Bypassing cisco’s sourcefire amp endpoint solution – full demo
Bypassing Cisco’s Sourcefire AMP endpoint solution – Full demo & comparison with RSA NWE
This article demonstrates one of the key differences between NG AV endpoint protection and EDR solutions such as RSA NetWitness for Endpoints. It shows how Cisco's endpoint protection solution, Sourcefire AMP, is easily bypassed by performing a buffer overflow followed by in-memory post-exploitation activities. The test was performed on a fully patched Windows 10 machine with an active MS Defender, MS Firewall, Cisco AMP and RSA NWE agent installed. The setup used for this test was the following:
Windows 10 client protection verification
Vulnerable application is installed and running
Cisco SourceFire AMP does not find any issues on the clean machine
AMP tracking information does not highlight any suspicious activities
RSA NWE does not find any suspicious activities on the clean machine
Attacker – KALI setting up exploit & payload module
Running remote buffer overflow exploit
No alerting from either Cisco AMP or MS Defender…
Attacker runs additional post-exploitation activities such as a keylogger
Attacker searches for and downloads password.txt and creates a screenshot
Attacker performs an ARP network scan
Attacker starts an interactive SHELL and runs WHOAMI & IPCONFIG commands
Still no alerting from either Cisco AMP or MS Defender…
Cisco AMP does not detect or notify on the exploit and post-exploitation activities…
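The post-exploitation steps above (a shell spawned from the exploited application, then WHOAMI, IPCONFIG and an ARP scan) leave exactly the process-lineage telemetry an EDR agent records. As an added example, not code from the original article or from either vendor, the following Python walks parent chains over constructed Sysmon-style process-creation events and flags recon and shell binaries that descend from the exploited service; `vulnapp.exe` is a hypothetical stand-in for the vulnerable application.

```python
# Constructed Sysmon-style process-creation events (not real telemetry).
# "vulnapp.exe" is a hypothetical stand-in for the exploited network service.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4,   "image": "C:\\Windows\\explorer.exe",                 "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "C:\\Program Files\\VulnApp\\vulnapp.exe",   "cmd": "vulnapp.exe"},
    # Benign: an interactive user opening a shell from Explorer and running ipconfig.
    {"pid": 300, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe",            "cmd": "cmd.exe"},
    {"pid": 301, "ppid": 300, "image": "C:\\Windows\\System32\\ipconfig.exe",       "cmd": "ipconfig /all"},
    # Suspicious: the same binaries, but descended from the network-facing service.
    {"pid": 400, "ppid": 200, "image": "C:\\Windows\\System32\\cmd.exe",            "cmd": "cmd.exe"},
    {"pid": 401, "ppid": 400, "image": "C:\\Windows\\System32\\whoami.exe",         "cmd": "whoami"},
    {"pid": 402, "ppid": 400, "image": "C:\\Windows\\System32\\ipconfig.exe",       "cmd": "ipconfig"},
    {"pid": 403, "ppid": 200, "image": "C:\\Windows\\System32\\ARP.EXE",            "cmd": "arp -a"},
]

# Network-facing images that should never have a shell or recon tool beneath them.
SERVICE_IMAGES = {"vulnapp.exe"}
# Binaries whose appearance under such a service indicates hands-on-keyboard activity.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe", "ipconfig.exe", "arp.exe"}


def basename(path):
    """Case-insensitive image name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_post_exploitation(events, max_depth=8):
    """Return (pid, image_name, service_pid) for every suspicious process whose
    ancestor chain reaches a monitored service image within max_depth hops."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        if name not in SUSPICIOUS_CHILDREN:
            continue
        # Walk up the parent chain; lineage, not the image name, decides the verdict.
        cur, depth = by_pid.get(e["ppid"]), 0
        while cur is not None and depth < max_depth:
            if basename(cur["image"]) in SERVICE_IMAGES:
                alerts.append((e["pid"], name, cur["pid"]))
                break
            cur, depth = by_pid.get(cur["ppid"]), depth + 1
    return alerts


if __name__ == "__main__":
    for pid, name, svc in detect_post_exploitation(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} {name} descends from service pid={svc}")
```

The Explorer-spawned cmd.exe and ipconfig.exe (pids 300 and 301) are left alone, which is the point: a file-scanning NGAV has nothing to act on here, while lineage-aware telemetry separates the operator's shell from a user's.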
Now let’s look at RSA NWE