Tanium has gained much popularity in the past few years. Those jumping on the Tanium train need to beware. If your company uses Tanium, your data is at high risk, IMO. Their “peer chain” model, and the lack of encryption of that data, are insecure and should not be trusted.
This article is about Tanium: https://www.Tanium.com/products/
UPDATE: 09 May 2018. The DoD IG is opening an investigation into the acquisition of Tanium: https://media.defense.gov/2018/Apr/17/2001904705/-1/-1/1/D2018-D000CU-0125.000.PDF
UPDATE: 16 Jan 2018. I’ve received dozens of responses in the last four months about this article via email, phone calls, text, DM, and in person. Here’s a breakdown of those responses:
If you have made it an acceptable practice to believe vendor smoke-and-mirrors over evidence, then you might as well stop reading now. This article is only intended for readers that are willing to admit that many vendors fail us and for companies that are willing to invest time verifying vendor (and researcher) claims. For the nay-sayers, your company’s security is at stake. If you care about your stakeholders, you need to be open to the idea that not all vendors provide the level of security they claim to.
By the end of this article, I hope to bring to light the vulnerabilities associated with not only Tanium, but also all of the peer-to-peer (P2P) EDR architectures on the market: Accelerite Sentient, Fidelis Endpoint, etc. I also hope to inspire other security researchers who have Tanium installed, and Penetration Testers (pentesters) who may have access to an install through their clients, to run this product through the ringer. Don’t forgot to post your successes, screenshots, and exploit code!
To be upfront, I do not have access to a full Tanium install and have not found a free/modest priced solution to acquire it. I initially obtained all information through Tanium’s website. Additionally, I gained access to the client software and a list of customers – a little more than just “information”, but it is minimal, as you’ll see below.
Using information from their website, and logical reasoning, I will provide you with speculations, if you will, that you can test on your own. Because of this, there will be “challenges” to complete for those of you who currently have Tanium installed. Your mission will be to prove (or disprove) these speculations.
UPDATE: 16 Jan 2018. As seen in the above update, 40% of respondents have verified at least one of these speculations, 27% have verified all of them. If you are struggling to verify them on your own, please reach out to me.
This article, for consistency and an attempt at brevity, uses all windows examples. Linux and Mac would suffer the same exact flaws, though, and in many cases, would probably be even more trivial to pull off.
This article focuses solely on attack vectors against Tanium from the endpoint, unless otherwise noted.
The first Tanium feature that one must understand is that it distributes defined scripts (aka sensors) and their parameters to all endpoints, runs the script, and returns the results.
When a “question” (aka query) is run, they run against “sensors” (aka scripts) on the endpoints. “Sensor is a script that is executed on an endpoint” and returns the result. Some “sensors” are “parameterized sensors” and “accept a value specified at the time the question is asked”. Source: https://docs.Tanium.com/interact/interact/questions.html
Ask yourself, “How securely do they treat these scripts and parameters, and why does it matter?”
First, the why it matters. If an attacker can acquire a copy of these scripts, they would get a general idea of what your detection capabilities are. Example: You’re looking for certain processes with certain parameters, or maybe files with certain names or file content, various registry key entries and values, IPs, file hashes, etc. The level of detail would be dependent on how much you write into your sensor/script that is deployed.
For some scripts/sensors an attacker, should they gain access, may not know anything more than the fact you are looking for file hashes (for example). To know more, they would also need to see the parameters being used against the “parameterized sensors/scripts”. If an attacker gains access to those parameters as well, or maybe even instead of the script, they will know exactly what you are looking for: file hash == XYZ (for example).
File hashes is a lame example, as any advanced security team will not waste their time building their custom detection capabilities around traditional “IOCs” (IPs, hashes, domains/URLs, etc). But, that’s another topic! For more info on traditional IOCs vs TTP, read here: https://penconsultants.com/blog/traditional-iocs-suck/
On that note, see for yourself how Tanium is with modern detection capabilities. Google this: “site:tanium.com ttp”. Nothing. Do that for any other major EDR vendor, and you get hits.
Why does all of this matter? If an attacker knows what you are looking for (and what you are suppressing) they can avoid all detections! Read here for more info on that topic: https://penconsultants.com/home/crown-jewels-monitoring-vs-mitigating/.
Where are the scripts stored? Hmmmm, wonder what’s in this “sensors” folder…
What about the parameters? If you have access to Tanium, and an inquisitive mind, here’s one area you can do a little exploring.
