News thumbnail of the Security Scorecard logo, with Security Scorecard branding
Exclusive Networks Turns on Ignition to Accelerate SecurityScorecard Across EMEA
April 6, 2022
Blog thumbnail of the Ignition and Abnormal logos
How Abnormal Security Is Leveraging Artificial Intelligence
January 31, 2023

The Dark Side of Pen Testing

Posted by Ignition Technology

July 14, 2022

The Brute Ratel C4 (BRc4) red-teaming and adversarial attack simulation tool was released in December 2020. The most recent “Sicilian Defense” version was released in May 2022. Similar to Cobalt Strike, this tool has been embraced by legitimate adversary groups (APT actors and alike).

It provides a framework for developing pen testing tools, using a wide variety of techniques and attack vectors. All known Indicators of Compromise (IoCs), including samples, are convicted by CylancePROTECT.

The Force of BlackBerry Cylance

CylancePROTECT is the world’s first math- and machine learning-based endpoint protection product that detects previously “unknown” malware and prevents it from executing. It operates by analysing potential file executions for malware in less than 100 milliseconds.

Memory Protection

CylancePROTECT’s memory protection abilities are similar to those found in modern host intrusion prevention systems, but without the configuration complexity. Memory protection adds an additional layer of security and strengthens the OS’s basic protection features like data execution prevention, address space layout randomisation and enhanced mitigation experience toolkit.

BlackBerry Protect’s MemoryProtection is a great defense against attacks employing red-teaming tools such as BRc4 or Cobalt Strike, particularly considering payloads often execute in-memory and without the use of CMD.exe or PowerShell.exe. Script Control can also help prevent the delivery of red teaming stagers.

BlackBerry’s Recommendations

Due to the degree of configurability, BlackBerry recommends customers activate as many of the MemoryProtection options as they can (excluding any which may impact their environment), but in particular, the following options:

  • Exploitation – Malicious Payload
  • Exploitation – System DLL Overwrite
  • Process Injection – Remote Thread Creation
  • Escalation – LSASS read

Protect Detection

BlackBerry recommends that Script Control be enabled for all script types, and for customers using version 1580 or higher, activation of ‘Dangerous VBA Macro’ and ‘Dangerous COM Object’ violation types under Memory Actions.

Optics Rules  

Script Control coverage (available with Optics):

– Hidden Powershell Execution

– PowerShell Encoded Command

– Fileless PowerShell Malware

– Powershell Download

– One-Liner ML Module

When deployed on servers, PROTECT’s memory protection capabilities prevent the exploitation of many of the most common classes of vulnerabilities, such as exploits for buffer overflows and uses-after-free. For more information, please contact the team by emailing blackberry@ignition-technology.com.

By Phill Parry, Senior Systems Engineer at Ignition Technology

 

 

References

https://unit42.paloaltonetworks.com/atoms/brute-ratel/

https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/

https://amp.hothardware.com/news/evasive-malware-dodges-detection-over-50-av-scanners

https://www.csoonline.com/article/3666508/attacker-groups-adopt-new-penetration-testing-tool-brute-ratel.html

Related posts

This website uses cookies to improve your experience. By using this website you agree to our Data Protection Policy.
Read more