Three Techniques for Bypassing EDR

Aleksa Zatezalo
Offensive Security Library
3 min read · Nov 27, 2022
Image source: https://appadvice.com/app/dodge-agent/1542256628

Endpoint Detection and Response (EDR) systems are a collection of tools for live monitoring of endpoints that provide data analysis, threat detection and blocking, and threat hunting capabilities. Due to the increase in security incidents, many Computer Emergency Response Teams (CERTs) have added EDR systems alongside their SIEMs as part of their tool kits. EDR systems can make penetration tests and red team exercises difficult when standard offensive security tools are used. However, as with all internet technologies, these tools have weaknesses which allow attackers to bypass their protections. In the following blog post, we will discuss three common methods and techniques for bypassing these systems and conducting successful red team exercises: AMSI bypass, unhooking, and reflective DLL loading.

AMSI bypass

The Anti-Malware Scan Interface (AMSI) is a Microsoft framework that gives third-party anti-malware solutions visibility into Microsoft components and applications such as PowerShell and various script engines. EDR solutions use the AMSI framework to scan files, memory, and streams for malicious payloads. Bypassing AMSI involves finding the specific triggers implemented by the EDR system that raise a flag in the network's SIEM. Because the scans run by AMSI are signature based, the malicious software must be altered by changing select function names, encoding strings and decoding them at runtime, or by obfuscating the code. A series of techniques and tricks for bypassing AMSI is well documented in S3cur3Th1sSh1t's GitHub repo, which describes over 17 techniques and is worth a look.

Unhooking

Before we explain unhooking we must understand hooking. Most EDR solutions rely on application programming interfaces (APIs) to observe instructions executed at the system level. Generally, EDR solutions place "hooks" in ntdll.dll, the user-mode gateway to system calls, to watch for suspicious memory-related calls. Unhooking refers to a family of techniques hackers use to load a fresh, unhooked copy of ntdll.dll after the Windows loader has already mapped the EDR-hooked version during process launch. At this point the API the EDR uses to monitor memory is rendered useless and hackers can fly under the radar. Tools such as Minesweeper can be used to accomplish this via the CLI.
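From the defender's side, the footprint of the technique just described is a second load of ntdll.dll into a process that already mapped it at start-up. The following is an added detection example, not code from the original post; it assumes image-load telemetry in the style of Sysmon Event ID 7 that records every image load (including the initial ntdll.dll mapping), and the event records below are constructed sample data.

```python
from collections import defaultdict

# Constructed sample records (not real telemetry). Each dict mimics the
# fields of a Sysmon Event ID 7 (ImageLoad) entry: process id, process
# image, and the image that was loaded into that process.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\ntdll.dll"},
    {"pid": 4120, "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"pid": 5532, "image": r"C:\Users\alice\Downloads\update.exe",
     "loaded": r"C:\Windows\System32\ntdll.dll"},
    {"pid": 5532, "image": r"C:\Users\alice\Downloads\update.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    # Second ntdll.dll load into pid 5532: the fresh-copy pattern.
    {"pid": 5532, "image": r"C:\Users\alice\Downloads\update.exe",
     "loaded": r"C:\Windows\System32\ntdll.dll"},
]


def is_ntdll(path):
    """True if the loaded-image path names ntdll.dll (case-insensitive,
    either path separator)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name == "ntdll.dll"


def find_repeated_ntdll_loads(events):
    """Return {pid: process image} for every process that loaded ntdll.dll
    more than once.

    The loader maps ntdll.dll exactly once when a process starts, so a later
    ImageLoad of ntdll.dll in the same process is a strong lead for the
    unhooking technique described above. Treat hits as leads for triage, not
    verdicts: the mapping can also be produced by some legitimate tooling.
    """
    counts = defaultdict(int)
    images = {}
    for ev in events:
        if is_ntdll(ev["loaded"]):
            counts[ev["pid"]] += 1
            images[ev["pid"]] = ev["image"]
    return {pid: images[pid] for pid, n in counts.items() if n > 1}


if __name__ == "__main__":
    for pid, image in find_repeated_ntdll_loads(SAMPLE_EVENTS).items():
        print(f"ntdll.dll loaded more than once in pid {pid} ({image})")
```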

Reflective DLL Loading

This technique is a form of code injection in which attackers load a DLL into an existing process directly from memory rather than from disk. EDRs generally monitor DLL loads at the disk level, so this is another way to operate under an EDR's radar. Reflective DLL Loading (also known as Reflective Code Injection) is similar to process injection, except that it loads code into the process' own memory instead of into a separate process. Many C implementations exist to facilitate this and can easily attach DLL libraries to given tasks.
