So with the drop of the ALPC 0Day (as of writing this), I decided to test the PoC on a machine running CarbonBlack Defense to see if the company I work for would be protected.
I started out with the write up from DarthSidious and followed his instructions to test.
Basically it was, open Process Explorer, download the PoC from Github, open a command prompt and Notepad. Get the PID of Notepad from Process Explorer and then watch the spool service for sub-processes (namely CMD.exe running as system).
As you can see, if you look at DarthSidious’ post it looks almost the same. There is an extra line that says “Couldn’t create remote thread 5.” This is interesting, so lets look at process explorer. In the post from DarthSidious at this point there is a cmd.exe subprocess to spoolsv.exe that is running as user NT AUTHORITY\SYSTEM. If the inject worked, that should be the same case, but when I looked at the spoolsv.exe service I saw this:
No sub-processes. Looks completely normal.
At this point I double checked that I did everything the exact way the blog post said to, and I had, so I went into the CarbonBlack Defense Console and immediately saw the following:
I know, it doesn’t say a lot other than an attack was stopped. Still, it is a promising thing to look at when testing. Clicking on the link into the potential malware gave me the following though:
Ah Ha! it sees the PoC try to inject and hit a deny policy. So it did stop it, but lets look a little further into the information CB Defense gives us:
Here we can see the process layout and the injection dotted line from the PoC. The summary shows that the InjectDLL.exe is completely unknown and CarbonBlack stopped the injection process. If we go into the investigate area off the block notification we see the following:
The items I found interesting from all of this is not just the TTPs, but that is saw the full command line, and shows that it was trying to deliver and exploit as the attack stage. From here I could take the hashes put them up to Virus Total, manually enter them into any protection service and pass the information onward, not that it would protect you because any chance or different file trying to use the exploit will change the hash. The bigger deal to me is that it stopped the attack with no other information than it being an unknown file and it tried to inject code.
I would hope that other EDR products would wind up stopping this attack in a similar fashion. I don’t have others to test unfortunately though. Still, with all the issues I have had with CB Defense, it is nice to see it do its job.
“Here we can see the process layout and the injection dotted line from the PoC. The summary shows that the InjectDLL.exe is completely unknown and CarbonBlack stopped the injection process” <— but it is nothing about 0day issue where you can change ACL of the dll via TaskJob and Hardlink… Cb can' not detect/block this.
What CB detect and block – is old good Injection which is not 0day….