How Attackers Bypass EDR and How to Defend Against Them

Paritosh
4 min read · Oct 6, 2024

Attackers continuously innovate to bypass security solutions, including Endpoint Detection and Response (EDR) systems. While EDR solutions have become more sophisticated in detecting and responding to threats, attackers have developed techniques to evade detection. Understanding these techniques is critical for both attackers and defenders, as it helps to fortify defences and anticipate adversarial strategies.

Common EDR Bypass Techniques:

1. Living Off the Land Binaries (LOLBins)

Attackers often use legitimate system tools that are trusted by the operating system to execute malicious actions. These tools, also known as LOLBins (e.g., `PowerShell`, `WMIC`, `CertUtil`), can be abused to avoid detection by EDR solutions. Since these tools are typically whitelisted by security solutions, attackers can hide their activity under the guise of regular system processes.

Defence Strategy: Monitor legitimate tools for behavioural anomalies. EDR solutions need to apply behavioural analytics to detect when trusted binaries are being misused.

2. Code Injection

Attackers inject malicious code into trusted processes (e.g., `explorer.exe` or `svchost.exe`) to mask their activities. This makes it challenging for EDR to differentiate between normal system activity and malicious actions.
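As an added example (not code from the article), here is a toy detector for the two techniques above, LOLBin misuse and code injection into trusted processes, run over constructed Sysmon-like records; the field names, rule patterns and sample events are all assumptions made for this demo:

```python
# Added example (not from the article): toy behavioural rules over Sysmon-like
# process-create (EventID 1) and CreateRemoteThread (EventID 8) records.
# Field names and all sample events below are constructed for this demo.
import re

# Trusted binaries named on the page, with command-line patterns that are
# anomalous for ordinary administrative use of that binary (assumed rules).
LOLBIN_RULES = {
    "certutil.exe": [r"-urlcache", r"-decode"],
    "powershell.exe": [r"-enc(odedcommand)?\b", r"-w\s+hidden"],
    "wmic.exe": [r"process\s+call\s+create", r"/node:"],
}
# Parents from which launching a LOLBin is rarely legitimate.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
# Processes the page names as favoured injection targets.
INJECTION_TARGETS = {"explorer.exe", "svchost.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_process_create(ev):
    """Reasons an EventID 1 record looks like LOLBin misuse (empty = benign)."""
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    cmd = ev["command_line"].lower()
    reasons = [f"{image}: matches /{p}/" for p in LOLBIN_RULES.get(image, [])
               if re.search(p, cmd)]
    if image in LOLBIN_RULES and parent in SUSPICIOUS_PARENTS:
        reasons.append(f"{image} spawned by {parent}")
    return reasons

def check_remote_thread(ev):
    """Reasons an EventID 8 record looks like cross-process injection."""
    src, dst = basename(ev["source_image"]), basename(ev["target_image"])
    if dst in INJECTION_TARGETS and src != dst:
        return [f"remote thread from {src} into {dst}"]
    return []

def triage(events):
    """Dispatch each record to the rule for its event type; return alerts."""
    handlers = {1: check_process_create, 8: check_remote_thread}
    return [(ev["event_id"], r) for ev in events
            for r in handlers.get(ev["event_id"], lambda e: [])(ev)]

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "command_line": "powershell.exe -nop -w hidden -enc AAAA"},
    {"event_id": 8, "source_image": r"C:\Users\u\AppData\Local\Temp\upd.exe",
     "target_image": r"C:\Windows\explorer.exe"},
]
```

Real telemetry needs the same rules tuned against a baseline of what administrators on that estate actually run, otherwise the parent-process and command-line checks will be noisy.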

Written by Paritosh

CISSP | Sharing what I am learning to get it in a single place. | Linkedin -> https://www.linkedin.com/in/paritosh-bhatt/