sophos intercept x
Products and Services PRODUCTS & SERVICES

Intercept X’s new secret weapon: Dynamic Shellcode Protection

Written by
March 09, 2021
Products & Services Gootloader Intercept X ransomware attacks SolarWinds Sophos Intercept X

To achieve true defense in depth, endpoint protection needs to be able to detect all types of attack tools and techniques, not just malware.

Attackers increasingly rely on non-malware, or fileless, attack techniques to gain remote access to victim networks.

These remote access agents have been notoriously hard to detect and block due to their configurability and their ability to hide from your defenses.

Dynamic Shellcode Protection is an exciting new addition to Sophos Intercept X, designed to prevent active adversaries from achieving one of their most sought-after goals: using remote access agents to gain “hands on keyboard” privileges.

Adversaries love remote access agents

Adversaries plant agents to give them remote access to a system so they can conduct more robust attacks. They are a favorite post-exploitation tool used in “living off the land” attacks, enabling the attacker to issue commands, scope a victim’s environment, or drop ransomware.

Remote access agents have recently been used in high profile attacks like SolarWinds and Gootloader. The adversary takes control of an already running process and controls it for their own use.

Using the analogy of a plane hijacking, while other steps in the attack chain give the attackers access to the cockpit, it’s the remote access agents that give them the ability to control the plane. To make the situation even more difficult, even after the attacker is ejected the shell they leave behind can still be used to remotely control the plane.

Dynamic Shellcode Protection in Intercept X

Dynamic Shellcode Protection is a system-level mitigation that detects the behavior of covert remote access agents and prevents attackers from gaining control of victim’s networks.

This game-changing feature is included and enabled in all Intercept X Advanced and Intercept X Advanced with EDR subscriptions for both endpoint and server. It protects against advanced, stealthy malware and memory-delivered post-exploitation agents. It doesn’t rely on signatures, machine learning, or the cloud; instead it focuses on suspicious behavior.

Suspicious behavior includes identifying processes that create a remote agent inside another process. This allows attackers to come in through one application and migrate to another application while maintaining a connection to their command and control systems. It also gives them the ability to hide their tracks and establish persistence on the device.

With Dynamic Shellcode Protection, Intercept X customers can take comfort in knowing they now have even stronger protection against remote access trojans, fileless malware, and ransomware attacks.

Learn more

For a technical deep dive into this attack technique and how Dynamic Shellcode Protection stops it, read Mark Loman’s excellent article.

To learn more about Intercept X and to start a no-obligation free trial, visit our website.

About the Author

Seth Geftic is a Director at Sophos focusing on endpoint security. Prior to joining Sophos he was a Director of Product Marketing at Invincea (acquired by Sophos in 2017). Seth was previously a Senior Manager in the Advanced Security Operations Center (SOC) Solution group and the cybercrime team at RSA. Seth is an industry expert in fields of endpoint security, breach detection, incident response, fraud, and cyber threats. Seth holds a BSBA in both Marketing and Finance from Washington University in St. Louis and is a CISSP.

Read Similar Articles

Leave a Reply

Your email address will not be published. Required fields are marked *