Bypassing Cisco’s Sourcefire AMP endpoint solution – Full demo & comparison with RSA NWE
This article demonstrates one of the key differences between next-generation antivirus (NGAV) endpoint protection and EDR solutions such as RSA NetWitness for Endpoints. It shows how Cisco’s endpoint protection solution, Sourcefire AMP, is easily bypassed by a buffer overflow followed by in-memory post-exploitation activity. The test was performed on a fully patched Windows 10 machine with MS Defender, MS Firewall, the Cisco AMP agent and the RSA NWE agent all installed and active.
The setup used for this test was the following (baseline state of the clean machine, as captured in the screenshots):
- Windows 10 client protection verification
- Vulnerable application installed and running
- Cisco Sourcefire AMP finds no issues on the clean machine
- AMP tracking information does not highlight any suspicious activity
- RSA NWE finds no suspicious activity on the clean machine