Sometimes when you are in the middle of an engagement, you will come across a hurdle which requires a quick bit of research, coding, and a little bit of luck. This was the case with a recent engagement in which we came across Cisco AMP, an endpoint protection technology which provides analysis of processes, provides spawn chains, and exposed a bunch of the other goodies you have come to expect from EDR products, including our old friend…. self-protection.
We’ve explored self-protection techniques over a number of posts, often looking at just how the technology can be bypassed on Windows and MacOS operating systems. In this post I want to show another method which can be used to work around this protection, and which was effective against the Cisco AMP agent on Windows.
Read the full post over on MDSec's blog here.