How to dismantle an atomic bomb

October 20, 2017


Security researchers at enSilo recently released a novel code injection technique for Windows known as ‘Atom Bombing’. It is so called because it abuses Windows atom tables and asynchronous procedure calls (APCs) to evade detection by many common security solutions.

Code injection is a useful tool for an attacker because it can make a legitimate application run malicious commands. As this technique exploits the design of the OS rather than a bug in code, it cannot easily be patched, which makes it very desirable to attackers.

When testing the technique on Windows 10, we see that it is possible to inject shellcode into Chrome and cause it to launch calc.exe. That shellcode could just as easily give an attacker a remote shell from which to access data and launch further attacks.
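Because the technique stores its payload as string atoms in the global atom table, a defender can sweep that table for entries that look like opaque binary data rather than the short class or clipboard-format names applications normally register. The following PowerShell is an added example, not code from the original post or from BeyondTrust; it assumes it is run in the interactive session whose window station you want to inspect, and the 30% non-printable threshold is a constructed value.

```powershell
# Added example (not part of the original post): point-in-time sweep of the
# global atom table of the current window station. Atoms that look like binary
# payloads are flagged for review. Assumption: run inside the interactive
# session under inspection; the ratio threshold below is a constructed value.

$atomApi = Add-Type -Namespace 'AtomHunt' -Name 'Native' -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GlobalGetAtomNameW(ushort nAtom, System.Text.StringBuilder lpBuffer, int nSize);
'@

function Get-GlobalAtomTable {
    # String atoms occupy 0xC000-0xFFFF; values below that are integer atoms.
    # Atom strings are at most 255 characters, so a 256-character buffer suffices.
    $buf = New-Object System.Text.StringBuilder 256
    foreach ($atom in 0xC000..0xFFFF) {
        [void]$buf.Clear()
        $len = $atomApi::GlobalGetAtomNameW([uint16]$atom, $buf, $buf.Capacity)
        if ($len -gt 0) {
            [pscustomobject]@{ Atom = ('0x{0:X4}' -f $atom); Value = $buf.ToString(0, [int]$len) }
        }
    }
}

function Test-SuspiciousAtom {
    # Flags an atom whose text is mostly characters no legitimate name would
    # contain (control characters, unassigned or surrogate code units, etc.).
    param([string]$Value, [double]$MaxNonPrintableRatio = 0.3)
    if ($Value.Length -eq 0) { return $false }
    $nonPrintable = @($Value.ToCharArray() | Where-Object {
        -not ([char]::IsLetterOrDigit($_) -or [char]::IsPunctuation($_) -or
              [char]::IsSymbol($_) -or [char]::IsWhiteSpace($_))
    }).Count
    return (($nonPrintable / $Value.Length) -gt $MaxNonPrintableRatio)
}

$all = @(Get-GlobalAtomTable)
$flagged = @($all | Where-Object { Test-SuspiciousAtom -Value $_.Value })
'Enumerated {0} string atoms; {1} look like opaque binary data.' -f $all.Count, $flagged.Count
$flagged | Format-Table -AutoSize
```

The sweep is point-in-time and per window station: an attacker can delete the atoms once the target has read them, so treat a clean result as absence of evidence rather than proof of a clean system.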

Figure 1 - Atomic testing (screenshot not reproduced)
So how does Defendpoint’s proactive approach help with this exploit?

Using multiple layers of security means there are many ways this attack can be contained and stopped. The most obvious one rests on the assumption in the original research that “an attacker was able to persuade a user to run a malicious executable, evil.exe”. This is the very reason that application allow listing is recommended as the #1 defence against attacks: from ransomware to atom bombing, if the payload can’t run, the attack stops.

In fact, it is trivial for Defendpoint to stop the malicious .exe even with an out of the box allow list policy in place:

Figure 2 - Allow listing blast door (screenshot not reproduced)

For the sake of argument, let us assume that the payload somehow does run, perhaps encoded into a macro script or chained with another application vulnerability. In this case a successful attack can only exploit processes running in the same security context as the payload. If we use privilege management to ensure the user is not running as a local administrator, we prevent the payload from elevating or from accessing privileged processes.

Even with access only to user-mode processes, the attacker could use code injection into a trusted app such as Chrome to bypass application-level firewalls and give an external party access to user data. This is exactly why Defendpoint content isolation launches websites and email attachments in a secure sandbox. Because the Defendpoint sandbox runs under a separate, restricted user account, the exploit is unable to compromise processes that have access to the user’s data. This level of isolation provides strong protection against threats such as ransomware that target user data, as well as against Atom Bombing.

Figure 3 - Content isolation prevents exploitation of a user process, causing the exploit to error (screenshot not reproduced)

Although the Atom Bombing approach initially appears very novel, similar techniques have been used by malware families such as Carberp and Conficker for several years. More commonly we have seen NtQueueApcThread used to call LoadLibraryA to load a malicious DLL, or pointed at an infinite loop to hinder debugging. Again, by blocking payloads, limiting privilege and isolating content, these attacks can be prevented.

As we have seen time and time again, the key to preventing attacks both old and new is to focus on proactively protecting the endpoint rather than relying on detection alone. If you control privileges, control execution and isolate content, you establish a secure foundation to build on. Since Atom Bombing is designed primarily to bypass existing security controls, it shows how a proactive endpoint defence can underpin and protect the rest of your security stack.

James Maude
