Safe Haven for Post Exploitation
Disable the connectivity between the EDR agent and the EDR console.
Most EDR abuse tools that exist today require at least local admin privileges on the machine. What makes this technique notable is that it works with basic non-admin privileges to render the EDR blind.
In this post, we're diving into a technique to do exactly that. We're going to abuse Windows' built-in VPN client to force all of the EDR's critical communication through a VPN tunnel that we control. Once we own the pipe, we can silently drop the traffic, leaving the agent isolated and blind while our own activity continues unimpeded. It's an approach to create a safe haven for our post-exploitation activities.
The Core Concept: A Man-in-the-Middle on the EDR Itself
The goal is simple: Intercept and block the network communication between the SentinelOne agent on the compromised host and its management console in the cloud.
SentinelOne, like any cloud-managed EDR, relies on a constant heartbeat and the ability to send telemetry data back to its mothership. No communication means no alerts, no policy updates, and most importantly, no real-time blocking of our actions. We're not trying to disable the service; we're just cutting its lifeline.
The beauty of this method is that we achieve this by becoming a "trusted" network provider on the host. By leveraging the built-in rasdial functionality and the Routing and Remote Access service, we can establish a system-level VPN connection. This isn't a user-land VPN; this is a network interface that even privileged services are forced to use. We set up a VPN server we control (an EC2 instance is perfect for this), push a routing configuration that says "all of SentinelOne's traffic goes through my VPN," and then we simply... discard it.
Step 1: Footprinting the EDR's Communication Channels
First, we need to identify the destination IP addresses the SentinelOne agent uses to communicate with its console. From a non-admin command prompt, we can use built-in tools to observe these connections.

Step 2: Establishing the Rogue VPN Tunnel
Concurrently, we configure our attack infrastructure—a VPN server on an AWS EC2 instance. We use Windows' built-in SSTP VPN client for its reliability and use of TCP port 443, which is rarely blocked.
From the compromised host, we create and initiate a VPN connection to our server. This is done within the user's context and does not require elevation.

Once authenticated, a new VPN interface is established. We can verify that the agent's connection to the console is no longer possible and that the console endpoint is unreachable from the host.
The EDR agent, thinking it's communicating normally, happily sends its data into a black hole. Meanwhile, our other C2 traffic can be routed out the normal interface or through a separate, dedicated tunnel, keeping us operational.
The result is precise and effective. The SentinelOne agent continues to generate and dispatch its telemetry. The operating system's routing table, following our rule, directs these packets into the SSTP VPN tunnel. They arrive at our EC2 instance, which we have configured to silently drop them. The agent's connection attempts stall and fail. From the perspective of the management console, the agent simply goes offline.
Evasion in Action: Executing with Impunity
With the EDR agent blinded, the environment becomes a safe haven for post-exploitation. Standard detection mechanisms are neutered. You can now execute a range of tools and techniques that would typically generate immediate alerts.
Common actions performed during our testing without triggering SentinelOne included:
Execution of credential access tools.
Lateral movement techniques.
Running script-based payloads.
Loading in-memory offensive toolkits.
The agent's process remains active, but its ability to report its findings to the security team has been surgically removed. This creates a critical gap in the organization's security visibility.
Detection and Mitigation: A Blue Team Perspective
This technique, while effective, is not entirely invisible. Defenders should look for several key indicators of compromise:
User-Initiated SSTP Connections: Unusual SSTP VPN connections originating from user workstations to unknown external IP addresses, especially cloud infrastructure IPs, are a primary indicator.
Route Command Usage: Command-line arguments adding persistent routes (route -p add) are highly suspicious, particularly when associated with a VPN interface.
Process Tree Anomalies: The sequence of rasphone or rasdial followed by route.exe should be considered a high-fidelity alert when correlated with EDR agents losing connectivity.
Agent Health Monitoring: Sudden, unexplained losses of agent communication from otherwise healthy hosts should be investigated immediately, not just dismissed as network issues.
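The process-tree correlation above, as an added detection example that is not part of the original post: it runs over constructed Sysmon-style process-creation records (hosts, users, addresses and command lines are all made up) and flags a RAS dialer launch followed by a persistent route add by the same user on the same host within a time window.

```python
from datetime import datetime, timedelta
# Constructed sample of process-creation telemetry (Sysmon-style fields); not real logs.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:01", "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\rasdial.exe", "cmdline": 'rasdial "Corp VPN" alice ******'},
    {"ts": "2024-05-01T09:00:09", "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\ROUTE.EXE",
     "cmdline": "route -p add 203.0.113.10 mask 255.255.255.255 10.8.0.1"},
    {"ts": "2024-05-01T09:00:30", "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\ROUTE.EXE",
     "cmdline": "route -p add 203.0.113.11 mask 255.255.255.255 10.8.0.1"},
    {"ts": "2024-05-01T11:15:00", "host": "WS02", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\route.exe", "cmdline": "route print"},
    {"ts": "2024-05-01T12:00:00", "host": "WS03", "user": "CORP\\carol",
     "image": r"C:\Windows\System32\rasphone.exe", "cmdline": "rasphone"},
    {"ts": "2024-05-01T13:30:00", "host": "WS03", "user": "CORP\\carol",
     "image": r"C:\Windows\System32\ROUTE.EXE",
     "cmdline": "route -p add 203.0.113.10 mask 255.255.255.255 10.8.0.1"},
]
DIALERS = {"rasdial.exe", "rasphone.exe"}  # built-in Windows RAS dialers

def image_name(path):
    """Lower-cased file name of an image path (route.exe vs ROUTE.EXE)."""
    return path.rsplit("\\", 1)[-1].lower()

def is_persistent_route_add(cmdline):
    """True for route.exe invocations that add a persistent (-p) route."""
    tokens = cmdline.lower().split()
    return "add" in tokens and "-p" in tokens

def detect_vpn_reroute(events, window_minutes=10):
    """One alert per dialer launch followed (same host, same user, in window) by a -p route add."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if image_name(ev["image"]) not in DIALERS:
            continue
        t0 = datetime.fromisoformat(ev["ts"])
        routes = [
            later["cmdline"] for later in events[i + 1:]
            if later["host"] == ev["host"] and later["user"] == ev["user"]
            and image_name(later["image"]) == "route.exe"
            and is_persistent_route_add(later["cmdline"])
            and datetime.fromisoformat(later["ts"]) - t0 <= timedelta(minutes=window_minutes)
        ]
        if routes:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "dialer": image_name(ev["image"]), "routes": routes})
    return alerts
```

Correlating the resulting alerts with agent-offline events from the EDR console (the Agent Health Monitoring indicator) raises their fidelity further.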
Mitigation strategies should focus on restricting the ability to create unauthorized network routes:
Restrict VPN Creation: Implement Group Policy to prevent users from creating their own VPN connections.
Least Privilege: Enforce the principle of least privilege. While the initial attack works without admin, limiting local administrator access remains critically important for other defenses.
Network Monitoring: Deploy network detection rules to flag outbound SSTP connections from workstations and the establishment of new, persistent routes.
Host-Based Firewall Rules: Consider using host-based firewalls to block the EDR agent from communicating over any interface other than the primary corporate one.
Conclusion
This technique demonstrates a significant weakness in the assumed security model of many EDR products: their reliance on user-accessible operating system features for their own communication. By abusing the built-in Windows VPN client and routing table, we can selectively blind the agent without touching its processes, without injecting code, and without administrative privileges.
It serves as a reminder that effective security requires a defense-in-depth approach, where endpoint protection is complemented by robust network monitoring and strict application control. The arms race between offensive and defensive security continues, and understanding these underlying techniques is crucial for defenders to build more resilient environments.
Credits
The experiment is inspired by https://trustedsec.com/blog/abusing-windows-built-in-vpn-providers