Tools needed: including, but not limited to…
Consider what kind of data the endpoints are sending back up the chain in response to certain questions:
These are just a few of the built-in search capabilities in Tanium. There were many I saw on their site throughout the examples in the docs. Would you consider any of these examples to be sensitive data? Best case scenario, this data is a treasure trove of recon data for an attacker. How confident are you with your apps and users following best practices to minimize exposure of things like passwords and crypto keys in command history, logs, process lists, etc.? How many times are your vendors telling you to do things that dumb? Is Tanium demonstrating best practice for specifying the password for use in psexec on this page?
How often do you think users slip up and put their password in the username field of a prompt, or miss the hidden command line prompt and enter their password as a (invalid) command, etc? If your answer is not often, you have obviously never reviewed detailed log data from your environment.
As we saw above, “sensors” (aka scripts) run on endpoints with/without parameters. Obviously that doesn’t do a lot of good from a detection standpoint unless you see the results. Ask yourself: As a developer, what are the different ways one can capture output from a script that is run? The most secure way would be to capture stdout/stderr directly. Based on what we already know about this vendor, what methods(s) do you think they use?
Tools needed: including, but not limited to…
If you haven’t pulled Tanium out of your environment by this point, and/or taken an oath to never purchase a P2P based “security” product again, you must have some serious risks mitigation Kung Fu. Let’s take you up a rank.
Tanium states that their architecture is a peer chain model with up to 100 peers per chain (by default). The default scope for the peer chain is the endpoint’s class C address space, “clients within the boundary of the /24 subnet form a linear chain of 100 clients, and then another chain of 100 clients, and so on”. There is a lot more here, if interested: https://docs.Tanium.com/client/client/client_peering.html
The way the peer chain works: The server asks a “question” (aka query), and sends that to the handful (depending on the size of your network) of “peer leaders”. The peer chain leader forwards that question/query to its next hop peer in its peer chain. The second peer does likewise and so on until each peer receives the question. (https://docs.Tanium.com/client/client/overview.html)
This is a good thing, right?
But, why introduce the latency with the peer chains at all? TCP/IP latency and overhead are rather minimal compared to the volume of data, especially results, that are being sent around the chain. How does the peer chain model make things faster and give the “15 second” speeds?
“By decentralizing data collection, aggregation and distribution down to the endpoint…”. Oh, got it. Each peer dedupes data coming across the peer chain, which reduces the load on the sever by up to 100x.
Tools needed: including, but not limited to…
Let me ask you a question. What makes the best lie? One that has some truth embedded in it, right? IMO, there are a large percentage of vendors who lie to make a sale and keep a customer. There are certainly vendors who are, for the most part, honest at every level. In my many years of experience in the infoSec field, though, the liars far outweigh the honest vendors. Question everything a vendor tells you. The honest vendors will appreciate your questions and be more than happy to prove their statements.
Here’s a great example that Tanium customers should grill the vendor on. “512-bit Elliptic Curve Cryptography is used for queries and actions distributed across the network to prevent man-in-the-middle attacks or other malicious behavior initiated by compromised endpoints”. (Source – broken link as of 2022: https://info.Tanium.com/Platform_Architecture) Notice anything missing? What about the results of those queries? Will that be encrypted? I found no reference to this on their website.
Elliptic Curve Cryptography is a type of asymmetric (or public key) cryptography. For an endpoint to protect data confidentiality and ensure only the server will see that plaintext data, it must encrypt the data with the server’s public key (before sending). Then, and only then, can the endpoint ensure only the server will be able to decrypt with its private key. If that private key were held by anyone other than the server, they would be able to see the plaintext data.
As you should have discovered from the previous challenges, it would be impossible for peers to perform deduplication/aggregation with other peers if they were unable to see cleartext/plaintext data. A logical person should question whether or not the sensitive data from the entire network is being encrypted end-to-end or not. The answer is obvious: it’s not.
In the industry, this would be considered a vulnerability known as a failure to protect data confidentiality. See “Six Elements of Information Security” (circa 1998), “CIA triad” (circa 1988), or “Secure Computer Systems” (by LaPadula and Bell, 1976). Data confidentiality, through encryption, has been a well-respected industry standard for decades. For Tanium, they appear to have excluded encryption…intentionally!
Looking at it from a different angle, ask yourself, would you be okay logging into your bank account over an non-TLS protected connection? And, what about routing that unencrypted traffic through 100’s of your neighbors’ networks? Of course you wouldn’t! But, this is what Tanium is doing with the endpoint’s data which could, depending on your queries, contain the same type of sensitive information.
