Lessons learned from EDR Bypass threat hunting

An important lesson that I learned after making an EDR bypass hunt

Cristóbal Martínez
4 min read · Mar 24, 2024

A few months ago, I had to undertake a hunt about EDR bypass. This post includes some of the valuable lessons I learned as a Threat Hunter when I could finally delve into this type of attack, beyond the inherent fear that any defensive security technician usually feels when such a task is mentioned.

Before getting into the subject, some important details are needed, given that this is not the typical hunt where one can follow a standard process such as The Hunter’s Framework (THF for friends). We are talking about EDR bypass...

So, I was playing with one eye closed and hopping on one foot. Another day at the office for the average hunter.

Understanding EDR Bypass

With this panorama, I began to study the existing EDR bypass techniques, which led me to the first important question: what was I going to consider an EDR bypass? The question matters because the shadow of tampering is always there. This is my own definition:

Any type of attack that makes a threat or TTP in progress invisible to the EDR without blocking, terminating or tampering with the EDR itself, so that neither the tool nor its operator becomes aware of the lost visibility, or of the uselessness of the detection rules applied and the telemetry acquired.

Once the goal was clear, I continued my study. After compiling more than 60 references discussing possible EDR bypass techniques, I read them trying to distinguish the “possible attacks”, their implications, how to detect them, and even how to explain them to much more novice audiences, up to C-level.

Once the task was finished, I had identified 16 attacks that clearly fit my definition. Some others that I had doubts about I reserved for the day I have to explain that the next chapter of the end of the world is called EDR Tampering.

Lessons learned from EDR Bypass

Here are my thoughts and lessons learned about EDR Bypass:

  1. EDR Bypass is not one technique. It is many techniques, many of them hard to fit into ATT&CK, which greatly limits the defender’s ability to detect them, especially in SOCs and less mature hunting teams.
  2. Organizations have excessive confidence in their security tools. Any competent ethical hacker and many hunters know this, but it was especially painful to see how “easy” it could be to stay under the EDR radar for years or decades.
  3. The EDR has excellent capabilities to detect other kinds of attacks, but bypasses are not its strength. The situation is different if we talk about tampering.
  4. Even in the imaginary case where we had the best EDRs on the market, our situation would still be very worrying. Most of the attacks I identified were memory attacks, where AMSI and ETW have little to say, so we have to rely on traditional AV techniques such as injecting into processes and agent rules, which are nothing more than predefined patterns and do not come close to covering the wide attack surface that the concept of a memory attack implies.
  5. Windows, as always, collaborates with attackers by hindering defensive capacity with anti-kernel-access protections that only bother defenders (yes, PatchGuard is “hackable”). And don’t forget actions like callback evasion, and some other niceties, like my favourite: “it’s not a bug, it’s a feature”.
  6. There isn’t much more to bite on. The basic defensive pillar in enterprises is the EDR, and it is “easily” hackable. In mature environments there can be useful tools like IDS or NDR, but they are not usually usable by hunting teams, and many SOC teams cannot do much with a corporate IPS running McAfee or Trend Micro rules. YARA is a great option, as is MemoryRanger, but tell a bank to put that on their critical servers in case Lazarus shows up with its FudModule…
  7. EDR Bypass is not just an attack. It’s a style of hacking. Once the EDR is blind, and assuming that ETW goes with it, that team is blind and sold; there is no “after” until some non-reporting, or miraculously an IPS alert on the perimeter firewall, puts us on notice.

The hope of EDR Bypass Detection

So far I have laid out my eminently pessimistic conclusions from what I saw. However, there has to be some hope, and these are the recommendations I can offer:

  1. EDR bypass is not a starting point; an attacker arrives at it. The nuance is important because it means that until the defense evasion phase we have room for manoeuvre.
  2. Watch your drivers. Something that became clear to me after analyzing bypass and some tampering techniques is that drivers are the shortest and laziest way in, that is, the default path for any computer scientist.
  3. EDR bypass is as visible as a black hole. You can’t see it because it’s dark on a dark background, so you should always look for the light around it.
  4. EDR bypass is not a simple technique if we want to do it well. Of course, parts can be automated with SysWhispers, but that is precisely what makes them identifiable. A good hacker will use VEH, or will try to attack from a VM without AV; that is, they will use technique and/or ingenuity in their favour. This is the point at which to distinguish and prioritize what is possible from what is not.
  5. Whoever has YARA has a treasure. Even if it is not in memory, the ability to analyze files with static signatures, or to offer entropy values, is a differential value. Hopefully EDRs will start to make public the entropy and similarity values that some, like Defender and CrowdStrike, already calculate, to support data mining in cyber defense.
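Recommendations 2 and 3 above suggest a concrete hunt: look at driver loads (the lazy path) and, around them, for the light that a bypass cannot hide, such as a sensor that stops reporting right after a load. The Python below is an added example written for this post, not the author’s code nor any EDR vendor’s. It triages constructed records shaped like Sysmon Event ID 6 (DriverLoad) fields against an assumed hash baseline, the standard drivers directory and the signature fields, then correlates each load with a hypothetical per-host sensor heartbeat feed to find telemetry gaps. Host names, hashes, paths and the 15-minute silence threshold are all constructed or assumed.

```python
"""Hunt for the 'light around the black hole': suspicious driver loads that are
followed by a host's EDR telemetry going silent.

Example code added to this post, not the author's own. Records are constructed
samples shaped like Sysmon Event ID 6 (DriverLoad) fields plus a hypothetical
sensor heartbeat feed; the hash baseline, host names and the 15-minute silence
threshold are assumptions to be tuned per environment.
"""
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 6 style records. Hash values are placeholders.
DRIVER_LOADS = [
    {"host": "ws01", "time": "2024-03-01T09:00:00",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Hashes": "SHA256=PLACEHOLDER_BASELINE_HASH_1",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"host": "srv02", "time": "2024-03-01T10:12:00",
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\drv.sys",
     "Hashes": "SHA256=PLACEHOLDER_UNKNOWN_HASH_1",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"host": "srv03", "time": "2024-03-01T11:00:00",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\legacydrv.sys",
     "Hashes": "SHA256=PLACEHOLDER_UNKNOWN_HASH_2",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

# Assumed baseline: SHA256 values of drivers already seen on healthy hosts.
KNOWN_GOOD = {"PLACEHOLDER_BASELINE_HASH_1"}
STANDARD_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def _beats(host, start, end, every=timedelta(minutes=5)):
    """Constructed sensor heartbeat feed: one (host, datetime) every 5 minutes."""
    t, stop, out = datetime.fromisoformat(start), datetime.fromisoformat(end), []
    while t <= stop:
        out.append((host, t))
        t += every
    return out


# srv02's last heartbeat is at 10:10; nothing arrives after its 10:12 driver load.
HEARTBEATS = (_beats("ws01", "2024-03-01T09:00:00", "2024-03-01T12:00:00")
              + _beats("srv02", "2024-03-01T09:00:00", "2024-03-01T10:10:00")
              + _beats("srv03", "2024-03-01T09:00:00", "2024-03-01T12:00:00"))


def parse_hashes(field):
    """Sysmon writes 'SHA256=...,MD5=...'; return {algorithm: value}."""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)


def triage_driver_load(event, known_good):
    """Return the reasons a DriverLoad event deserves a look (empty if none)."""
    reasons = []
    if parse_hashes(event["Hashes"]).get("SHA256") not in known_good:
        reasons.append("hash not in baseline")
    if not event["ImageLoaded"].lower().startswith(STANDARD_DRIVER_DIR):
        reasons.append("loaded from outside the system drivers directory")
    if event["Signed"] != "true" or event["SignatureStatus"] != "Valid":
        reasons.append("unsigned or invalid signature")
    return reasons


def silence_after(host, load_time, heartbeats, window_end, threshold):
    """Return the time from which `host` stopped reporting for longer than
    `threshold` after `load_time`, or None if telemetry stayed continuous."""
    times = sorted(t for h, t in heartbeats if h == host)
    before = [t for t in times if t <= load_time]
    after = [t for t in times if t > load_time]
    # Start at the last heartbeat before the load so a sensor that died right
    # after loading is caught, and close with window_end to catch a trailing gap.
    points = ([before[-1]] if before else [load_time]) + after + [window_end]
    for prev, nxt in zip(points, points[1:]):
        if nxt - prev > threshold:
            return prev
    return None


def hunt(driver_loads, heartbeats, known_good, window_end,
         threshold=timedelta(minutes=15)):
    """Correlate driver loads with telemetry gaps and rank the findings."""
    window_end = datetime.fromisoformat(window_end)
    findings = []
    for ev in driver_loads:
        load_time = datetime.fromisoformat(ev["time"])
        reasons = triage_driver_load(ev, known_good)
        silent = silence_after(ev["host"], load_time, heartbeats, window_end, threshold)
        if not reasons and silent is None:
            continue
        priority = "high" if reasons and silent else ("medium" if reasons else "low")
        findings.append({"host": ev["host"], "driver": ev["ImageLoaded"],
                         "reasons": reasons, "priority": priority,
                         "silent_since": silent.isoformat() if silent else None})
    return findings


if __name__ == "__main__":
    for f in hunt(DRIVER_LOADS, HEARTBEATS, KNOWN_GOOD, "2024-03-01T12:00:00"):
        print(f["priority"].upper(), f["host"], f["driver"], f["reasons"], f["silent_since"])
```

Run as is and two hosts come out: srv02 at high priority (unknown hash, loaded from a user temp directory, and the host goes quiet afterwards) and srv03 at medium (unsigned and unknown, but still reporting). In a real environment the heartbeat feed is the EDR console’s own sensor status or a scheduled query against it, and the baseline is built from a period of known-clean driver loads; the point of the correlation is that the bypass itself produces no event, so the driver load before it and the silence after it are the light you can actually see.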

Attacks analyzed

Finally, if you’ve made it this far, I leave you a list of possible EDR bypass attacks, in case you’re interested in doing your own analysis of them:

  • NTDLL Unhook
  • Direct & indirect Syscalls
  • Callback evasion
  • Microsoft DLL Mitigation Policy
  • Entrypoint block
  • Vectored Exception Handling
  • Process Forking
  • Drivers on kernel land
  • Process Reimaging
  • Binary packing and obfuscation
  • API Hashing
  • Mini-filter attacks
  • Attacks coming from VM
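Recommendation 5 above asks for entropy values, and the “Binary packing and obfuscation” entry in this list is where they matter most: packed or encrypted payloads look like random bytes. The Python below is an added example written for this post, not the author’s code nor any vendor’s. It computes Shannon entropy over a whole blob and over a sliding window, so a hunter can spot a high-entropy region buried in an otherwise ordinary file and send the candidate on to YARA or memory analysis. The samples are constructed in memory, and the 7.0 bits-per-byte threshold and the window sizes are assumptions to tune.

```python
"""Entropy triage for packed or encrypted binaries.

Example code added to this post, not the author's own. It computes the Shannon
entropy that recommendation 5 asks EDRs to expose, over a whole blob and over a
sliding window. Samples are constructed in memory; the 7.0 bits-per-byte
threshold and the window sizes are assumptions to tune per environment.
"""
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data, window=512, step=256, threshold=7.0):
    """Return (offset, entropy) for every window whose entropy exceeds threshold.
    A window is used as well as the whole file because a small encrypted payload
    inside a large plain binary barely moves the total."""
    hits = []
    for off in range(0, max(len(data) - window, 0) + 1, step):
        e = shannon_entropy(data[off:off + window])
        if e > threshold:
            hits.append((off, round(e, 2)))
    return hits


def triage(data, threshold=7.0):
    """'likely packed/encrypted' when the whole blob is high entropy, 'mixed'
    when only some windows are, 'normal' otherwise."""
    if shannon_entropy(data) > threshold:
        return "likely packed/encrypted"
    if high_entropy_windows(data, threshold=threshold):
        return "mixed"
    return "normal"


# Constructed samples (not real files), seeded so results are reproducible.
_rng = random.Random(1337)
TEXT_LIKE = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 40   # ~4.3 bits
RANDOM_LIKE = bytes(_rng.randrange(256) for _ in range(4096))             # ~7.95 bits
MIXED = TEXT_LIKE + RANDOM_LIKE[:1024] + TEXT_LIKE                        # payload buried


if __name__ == "__main__":
    for name, blob in (("text-like", TEXT_LIKE), ("random-like", RANDOM_LIKE), ("mixed", MIXED)):
        print(f"{name:12s} total={shannon_entropy(blob):.2f} -> {triage(blob)}",
              high_entropy_windows(blob))
```

The whole-file figure alone would call the mixed sample normal; the windowed pass is what exposes the 1 KB high-entropy block sitting between two runs of ordinary text, which is the shape a packed or encrypted stage tends to have inside a legitimate-looking carrier. Compressed resources and certificates also score high, so treat the result as a triage signal to pair with YARA or signature checks rather than a verdict.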

Happy hunting!


Cristóbal Martínez

Creator of The Hunter's Framework, the best framework for Threat Hunting. Cyber Threat Hunter and cybersecurity technician and consultant.