
Cisco AMP - Bypassing Self-Protection

Sometimes when you are in the middle of an engagement, you will come across a hurdle which requires a quick bit of research, coding, and a little bit of luck. This was the case with a recent engagement in which we came across Cisco AMP, an endpoint protection technology which provides analysis of processes, provides spawn chains, and exposes a bunch of the other goodies you have come to expect from EDR products, including our old friend: self-protection.

We’ve explored self-protection techniques over a number of posts, often looking at just how the technology can be bypassed on Windows and macOS operating systems. In this post I want to show another method which can be used to work around this protection, and which was effective against the Cisco AMP agent on Windows.

Read the full post over on MDSec's blog here.