This one blows my mind. “Clients provide answers…using hashes”. “Example…a value of ‘192.168.1.1’…would instead pass back as…’389956048’” (https://kb.Tanium.com/Asking_Questions). So, instead of encrypting the results/data, they are hashing it?
The first thing to note is that the “hashing” algorithm appears to be something home grown, as opposed to an industry standard (md5, sha1, etc.). In fact, given that it’s a number (in the given example), one may speculate it’s a random number assigned to a unique string, or possibly a sequential number.
What can one speculate about the scope of the hash-2-string mappings if each endpoint is able to dedupe each other’s data?
If the hash-2-string mappings were easily found, does that give you any resemblances of data confidentiality?
Tools needed: including, but not limited to…
Don’t you hate it when your instructor spends multiple class periods teaching you things that are a bit manual. And then, just when you conquer the “manual way”, they show you “the easy way”. Enter logs…
Based on this page, https://docs.Tanium.com/client/client/troubleshooting.html#Windows_Registry, the log verbosity level is typically 0 or 1. By setting it to 91+, you “enable the most detailed log levels”.
According to https://docs.Tanium.com/client/client/troubleshooting.html#Logs, the logs will be named log0.txt, log1.txt, log2.txt, etc.
Tools needed: including, but not limited to…
How sure are you that normal workstations are not going to get mixed up in the same peer chain as something more sensitive, like a server?
Checkout some of these screenshots at the bottom and the subnet table…
Although a /24 seems to be a default subnet mask for peers determining peering partners, it could be even greater (or less) depending on the IP ranges and endpoint count in your environment. The best I can tell, it seems that they like to keep peer chains at about 100 peers.
Do you have things well segmented in your network to ensure sensitive/high value systems are not mixed with easily-popped workstations? Especially if you were required to increase your subnet mask because of performance reasons?
The subnet size is certainly something you can control, but it’s worth thinking about all of the ramifications of these autonomous peering architectures.
What if you could determine if the target had Tanium before you gained access and execution on an endpoint? According to https://docs.Tanium.com/platform_install/platform_install/reference_network_ports.html, TCP-17472 is the default port. This is for sure configurable, but again, who is going to do that? Additionally, not all Tanium clients will have an external facing server. But, if they have Tanium for their external endpoints, you can be fairly confident they’ll have Tanium on internal endpoints as well.
Do you want to see the names of hundreds of Tanium customers? I am releasing this recon code I created, which will scan the entire internet and display the list of Tanium’s customers that have external facing Tanium servers.
I’m not going to release the full list, but I found over 7,000 IPs running Tanium, with nearly 300 unique customers. Multiple federal/state/county government agencies, military installations, car dealerships, investment companies, an entertainment studio, colleges/universities, computer hardware and software companies, a cable news network, insurance companies, clothing stores, financial institutions, pharmaceutical companies, a steel plant, utility companies, a paint company, and even a fast food company.
This partial list I’m releasing has all government and military customers removed. It only shows the customers which have public references to their use of Tanium (press releases, job listings, linkedIn, etc) and has had the 2nd and 3rd octet of the IP masked.
|13.x.y.133||Amazon Corporate Services Pty Ltd|
|208.x.y.206||MCI Communications Services, Inc. d/b/a Verizon Business|
|70.x.y.254||MCI Communications Services, Inc. d/b/a Verizon Business|
|71.x.y.24||MCI Communications Services, Inc. d/b/a Verizon Business|
|71.x.y.151||MCI Communications Services, Inc. d/b/a Verizon Business|
|96.x.y.105||MCI Communications Services, Inc. d/b/a Verizon Business|
|162.x.y.220||Toyota Motor Sales, U.S.A., Inc.|
|144.x.y.203||Metropolitan Water District of California|
|130.x.y.96||Georgia Institute of Technology|
Although these customers chose to buy Tanium, made their server(s) publicly accessible on the default port, and put it in their own IP space/DMZ (which made attribution easy), at the end of the day, my goal is to make industry safer and more secure (even people and organizations that do ignorant things).
Let’s get back to the endpoint now. I didn’t see a way to change the default name of the Tanium executable. https://docs.Tanium.com/client/client/deploy_package_windows.html.
I assume this might be possible, but maybe not? Regardless, how many of their customers are going to change it, even if it were an option? This should make it trivial to determine if the target has Tanium running when you gain execution on a box.
There are also many default file names and registry keys that can be used during recon to determine if Tanium is present. If only we could obtain a copy of Tanium, install it, and fingerprint it…
Check out what Tanium has publicly downloadable with no NDA or EULA to click through – all of their client binaries for every OS they support.
