The Dark side of EDR: how a security system becomes a hacker's weapon

The researcher reveals dangerous vulnerabilities in popular security solutions.

SafeBreach researcher Shmuel Cohen demonstrated that EDR solutions can themselves be turned into attack tools. In the course of the study, Cohen analyzed one EDR system and identified vulnerabilities that could allow attackers to turn the product against the very systems it is meant to protect.

EDR systems run with high privileges and are designed to protect devices from a range of threats, including malware. Compromising such a system, however, can give attackers persistent and undetectable access to victims' devices.

Cohen found that the behavior of the EDR under investigation allowed its file-modification protection to be bypassed, which made it possible to run ransomware and even to load a vulnerable driver in order to block removal of the EDR via the administrator password.

In addition, the researcher found a way to inject malicious code into one of the EDR's processes, allowing code to execute with high privileges while remaining undetected. Cohen also exploited the ability to modify the product's Lua and Python files, which made it possible to execute malicious code and gain the highest system privileges on the machine.

Using the vulnerable driver, Cohen could read and write kernel memory, which allowed him to alter the EDR's management-password check so that any password was accepted, or even to prevent the program from being removed once it was disconnected from the management server.

The study highlights that attacks on EDR solutions can give attackers powerful capabilities that are likely to go unnoticed. Cohen notes that security products must carefully protect their detection logic and must encrypt and digitally sign content files so that they cannot be modified. Allow- and deny-listing of processes should also be based on several parameters that an attacker cannot alter.
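The two mitigations Cohen recommends, signed content files and allow-listing keyed on more than one attribute the attacker cannot control, can be sketched in code. The following Python is an added example written for this post; it is not code from SafeBreach, Palo Alto Networks or any EDR product. It uses HMAC-SHA256 over a manifest of file digests as a stdlib-only stand-in for the asymmetric signature a real product would use, and every file content, path, key and signer name in it is constructed.

```python
import hashlib
import hmac
import json

# Constructed sample "content files" of the kind an EDR agent loads and executes.
CONTENT_FILES = {
    "rules/ransomware.lua": b"-- constructed rule: alert on mass file rewrites\n",
    "plugins/helper.py": b"# constructed helper module\n",
}

# Assumption: in a real product the signing key never leaves the vendor's build
# pipeline and the agent holds only a public verification key. HMAC shares one key
# between signer and verifier, so it stands in here for Ed25519/RSA signing.
VENDOR_KEY = b"constructed-vendor-key"


def sign_manifest(files, key):
    """Digest every content file and authenticate the manifest of digests."""
    digests = {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}


def load_content(path, data, manifest, key):
    """Return the file bytes only if the manifest is authentic and the file matches it.

    An attacker who can write to the content directory can change a file, the
    manifest, or both; without the key they cannot produce a valid tag, so each of
    those changes is rejected before anything gets executed.
    """
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return None  # manifest tampered with or not issued by the vendor
    expected_digest = manifest["digests"].get(path)
    if expected_digest is None:
        return None  # file is not part of the signed release
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_digest):
        return None  # file content altered after signing
    return data


# Allow-list entries require path, image digest and code signer to match together:
# an attacker who can drop a binary at an allowed path still does not control its
# digest and cannot obtain the signer's certificate. (All values constructed.)
ALLOWED_PROCESSES = {
    (
        "C:\\Program Files\\Agent\\agent.exe",
        hashlib.sha256(b"constructed agent image").hexdigest(),
        "Example Vendor Inc.",
    ),
}


def is_allowed(path, image_bytes, signer):
    """True only when every attribute of the process matches one allow-list entry."""
    return (path, hashlib.sha256(image_bytes).hexdigest(), signer) in ALLOWED_PROCESSES


def demo():
    """Run the checks against genuine and tampered inputs; return the outcomes."""
    manifest = sign_manifest(CONTENT_FILES, VENDOR_KEY)
    path = "rules/ransomware.lua"
    altered = CONTENT_FILES[path] + b"-- injected line\n"
    genuine = load_content(path, CONTENT_FILES[path], manifest, VENDOR_KEY)
    tampered = load_content(path, altered, manifest, VENDOR_KEY)
    # Attacker re-creates the manifest to match the altered file but lacks the key.
    forged = sign_manifest({path: altered}, b"not-the-vendor-key")
    forged_load = load_content(path, altered, forged, VENDOR_KEY)
    agent_path = "C:\\Program Files\\Agent\\agent.exe"
    return {
        "genuine_loaded": genuine is not None,
        "tampered_file_rejected": tampered is None,
        "forged_manifest_rejected": forged_load is None,
        "allowlist_path_only_rejected": not is_allowed(agent_path, b"different image", "Example Vendor Inc."),
        "allowlist_full_match": is_allowed(agent_path, b"constructed agent image", "Example Vendor Inc."),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of `load_content` is ordering: authenticity of the manifest is checked before any per-file digest, so a manifest rewritten by someone without the key is rejected as a whole rather than trusted file by file. The allow-list check shows why a path-only rule is weak: the same path with a different image body fails, and only the full (path, digest, signer) triple passes.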

Palo Alto Networks responded to Cohen's findings by updating its security mechanisms and advising users to ensure that their systems are up to date. Cohen shared his research publicly to raise awareness of such threats and to strengthen security measures in organizations.