Tanium (other) EDR / HIDS avoidance


Got an interesting paste alert for: https://pastebin.com/XQuWZHU5
Had to make some changes (the URL), but the steps the macro takes do avoid detection in our testing. Not to say it's the most stealthy approach or anything; it uses a macro, but it does have a few new nuances that are interesting.
Very clever finding a character that is accepted as an "L" while not being a US-ASCII "L". Renaming cmd.exe and certutil.exe to Chrome and Firefox will likely work as a bypass for a short time as well.
We also found that the paste hinted at another LOLBAS: it looks like Tanium is looking for a "/y" in the esentutl.exe rule and has no rule for the "-y" argument. As for the en-dash and em-dash, while clever for certutil, we could not find many exes accepting them, though there were some others that did. The en-dash really looks like a normal dash in the logs; the em-dash stands out more, but it could still get past a junior analyst.
We'll be informing Tanium of this shortly.
process.command_line contains '/y' AND process.path ends with 'esentutl.exe'
Just use "esentutl.exe -y"; there are probably dozens of similar "bypasses" of HIDS, since many binaries accept multiple argument separators.
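The rule quoted above is brittle because it matches one literal separator against raw text. A more robust detection normalizes the command line first (fold Unicode compatibility characters such as fullwidth letters to ASCII, map en-dash/em-dash style punctuation to a plain hyphen, case-fold) and then accepts either "/" or "-" before the switch. The following is an added example written here, not Tanium's rule and not code from the paste; the sample command lines are constructed, and the fullwidth "L" used in one of them is an assumed illustration of a homoglyph, not the specific character the paste used.

```python
import re
import unicodedata

# Constructed sample command lines (not taken from the page) paired with whether a
# normalized "esentutl.exe ... /y or -y" rule should fire on them.
SAMPLES = [
    ("esentutl.exe /y C:\\src.db /d C:\\dst.db", True),      # original rule's case
    ("esentutl.exe -y C:\\src.db -d C:\\dst.db", True),      # alternate separator
    ("esentutl.exe \u2013y C:\\src.db", True),               # en-dash before the switch
    ("esentutl.exe \u2014y C:\\src.db", True),               # em-dash before the switch
    ("ESENTUT\uff2c.EXE /y C:\\src.db", True),               # fullwidth L homoglyph (assumed)
    ("esentutl.exe /m C:\\src.db", False),                   # different switch, no hit
]

# Dash-like punctuation to fold to a plain hyphen before matching.
DASH_LIKE = "\u2010\u2011\u2012\u2013\u2014\u2015\u2212"
DASH_TABLE = {ord(c): "-" for c in DASH_LIKE}


def normalize_command_line(cmd: str) -> str:
    """Return a canonical form of a command line for rule matching."""
    # NFKC folds compatibility characters (fullwidth letters, etc.) to their ASCII forms.
    folded = unicodedata.normalize("NFKC", cmd)
    # Map en-dash, em-dash and friends to '-', then case-fold for case-insensitive matching.
    folded = folded.translate(DASH_TABLE)
    return folded.casefold()


# Match the esentutl image name (as a whole token) followed later by a '/y' or '-y' switch.
# Matching the command line rather than process.path also survives a renamed binary only
# if the operator keeps the original name in the command; pair this with an
# OriginalFilename check from the PE version resource for full coverage.
ESENTUTL_COPY = re.compile(
    r"(?:^|[\\/\s])esentutl\.exe\b.*?(?:^|\s)[-/]y(?:\s|$)", re.S
)


def is_esentutl_copy(cmd: str) -> bool:
    """True when the normalized command line looks like an esentutl /y (copy) invocation."""
    return ESENTUTL_COPY.search(normalize_command_line(cmd)) is not None


def evaluate_samples():
    """Run the detection over the constructed samples; returns [(cmd, fired, expected)]."""
    return [(cmd, is_esentutl_copy(cmd), expected) for cmd, expected in SAMPLES]


if __name__ == "__main__":
    for cmd, fired, expected in evaluate_samples():
        status = "OK " if fired == expected else "MISS"
        print(f"{status} fired={fired!s:5} {cmd!r}")
```

The normalization step is the part worth keeping regardless of the matching engine: apply it to the command line field at ingest (or in the rule's preprocessing) so that homoglyph and alternate-dash variants collapse onto the same string the rule was written against.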