Based on https://kb.Tanium.com/Table_replacement_for_the_pre_tag, install with…
SetupClient.exe /S /ServerAddress=[server IP] /17472 /KeyPath=c:\[path to file]\Tanium.pub
Specify the IP address of a known Tanium server or testing server. Based on https://docs.tanium.com/platform_user/platform_user/authoring_import_export.html the keyfile is 158 bytes. I played around with this a little bit to get it to install with a fake keyfile, but, based on some errors in the debug logs, I don’t think it “fully” installed. I’ll be playing with this more as time goes on.
Regardless, you now have a running TaniumClient.exe without NDA or EULA! It is very rare to get access to vendor files like this without purchasing first. I looked everywhere, but I couldn’t find any server side binaries. That would truly be a pentester’s dream come true.
The following sections include some of my anticipated reactions to these attack vectors.
Tanium is the “fastest growing startup”, already valued at 4 billion dollars, and they are in “12 of the top 15 banks”. Everyone is using them, so there’s no way it can be as bad as it seems, right? How can there be this many fundamental flaws in their architecture, yet they have so many believers and followers?
I spent hours trying to find negative information online about Tanium and P2P EDR solutions in general, but came up empty. I wish I knew what was going on. The evidence is pretty clear to me.
My conclusion is that other security researchers just haven’t focused their attention to this emerging market, specifically P2P EDR solutions, such as Tanium. Hopefully this will inspire others, much more knowledgeable than myself, to start poking around more.
As you should have seen in the challenges, there appears to be avenues to exploit some of the flaws with no admin access! Based on this article and my testing, it would appear that, by default, pretty much everything is “world readable”.
Because of this (according to their website) Tanium recommends implementing these mitigations to “protect from an attacker”: https://docs.tanium.com/client/client/client_content.html Wow! My interpretation of this is that Tanium feels security is optional.
Some may argue that properly configured permissions and strict access controls would mitigate these attack vectors in this article. The first question I have is why is this not default??? Why is this “client hardening” optional?
The next question I have is do you really think locking things down to local admin/system offers that much protection? Check out this article if you need to be convinced that it does NOT offer that much protection: https://penconsultants.com/home/restricting-to-local-admin-mitigation/.
Some may say, if you gain local admin on one endpoint, you can pop any endpoint. This is just false, in many cases. See this article for more information
Why would you need to compromise another endpoint when Tanium is installed? Statistically speaking, you’re going to have access to up to 50 other endpoints’ data wherever you land. The “aggregation” feature of Tanium has just as many benefits for an attacker!
You may ask yourself, “Won’t these attack vectors be mitigated soon making this article and the concern irrelevant?” The answer is no.
What would happen to Tanium’s data aggregation if all 100 endpoints in each peer chain started encrypting their “results” before sending it to the server? The answer: there would be a 100x theoretical increase of data hitting the server. Because of this, you would need to scale your servers (up to) 100x at a substantial cost, and/or query speed will suffer dramatically. This would require a complete architecture change.
How long does it take a typical vendor to add new basic features? Weeks, months, years? Never in some cases? How long do you think it would take a vendor to completely rearchitect and rewrite a software product this large from the ground up…assuming they even see a need to, which is highly unlikely. If you were a company valued at 4 billion dollars and racking in hundreds of millions per year, would you think anything was wrong with your model?
With that said, there is unlikely to be any fundamental architecture changes to Tanium for years to come (if ever). Any attempt to “minimize” the risks associated with the fundamental architecture flaws will simply be an arms race with the attacker.
Best case scenario, you’ll be too late. The attacker will be long gone with the goods.
Refer back to this article from above for more info: https://penconsultants.com/home/crown-jewels-monitoring-vs-mitigating/
It would not be ethical of me to only give ammunition to the offensive side, so I have to help defense answer the question, “What do we do to protect ourselves against Tanium?”
First, stop worshiping the vendor gods. They will surely lead you astray.
Next, find another EDR vendor that (1) does NOT pass any traffic through other peers and (2) has properly implemented endpoint-2-server encryption for anything passing over the wire and anything on disk. EVERYTHING else is secondary to those two requirements.
That is all. Nothing short of that is an intelligent solution to this problem, IMO. If you have another solution, ping me. I’ll include it and give you credit. Don’t be fooled to think this is the only vendor with “15 second response time”. There are many others, some are even faster. And, most of the others have proper end-2-end encryption and point-2-point communication paths.
I want to give a shout out to:
Featured images courtesy of: Tomasz_Mikolajczyk, congerdesign, and skeeze @ pixabay.com