![Building](https://res.aon.com/image/fetch/ar_16:9,c_fill,f_auto,g_auto,h_184,w_327/https://assets.aon.com//-/media/images/photos/places/city-dallas-buildings-1288537096.jpg)
Support
Aon's Stroz Friedberg Incident Response Services ("Stroz Friedberg") recently discovered a previously undocumented method used in the wild to bypass Endpoint Detection and Response ("EDR") products and eventually deploy ransomware. This method does not exploit any flaws in the EDR itself, but rather the inherent host-guest relationship of hypervisor servers and the virtual machines that they host. The technique involves mounting a virtual machine’s hard disk file on the host hypervisor server and deleting the EDR program files from the mounted volume. After the virtual machine is rebooted, the EDR is no longer present, leaving the virtual machine unprotected against malicious programs. This method is a simple yet effective way for threat actors to disable EDR from virtual machines hosted on a hypervisor.
In the incident observed by Stroz Friedberg, threat actors escalated privileges and moved laterally to access a Windows 2012 Hyper-V server. At the time of the incident, an EDR solution was installed both on the Hyper-V server and its guest virtual machines. Even though the threat actor had administrative access to the network, the EDR in place likely acted as an obstacle to executing the ransomware binary.
Hyper-V is a virtualization technology, debuted on Windows Server 2008, that allows users to create and manage virtual machines within the Windows operating system. The host machine, or hypervisor, can host one or more virtual machines of various operating systems. The guest machine’s data is stored in a virtual hard disk file (.vhd or .vhdx). This setup requires less physical hardware and reduces operational costs, making it popular in many corporate networks.
CyberCX previously documented1 an EDR bypass technique that involved abusing administrative access to a hypervisor to create a new virtual machine without EDR installed. Malware was then deployed from this new, clean virtual machine. In the incident observed by Stroz Friedberg, the threat actor faced the same obstacle of EDR on hypervisor guest systems but used a different technique to circumvent it.
After logging into the hypervisor with administrative access, the threat actor turned off one of the guest virtual machines and mounted the associated vhdx file, attaching the guest virtual machine’s operating system drive as the data drive (H:) on the hypervisor. Subsequently, the threat actor recursively deleted the H:\Program Files\{EDR TOOL} folder from the virtual disk. If a user attempted to delete that folder from within the virtual machine when it was powered on, the operation would have failed due to the protections offered by the EDR and the operating system. Since the virtual machine was off, and there was no running operating system or EDR protecting those EDR program files, the folder deletion operation was successful. After removing the files, the virtual machine was restarted and booted without any EDR program files, allowing the threat actor to regain the same network access as before, but now without any EDR protection to mitigate potential threats.
In this instance, the threat actor logged into this virtual machine and executed a ransomware executable from this host, targeting every other host on the network for remote encryption. This is an example of how just one host on a network without EDR can compromise other systems that do have EDR. To execute this type of ransomware, the threat actor needed a system with SMB access to the network where they could run their malicious code. The EDR on the target systems alerted that a ransom event was occurring but did not prevent the encryption from happening.
Although the incident described above occurred in a Hyper-V environment, the technique is not exclusive to Hyper-V or the Windows operating system. The primary requirement for this method is the ability to mount virtual disk files on a hypervisor, which can be accomplished through many ways across hypervisors.
Once a threat actor has administrative access to a hypervisor, protecting the hosted virtual machines becomes a challenge. It is critical to take preventative measures to restrict unauthorized access. Consider the following methods to harden access to the hypervisor in your environment:
For additional Hyper-V specific security recommendations, please refer to Microsoft's official guidance on hypervisor hardening and best practices.
Additionally, organizations can make efforts to detect this EDR bypass technique by alerting on or implementing an automated response when one of the following events is detected.
The fidelity of these indicators can vary depending on the baseline activity within an environment. Fine-tuning thresholds, excluding known maintenance periods, and aligning alerts with typical activity can help reduce false positives.
If you suspect you are compromised or need assistance in assessing compromise, please call our Incident Response hotline. If you are from a Law Enforcement Agency or Endpoint Detection and Response vendor and wish for more details, please contact Aon Cyber Solutions.
Support
About Cyber Solutions:
Aon’s Cyber Solutions offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents.
