+34 900 840 407
support@cytomic.ai

Information regarding Exploit techniques in Advanced EPDR/EDR

Related Products
  • Advanced EPDR
  • Advanced EDR
Introduction

In Advanced EPDR/EDR, the exploit techniques that have been detected are shown in the Activity of exploits information panel, along with the program that was compromised.

The monitored techniques are listed below, each with a brief description:

Exploit/Metasploit
The Metasploit Framework is a testing platform that enables the creation, testing, and execution of exploit code. If Advanced EPDR/EDR products detect a Metasploit shellcode signature, it is flagged as a Metasploit exploit technique.

Exploit/ReflectiveLoader
Reflective DLL injection uses reflective programming to load a library from memory into a host process without going through the normal loader, so the load is not registered in the usual places. If Advanced EPDR/EDR products detect a reflective executable loading (for example, Metasploit or Cobalt Strike), it is flagged as a Reflective Loader exploit technique.

Exploit/RemoteAPCInjection
The asynchronous procedure call (APC) queue can be used to inject malicious code into a process in order to evade process-based defenses as well as possibly elevate privileges. APC injection executes arbitrary code in the address space of a separate live process. If Advanced EPDR/EDR products detect remote code injection via an APC, it is flagged as a Remote APC Injection exploit technique.

Exploit/DynamicExec
Code injections occur when applications allow the dynamic execution of code instructions from untrusted data. An attacker can influence the behavior of the targeted application and modify it to get access to sensitive data. If Advanced EPDR/EDR products detect the execution of code in pages without execution permissions (32-bit only), it is flagged as a Dynamic Exec exploit technique.

Exploit/HookBypass
Hooking refers to the interception of function calls, system events, or messages. The code snippets that perform these interceptions are called hooks. If Advanced EPDR/EDR products detect a hook bypass in a running function, it is flagged as a Hook Bypass exploit technique.

Exploit/ShellcodeBehavior
Shellcode is a small piece of machine code used as the payload in the exploitation of a software vulnerability. An exploit will commonly inject a shellcode into the target process before or at the same time as it exploits a vulnerability. If Advanced EPDR/EDR products detect the execution of code on MEM_PRIVATE pages that does not correspond to a PE, it is flagged as a Shellcode Behavior exploit technique.

Exploit/ROP1
Return-oriented programming (ROP) is an exploit technique that enables attackers to control the call stack and program control flow. The attacker then executes machine instruction sequences that are already present in memory. These sequences usually end in a return instruction and are located in a subroutine within an existing program or shared library code. If Advanced EPDR/EDR products detect the execution of memory management APIs while the stack pointer is outside the thread's stack limits, it is flagged as a ROP1 exploit technique.
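The two memory-based heuristics above (Shellcode Behavior and ROP1) can be illustrated with a small evaluator. The following is an added example written for this article; it is not Cytomic's code and does not reproduce how the product actually hooks or inspects processes. It takes constructed memory-region records (the fields VirtualQuery reports on Windows) and constructed thread-stack bounds (the TEB StackLimit/StackBase pair), then applies the two rules as the text states them: code running from a MEM_PRIVATE region that is not a PE, and a memory-management API called while the stack pointer is outside the thread's stack. The list of watched APIs and the sample memory layout are assumptions made up for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# MEMORY_BASIC_INFORMATION.Type values from the Windows SDK.
MEM_IMAGE = 0x1000000
MEM_MAPPED = 0x40000
MEM_PRIVATE = 0x20000

# Memory-management APIs watched by the ROP1 rule. This set is an assumption
# for the example; the product's real watch list is not published.
MEMORY_MGMT_APIS = {
    "VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "VirtualProtectEx",
    "NtAllocateVirtualMemory", "NtProtectVirtualMemory", "WriteProcessMemory",
}


@dataclass(frozen=True)
class Region:
    """One committed memory region, as VirtualQuery would report it."""
    name: str
    base: int
    size: int
    mem_type: int      # MEM_IMAGE, MEM_MAPPED or MEM_PRIVATE
    is_pe: bool        # region starts with a parsable MZ/PE header

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class ThreadStack:
    """Stack bounds of the executing thread (TEB.StackLimit / TEB.StackBase)."""
    limit: int   # lowest committed stack address
    base: int    # one past the highest stack address

    def holds(self, sp: int) -> bool:
        return self.limit <= sp < self.base


@dataclass(frozen=True)
class Event:
    """A single observation: code executing at `pc`, or an API call."""
    kind: str                  # "exec" or "api_call"
    pc: int                    # instruction pointer at the time of the event
    sp: int                    # stack pointer at the time of the event
    stack: ThreadStack
    api: Optional[str] = None  # set for "api_call" events


def find_region(regions: List[Region], addr: int) -> Optional[Region]:
    return next((r for r in regions if r.contains(addr)), None)


def classify(event: Event, regions: List[Region]) -> List[str]:
    """Return the technique labels this single event would trigger."""
    hits: List[str] = []
    region = find_region(regions, event.pc)

    # ShellcodeBehavior: code running from a MEM_PRIVATE page that is not a PE.
    # A manually mapped PE in private memory is deliberately not matched here;
    # that is the ReflectiveLoader case, not this rule.
    if (event.kind == "exec" and region is not None
            and region.mem_type == MEM_PRIVATE and not region.is_pe):
        hits.append("Exploit/ShellcodeBehavior")

    # ROP1: a memory-management API entered while the stack pointer sits
    # outside the thread's own stack, the footprint of a pivoted stack.
    if (event.kind == "api_call" and event.api in MEMORY_MGMT_APIS
            and not event.stack.holds(event.sp)):
        hits.append("Exploit/ROP1")
    return hits


# Constructed sample layout: one loaded image, one ordinary heap region,
# one private region holding a manually mapped PE, and the thread stack.
SAMPLE_REGIONS = [
    Region("ntdll.dll", 0x7FF800000000, 0x200000, MEM_IMAGE, is_pe=True),
    Region("heap", 0x1A0000, 0x100000, MEM_PRIVATE, is_pe=False),
    Region("mapped_pe", 0x2000000, 0x80000, MEM_PRIVATE, is_pe=True),
    Region("stack", 0x10000000, 0x100000, MEM_PRIVATE, is_pe=False),
]
SAMPLE_STACK = ThreadStack(limit=0x10000000, base=0x10100000)


def run_sample() -> List[Tuple[str, List[str]]]:
    """Evaluate a handful of constructed events; returns (label, hits) pairs."""
    sp_ok = 0x100FF000           # inside the thread stack
    sp_pivoted = 0x1A8000        # inside the heap: the stack has been pivoted
    events = [
        ("ntdll code", Event("exec", 0x7FF800001000, sp_ok, SAMPLE_STACK)),
        ("heap code", Event("exec", 0x1A5000, sp_ok, SAMPLE_STACK)),
        ("mapped PE code", Event("exec", 0x2001000, sp_ok, SAMPLE_STACK)),
        ("VirtualProtect, normal stack",
         Event("api_call", 0x7FF800002000, sp_ok, SAMPLE_STACK, "VirtualProtect")),
        ("VirtualProtect, pivoted stack",
         Event("api_call", 0x7FF800002000, sp_pivoted, SAMPLE_STACK, "VirtualProtect")),
        ("CreateFileW, pivoted stack",
         Event("api_call", 0x7FF800003000, sp_pivoted, SAMPLE_STACK, "CreateFileW")),
    ]
    return [(label, classify(ev, SAMPLE_REGIONS)) for label, ev in events]


if __name__ == "__main__":
    for label, hits in run_sample():
        print(f"{label:32} -> {hits or 'no detection'}")
```

The "mapped PE code" and "CreateFileW, pivoted stack" cases show the boundaries of each rule: a PE in private memory is left to the Reflective Loader rule, and a pivoted stack on its own is not ROP1 until a memory-management API is reached. A real agent gets `pc`, `sp` and the region list from its hooks and from the target thread's TEB rather than from constructed records.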

Exploit/IE_GodMode
Windows God Mode enables you to quickly access administrative tools, backup and restore options, and other important management settings from a single window. This includes Internet options. If Advanced EPDR/EDR products detect God Mode in Internet Explorer, it is flagged as an IE_GodMode exploit technique.

Exploit/RunPE
RunPE is a type of malware that hides code inside a legitimate process. It is sometimes referred to as a hollowing technique. If Advanced EPDR/EDR products detect process hollowing techniques or RunPE, it is flagged as a RunPE exploit technique.

Exploit/PsReflectiveLoader1
Reflective loaders are commonly used by attackers to extract sensitive information, such as passwords and credentials, from system memory. If Advanced EPDR/EDR products detect a PowerShell reflective loader, such as Mimikatz, it is flagged as a PsReflectiveLoader1 exploit technique.

Exploit/PsReflectiveLoader2
Reflective loaders are commonly used by attackers to extract sensitive information, such as passwords and credentials, from system memory. If Advanced EPDR/EDR products detect a PowerShell reflective loader, such as Mimikatz, on a remote computer, it is flagged as a PsReflectiveLoader2 exploit technique.

Exploit/NetReflectiveLoader
Reflective loaders are commonly used by attackers to extract sensitive information, such as passwords and credentials, from system memory. If Advanced EPDR/EDR products detect a .NET reflective loader, such as Assembly.Load, it is flagged as a NetReflectiveLoader exploit technique.

Exploit/JS2DOT
js2-mode is a JavaScript editing mode for GNU Emacs (free, customizable text editor). If Advanced EPDR/EDR products detect a JS2DOT technique, it is flagged as an exploit technique.

Exploit/Covenant
Covenant is a .NET collaborative command and control platform for cybersecurity professionals. If Advanced EPDR/EDR products detect the Covenant framework, it is flagged as an exploit technique.

Exploit/DumpLsass
Adversaries can attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). If Advanced EPDR/EDR products detect an LSASS process memory dump, it is flagged as a DumpLsass exploit technique.

Exploit/APC_Exec
Adversaries can attempt to inject malicious code into processes in the asynchronous procedure call (APC) queue in order to evade process-based defenses or elevate privileges. APC injection is a method of executing arbitrary code in a separate live process. If Advanced EPDR/EDR products detect local code execution through APC, it is flagged as an APC_Exec exploit technique.

Exclusions

Additionally, the detection of a technique can be excluded for a specific program. If a client wants to allow an exception for a specific process or program, for whatever reason, that program is excluded while the rest of the processes remain protected against the same exploit attempt.

To do this, open the detection of the exploit, then the tooltip accessible from Action, and select the option Do not detect again.