
Endpoint Detection Evasion

links: MAI TOC - Guest Lectures - Index


Understanding Endpoint Detection and Response (EDR):

  • Modern EDRs use both static and dynamic detection mechanisms, and the two are usually integrated with each other.
  • Instrumentation methods include user mode hooks, kernel mode instrumentation, and hypervisor instrumentation.
  • On-access scanning and emulation are integral parts of EDR operation: files are scanned when they are opened, read, written, or executed.

EDR Components and Techniques:

  • Anti-Malware Scan Interface (AMSI): Cooperative static scanning through callbacks; popular applications such as MS Office, .NET, and PowerShell submit content to AMSI for scanning.
  • User Mode Hooking: Visibility into system API calls using various methods such as inline hooks, breakpoints, and hypervisor-backed hooks.
  • Kernel Callbacks: Includes process, thread, image load notifications, and registry operation callbacks.
  • NDIS and Minifilter Drivers: Implement network functionality and filesystem on-access scanning, respectively.
  • Syscall Hooks: Methods to hook system calls, often bypassed by techniques like hypervisor-backed hooks.

EDR Evasion Techniques:

  • Passive Evasion:
    • Encoding strings and code, dynamic decoding and encryption (sleep masking).
    • Exploiting emulation logic flaws and modifying detected code.
  • Active Evasion:
    • Direct attacks on EDR components, for example by abusing vulnerable drivers or scan exclusions.
    • Attacks against AMSI, such as hooking or corrupting runtime state.

Advanced Evasion Techniques:

  • PowerShell AMSI Unhooking: Forcing error states to disable AMSI callbacks.
  • Signature Evasion: Breaking up injection logic, signing malware with stolen certificates, DLL sideloading, and using system calls to avoid detection.
  • System Call Instrumentation: Direct and indirect system calls, often using frameworks like SysWhispers.

Active Evasion Methods:

  • Removing or modifying instrumentation code.
  • Removing user mode hooks using tools like ScareCrow and PEzor.
  • Stack tampering with ROP techniques to simulate different call stacks.
  • Attacking ETW subsystems and silencing Sysmon by hooking EtwEventWrite.
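As an added illustration of the defender's side of the hook removal described above (this is example code, not material from the lecture): an EDR that placed an inline hook can periodically compare the live bytes at each instrumented entry against both what it wrote and the clean on-disk image, which distinguishes an intact hook from one that was restored from disk (unhooked) or overwritten by something else. All function names and byte values below are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROLOGUE_LEN 8   /* bytes compared at each function entry */
enum hook_state { HOOK_INTACT = 0, HOOK_REMOVED = 1, HOOK_TAMPERED = 2 };

/* The EDR knows what it wrote at the entry (hooked) and what the clean on-disk
 * image holds (clean). Comparing the live bytes against both tells it whether
 * its hook survives, was restored from disk, or was overwritten. */
enum hook_state check_hook(const uint8_t *live, const uint8_t *hooked,
                           const uint8_t *clean, size_t len)
{
    if (memcmp(live, hooked, len) == 0)
        return HOOK_INTACT;
    if (memcmp(live, clean, len) == 0)
        return HOOK_REMOVED;   /* original prologue back in place: unhooking */
    return HOOK_TAMPERED;      /* matches neither copy: patched by someone else */
}

struct monitored { const char *name; const uint8_t *live, *hooked, *clean; };
/* Check every monitored entry, print a verdict per entry and return how many
 * are no longer intact (the count a defender would alert on). */
size_t scan_hooks(const struct monitored *tbl, size_t n)
{
    static const char *label[] = { "intact", "REMOVED", "TAMPERED" };
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        enum hook_state s = check_hook(tbl[i].live, tbl[i].hooked,
                                       tbl[i].clean, PROLOGUE_LEN);
        printf("%-6s %s\n", tbl[i].name, label[s]);
        if (s != HOOK_INTACT) bad++;
    }
    return bad;
}

/* Constructed sample bytes (assumptions, not real memory contents): clean prologue,
 * the EDR's 5-byte near jmp (E9 rel32) over it, and a jmp to a different target. */
static const uint8_t clean_stub[PROLOGUE_LEN]   = {0x48,0x89,0x5C,0x24,0x08,0x57,0x48,0x83};
static const uint8_t hooked_stub[PROLOGUE_LEN]  = {0xE9,0x10,0x20,0x30,0x40,0x57,0x48,0x83};
static const uint8_t foreign_stub[PROLOGUE_LEN] = {0xE9,0xAA,0xBB,0xCC,0xDD,0x57,0x48,0x83};

int main(void)
{
    const struct monitored tbl[] = {
        { "FuncA", hooked_stub,  hooked_stub, clean_stub },  /* hook still present */
        { "FuncB", clean_stub,   hooked_stub, clean_stub },  /* restored from disk */
        { "FuncC", foreign_stub, hooked_stub, clean_stub },  /* redirected elsewhere */
    };
    return scan_hooks(tbl, 3) ? 1 : 0;   /* nonzero exit if anything changed */
}
```

A real implementation would read the clean bytes from the mapped on-disk image rather than from a constant, and would run the check on a timer and on suspicious events rather than once.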