General Disclaimer
This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document. While care has been taken in the preparation of this material and some of the information contained within it has been obtained from sources that Stroz Friedberg believes to be reliable (including third-party sources), Stroz Friedberg does not warrant, represent, or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article and accepts no liability for any loss incurred in any way whatsoever by any person or organization who may rely upon it. It is for informational purposes only. You should consult with your own professional advisors or IT specialists before implementing any recommendation or following the guidance provided herein. Further, we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. Further, this article has been compiled using information available to us up to 11/11/2024.
Terms of Use
The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.
Our Better Being podcast series, hosted by Aon Chief Wellbeing Officer Rachel Fellowes, explores wellbeing strategies and resilience. This season we cover human sustainability, kindness in the workplace, how to measure wellbeing, managing grief and more.
Expert Views on Today's Risk Capital and Human Capital Issues
Expert Views on Today's Risk Capital and Human Capital Issues
Expert Views on Today's Risk Capital and Human Capital Issues
The construction industry is under pressure from interconnected risks and notable macroeconomic developments. Learn how your organization can benefit from construction insurance and risk management.
Stay in the loop on today's most pressing cyber security matters.
Our Cyber Resilience collection gives you access to Aon’s latest insights on the evolving landscape of cyber threats and risk mitigation measures. Reach out to our experts to discuss how to make the right decisions to strengthen your organization’s cyber resilience.
Our Employee Wellbeing collection gives you access to the latest insights from Aon's human capital team. You can also reach out to the team at any time for assistance with your employee wellbeing needs.
Explore Aon's latest environmental social and governance (ESG) insights.
Our Global Insurance Market Insights highlight insurance market trends across pricing, capacity, underwriting, limits, deductibles and coverages.
How do the top risks on business leaders’ minds differ by region and how can these risks be mitigated? Explore the regional results to learn more.
Our Human Capital Analytics collection gives you access to the latest insights from Aon's human capital team. Contact us to learn how Aon’s analytics capabilities helps organizations make better workforce decisions.
Explore our hand-picked insights for human resources professionals.
Our Workforce Collection provides access to the latest insights from Aon’s Human Capital team on topics ranging from health and benefits, retirement and talent practices. You can reach out to our team at any time to learn how we can help address emerging workforce challenges.
Our Mergers and Acquisitions (M&A) collection gives you access to the latest insights from Aon's thought leaders to help dealmakers make better decisions. Explore our latest insights and reach out to the team at any time for assistance with transaction challenges and opportunities.
How do businesses navigate their way through new forms of volatility and make decisions that protect and grow their organizations?
Our Parametric Insurance Collection provides ways your organization can benefit from this simple, straightforward and fast-paying risk transfer solution. Reach out to learn how we can help you make better decisions to manage your catastrophe exposures and near-term volatility.
Our Pay Transparency and Equity collection gives you access to the latest insights from Aon's human capital team on topics ranging from pay equity to diversity, equity and inclusion. Contact us to learn how we can help your organization address these issues.
Forecasters are predicting an extremely active 2024 Atlantic hurricane season. Take measures to build resilience to mitigate risk for hurricane-prone properties.
Our Technology Collection provides access to the latest insights from Aon's thought leaders on navigating the evolving risks and opportunities of technology. Reach out to the team to learn how we can help you use technology to make better decisions for the future.
Trade, technology, weather and workforce stability are the central forces in today’s risk landscape.
Our Trade Collection gives you access to the latest insights from Aon's thought leaders on navigating the evolving risks and opportunities for international business. Reach out to our team to understand how to make better decisions around macro trends and why they matter to businesses.
With a changing climate, organizations in all sectors will need to protect their people and physical assets, reduce their carbon footprint, and invest in new solutions to thrive. Our Weather Collection provides you with critical insights to be prepared.
Our Workforce Resilience collection gives you access to the latest insights from Aon's Human Capital team. You can reach out to the team at any time for questions about how we can assess gaps and help build a more resilience workforce.
Cyber Labs 3 mins
This client alert provides an overview of the current global IT outage that is related to a CrowdStrike update. We provide an overview of CrowdStrike's response and guidance, and Aon Cyber Solutions' recommendations for affected clients.
Cyber Labs 8 mins
Stroz Friedberg Digital Forensics and Incident Response has observed an uptick in SIM swapping across multiple industries, with several recent incidents targeting crypto and crypto-adjacent companies.