blind the primary defense mechanisms.
- **Privilege Escalation Potential**: Demonstrates the ability to inject into system-level processes like `spoolsv.exe` (which runs as SYSTEM), offering a route for privilege escalation from Admin to SYSTEM without relying on known tools like PsExec.
- **Circumventing Standard Injection Detection**: Avoids common, easily detectable code injection API sequences (`VirtualAlloc`, `WriteProcessMemory`, `CreateRemoteThread`).
## Indicators of Compromise
- File Hashes: Not provided in the summary text.
- File Names: DoubleAgent DLL (Hypothetical), `CylanceUI.exe` (Target process example), `spoolsv.exe` (Target process example).
- Registry Keys:
  - `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PROCESS_NAME`
  - `HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options`
- Network Indicators: None explicitly mentioned or demonstrated in the re-weaponized PoC described.
- Behavioral Indicators:
  - Sysmon Event ID 12 (registry key creation/deletion under the IFEO path).
  - Sysmon Event ID 13 (registry value set within the IFEO paths).
  - An attempt to create a memory dump of LSASS from within the injection target process (e.g., the Cylance process).
## Associated Threat Actors
- Not explicitly named in the article regarding the re-weaponization, but the original DoubleAgent was disclosed by Cybellum. The analysis suggests that many threat actors are likely already using armed PoCs derived from this technique.
## Detection Methods
- **Signature-based detection**: Expected to be poor against the DLL payload itself if dynamically loaded.
- **Behavioral detection**: Blue Teams can detect the underlying persistence mechanism by monitoring the succession of Sysmon events related to registry manipulation under the Image File Execution Options (IFEO) path.
- **YARA rules**: Not explicitly detailed.
## Mitigation Strategies
- **Monitoring Registry Changes**: Implement strong monitoring, leveraging Sysmon events (ID 12 and 13), specifically targeting the creation and modification of keys under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options`.
- **Patch Management**: Given that the original vulnerability is old, ensuring all security products are fully patched and up-to-date limits the technique's effectiveness if vendors have updated their self-protection mechanisms.
- **Process Hardening**: Understand and harden the specific AV/EDR processes that are targeted, to reduce the impact of a successful injection.
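The behavioral indicators and the Sysmon-based detection and mitigation advice above come down to one rule: watch Event ID 12 and 13 records whose target path lies under Image File Execution Options. The following is an added example of that rule as detection logic, written for this summary and not taken from the original post or from any vendor. It assumes Sysmon events have already been flattened into dicts carrying the standard `EventID`, `EventType`, `Image`, `TargetObject` and `Details` fields (an assumption about the log pipeline), and it rates two IFEO values highest because they are the ones Application Verifier itself reads: `GlobalFlag` with bit 0x100 (FLG_APPLICATION_VERIFIER) enables the verifier for an executable, and `VerifierDlls` names the provider DLLs it loads. The sample events at the bottom are constructed, not real telemetry.

```python
import re
from dataclasses import dataclass

# Sysmon writes the full key path to TargetObject. For Event ID 12 the path
# ends at the key; for Event ID 13 it ends at the value name. The pattern
# covers both the native and the Wow6432Node IFEO locations.
IFEO_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Windows NT\\CurrentVersion"
    r"\\Image File Execution Options\\(?P<exe>[^\\]+)(?:\\(?P<value>[^\\]+))?$",
    re.IGNORECASE,
)

# Application Verifier is enabled per executable by setting bit 0x100
# (FLG_APPLICATION_VERIFIER) in GlobalFlag; VerifierDlls then names the
# provider DLLs loaded into every new instance of that executable.
FLG_APPLICATION_VERIFIER = 0x100
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    record_id: int
    exe: str
    severity: str
    reason: str


def parse_dword(details: str):
    """Decode Sysmon's 'DWORD (0x........)' rendering of a REG_DWORD value."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def classify(event: dict):
    """Return a Finding for one flattened Sysmon event, or None if it does not touch IFEO."""
    m = IFEO_RE.match(event.get("TargetObject", ""))
    if m is None:
        return None
    exe, value = m.group("exe"), m.group("value")
    rid, eid = int(event["RecordID"]), int(event["EventID"])
    actor = event.get("Image", "<unknown image>")

    # Event ID 12: a per-executable IFEO subkey was created or deleted.
    if eid == 12 and value is None:
        return Finding(rid, exe, "medium",
                       f"{event.get('EventType', 'Key change')} on IFEO subkey for {exe} by {actor}")

    # Event ID 13: a value under the per-executable subkey was written.
    if eid == 13 and value is not None:
        details = event.get("Details", "")
        if value.lower() == "verifierdlls":
            return Finding(rid, exe, "high",
                           f"VerifierDlls set to {details!r}; that DLL will load into every new {exe}")
        if value.lower() == "globalflag":
            flags = parse_dword(details)
            if flags is not None and flags & FLG_APPLICATION_VERIFIER:
                return Finding(rid, exe, "high",
                               f"GlobalFlag enables Application Verifier (0x{flags:x}) for {exe}")
            return Finding(rid, exe, "low",
                           f"GlobalFlag changed for {exe} without the verifier bit ({details})")
        return Finding(rid, exe, "low", f"IFEO value {value} set for {exe} by {actor}")
    return None


def scan(events):
    """Classify a batch of events and return the findings, most severe first."""
    findings = [f for f in map(classify, events) if f is not None]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.record_id))


# Constructed sample events (not real telemetry): one unrelated Run-key write,
# then the registry sequence a DoubleAgent-style install leaves behind, plus a
# benign GlobalFlag change that must not be rated high.
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
IFEO32 = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SAMPLE_EVENTS = [
    {"RecordID": 1, "EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater", "Details": r"C:\Temp\u.exe"},
    {"RecordID": 2, "EventID": 12, "EventType": "CreateKey", "Image": r"C:\Temp\installer.exe",
     "TargetObject": IFEO + r"\CylanceUI.exe", "Details": ""},
    {"RecordID": 3, "EventID": 13, "EventType": "SetValue", "Image": r"C:\Temp\installer.exe",
     "TargetObject": IFEO + r"\CylanceUI.exe\GlobalFlag", "Details": "DWORD (0x00000100)"},
    {"RecordID": 4, "EventID": 13, "EventType": "SetValue", "Image": r"C:\Temp\installer.exe",
     "TargetObject": IFEO + r"\CylanceUI.exe\VerifierDlls", "Details": "doubleagent.dll"},
    {"RecordID": 5, "EventID": 13, "EventType": "SetValue", "Image": r"C:\Tools\gflags.exe",
     "TargetObject": IFEO32 + r"\spoolsv.exe\GlobalFlag", "Details": "DWORD (0x00000002)"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] record {f.record_id}: {f.reason}")
```

Run as-is, the script flags records 3 and 4 as high (verifier bit set, then a DLL registered), record 2 as medium (new IFEO subkey), and record 5 as low (a GlobalFlag write that does not enable the verifier); the Run-key event is ignored. Correlating the medium and high findings for the same executable within a short window, and checking that the DLL named in `VerifierDlls` is one your Application Verifier deployment actually expects, is the natural next step for a detection pipeline.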
## Related Tools/Techniques
- Standard Process Injection techniques using `VirtualAlloc`, `WriteProcessMemory`, and `CreateRemoteThread`.
- `LD_PRELOAD` (Linux equivalent concept for function hooking).
- PsExec (Mentioned as an alternative mechanism for privilege escalation that DoubleAgent could replace).