High level summary

EDR solutions do an impressive amount of work across a gigantic, complex attack surface (the Windows, Linux and Mac operating systems). Deployed at their maximum efficacy, they will deter even the most stoic adversary.

In this very high-level study of EDRs we look at how attackers have adapted to and overcome EDR defences over time in the Windows realm, and how EDR vendors have retaliated. The game of chess continues, but for how long?

'The Sicilian Defence':

[Diagram: 'EDR brains' - Steve E]

My (not totally accurate) diagram above shows the 'EDR brains' analogy.

EDR technology deploys two 'brains' (credit to 'The Man with Two Brains'):

Brain 1 is file-on-disk analysis (think of classic AV, but with robust heuristics).

Brain 2 is process, memory and thread analysis (real-time in-memory scanning).

Windows world

EDR Brain 1 predominantly uses AMSI (the Antimalware Scan Interface), which most EDRs (obviously MS Defender!) now consume into their own products. Some EDR vendors also bring their own AMSI and don't use the Windows-native version.

EDR Brain 2 uses a combination of:

A = Userland hooks. Think of the EDR as a man in the middle, jumping into an executable's process as it loads itself into memory.

B = Kernel Event Tracing for Windows Threat Intelligence (ETW-TI). Think of the Windows engine management system sending messages about everything it performs to an event stream, which is then consumed by the EDR (where ETW mini filters send only security-context events, to reduce noise).

Great! So, two brains, we've got it covered now, right? Game over!

Over the last 5-7 or so years, EDR Brain 1 has gotten smarter: it can handle scripting-language analysis such as PowerShell, VB and, more recently, .NET (up to the version 4.8 CLR) extremely effectively. It can be evaded, though, by encrypting or encoding file data to obfuscate code from AMSI (Brain 1), and a file gets a clear pass if it is digitally signed by Microsoft (or a trusted vendor), which is forgeable. The most common method now, however, is to bypass AMSI altogether using either a software or a hardware breakpoint, where the malware 'patches' AMSI.dll to say 'I'm clean, clear off'. AMSI bypasses are in the public domain and easy to deploy.

I purposely omit the cloud sandbox element of EDR from the diagram. This is where executables can be sent for further analysis offline. There are evasion techniques here too, but there is plenty of information out there on sandbox analysis, as it has been around a long time.

OK, but memory protection is our big kill switch now, right?

More malware now injects directly into memory (there are many techniques; we won't go there now), and EDRs got control of this using API hooking (see Brain 2 above). Attackers found ways to bypass hooking completely, using direct or indirect system calls, or by 'patching' the EDR hooks out from within their own malware executable. Hooking bypass and unhooking are rife in the public domain.
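Both the AMSI patching described above and the unhooking described here leave the same trace: code bytes in the process no longer match the image on disk. The following is an added example, not code from the article, of the integrity check a defender can run against that trace: it maps a function's address back to its file offset through the PE section table and diffs the live bytes against the file. `amsi.dll` and its export `AmsiScanBuffer` are real Windows names; the minimal PE builder, the sample bytes and the helper names (`diff_bytes`, `rva_to_file_offset`, `live_vs_disk`, `make_sample_pe`) are constructed for this example. The live read needs Windows; everything else runs anywhere.

```python
# Integrity check for in-memory code patches: compare the prologue of an exported
# function as it sits in this process with the same bytes from the image on disk.
# Generic parts run anywhere; the live read needs Windows (ctypes, guarded below).
import struct
import sys
from typing import List, Tuple


def diff_bytes(in_memory: bytes, on_disk: bytes) -> List[Tuple[int, int, int]]:
    """Offsets where the live copy differs from the file copy: (offset, mem, disk)."""
    return [(i, m, d) for i, (m, d) in enumerate(zip(in_memory, on_disk)) if m != d]


def rva_to_file_offset(pe: bytes, rva: int) -> int:
    """Map an RVA to a file offset via the PE section table (minimal parser)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT header signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]      # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]         # FileHeader.SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                  # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        hdr = table + i * 40
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} not in any section")


def live_vs_disk(dll: str = "amsi.dll", func: str = "AmsiScanBuffer", n: int = 32):
    """Windows only: read n prologue bytes of dll!func from this process and from its file."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.LoadLibraryW.restype = wintypes.HMODULE
    k32.LoadLibraryW.argtypes = [wintypes.LPCWSTR]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [wintypes.HMODULE, ctypes.c_char_p]
    k32.GetModuleFileNameW.argtypes = [wintypes.HMODULE, wintypes.LPWSTR, wintypes.DWORD]
    base = k32.LoadLibraryW(dll)                 # HMODULE is the image base address
    if not base:
        raise OSError(ctypes.get_last_error())
    addr = k32.GetProcAddress(base, func.encode())
    if not addr:
        raise OSError(ctypes.get_last_error())
    mem = ctypes.string_at(addr, n)              # bytes as they are in this process
    path = ctypes.create_unicode_buffer(260)
    k32.GetModuleFileNameW(base, path, 260)      # the file this module was mapped from
    with open(path.value, "rb") as f:
        image = f.read()
    off = rva_to_file_offset(image, addr - base)
    return mem, image[off:off + n]


def make_sample_pe() -> bytes:
    """Constructed minimal PE32+ image: one .text section, RVA 0x1000 -> file offset 0x400."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)              # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x80 + 6, 1)             # one section
    struct.pack_into("<H", img, 0x80 + 20, 0xF0)         # SizeOfOptionalHeader (PE32+)
    sec = 0x80 + 24 + 0xF0
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x100, 0x1000, 0x200, 0x400)
    img[0x400:0x410] = bytes(range(0x10, 0x20))          # stand-in prologue bytes
    return bytes(img)


if __name__ == "__main__":
    if sys.platform == "win32":
        mem, disk = live_vs_disk()
    else:
        image = make_sample_pe()
        off = rva_to_file_offset(image, 0x1000)
        disk = image[off:off + 16]
        mem = b"\xff" + disk[1:]                         # constructed: first byte altered in memory
    delta = diff_bytes(mem, disk)
    print("patched" if delta else "clean", delta)
```

Run it from a process where the EDR is expected to have its hooks in place, and a clean result means neither the EDR's hook nor an unhooking has touched that prologue; an EDR that hooks `AmsiScanBuffer` itself will legitimately show a difference, so baseline the expected delta per product. Loader relocations can also produce benign byte differences in absolute operands, so a production version should consult the `.reloc` table before raising an alert.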

There is a caveat to direct/indirect system calls: they also require 'call stack spoofing', so that the syscall appears to originate from a DLL backed on disk (a requirement of EDR call-stack walking). We won't go into that here, but most C2 frameworks can do it on the fly.

ETW-TI saves the bacon: you can't patch the kernel! Checkmate!

Many EDR vendors switched strategies, moving away from hooking in userland to kernel monitoring via ETW-TI (MS Defender is no hooker!). The Windows kernel is sacred, and Microsoft stopped kernel patching by vendors years ago. However, the excellent research presented by binarly.io at Black Hat proved otherwise: ETW-TI (at the time of the research) had around 36 evasive techniques to get around it. ETW-TI patching is now rife in the public domain.

Summary

  1. EDR evasion is getting harder, but the offense game is upping the ante in 2023/4
  2. EDRs are pivoting back to kernel monitoring (via ETW-TI) as userland is losing ground to API unhooking/bypass malware
  3. Beware vulnerable driver exploitation! (kernel-land evasion)
  4. These techniques are not novel, but some are getting more attention from malware R&D and profiting from it
  5. Detectable, with more focus on advanced hunting than total reliance on EDR to take decisions
  6. Being armed with the right data is critical for threat hunters to piece the jigsaw together. Turn up the telemetry volume! (the needles, not the haystack)
  7. Reflective DLL loading is defeating almost all EDRs out there today (PE Reflection: The King is Dead, Long Live the King | Brute Ratel C4), combined with direct/indirect syscalls, stack spoofing and PE memory evasion techniques (sleep masking, IAT obfuscation, API hashing etc.)
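Points 5 to 7, and the earlier remark that EDR call-stack walking expects frames backed by a DLL on disk, come down to one hunting question: does a thread's start address, or any return address in its stack, fall outside every image-backed module? The following is an added example, not code from the article, of that check run over constructed thread-creation telemetry. The module map, the events and the helper names (`Module`, `ThreadEvent`, `backing_module`, `hunt_unbacked`) are all constructed for this example; the paths are only illustrative.

```python
# Hunting check over thread-creation telemetry: flag start addresses and stack frames
# that are not backed by an image mapped from disk. All data below is constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    path: str          # on-disk image this region was mapped from
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class ThreadEvent:
    pid: int
    tid: int
    start_address: int
    stack: Tuple[int, ...]   # return addresses captured at thread creation, innermost first


def backing_module(addr: int, modules: Iterable[Module]) -> Optional[Module]:
    """Return the loaded image whose mapped range covers addr, or None if unbacked."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def hunt_unbacked(events: Iterable[ThreadEvent], modules: Iterable[Module]) -> List[Dict]:
    """One finding per thread whose start or any stack frame lies in unbacked memory."""
    modules = list(modules)
    findings = []
    for ev in events:
        reasons = []
        if backing_module(ev.start_address, modules) is None:
            reasons.append(f"start address {ev.start_address:#x} not backed by an on-disk image")
        unbacked = [a for a in ev.stack if backing_module(a, modules) is None]
        if unbacked:
            reasons.append("unbacked stack frames: " + ", ".join(f"{a:#x}" for a in unbacked))
        if reasons:
            findings.append({"pid": ev.pid, "tid": ev.tid, "reasons": reasons})
    return findings


# Constructed module map for one process (not a real capture).
SAMPLE_MODULES = [
    Module(r"C:\Windows\System32\ntdll.dll", 0x7FFA_1000_0000, 0x1F0000),
    Module(r"C:\Windows\System32\kernel32.dll", 0x7FFA_0F00_0000, 0xB0000),
    Module(r"C:\Program Files\App\app.exe", 0x7FF6_0000_0000, 0x40000),
]

# Constructed thread-creation events for that process.
SAMPLE_EVENTS = [
    ThreadEvent(4120, 4136, 0x7FF6_0001_2340, (0x7FFA_0F01_1234, 0x7FFA_1002_5678)),  # benign
    ThreadEvent(4120, 4150, 0x0000_0201_ABC0, (0x7FFA_1002_5678,)),                    # starts in private memory
    ThreadEvent(4120, 4160, 0x7FFA_1001_0000, (0x0000_0203_0010, 0x7FFA_0F01_1234)),  # unbacked frame mid-stack
]


if __name__ == "__main__":
    for f in hunt_unbacked(SAMPLE_EVENTS, SAMPLE_MODULES):
        print(f"pid {f['pid']} tid {f['tid']}:", "; ".join(f["reasons"]))
```

The same lookup applies to any address the telemetry hands you (thread start, stack frame, APC routine). Expect benign hits from JIT compilers such as the .NET CLR and from some packers, so tune by process image and by what the unbacked region is (executable and private is the combination worth the analyst's time), rather than alerting on every hit.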


What does this mean for EDR/XDR consumers?

Be pragmatic. It's cat and mouse as always (or chess!); don't rely on technology alone. Focus on what matters, not on building an impenetrable fortress. There are always trade-offs; there is no silver bullet.

What mitigation strategies can we deploy?

A threat-informed defence via purple teaming is transforming SOC efficacy and ROI.

What else?

  • Fastidiously exercise your incident response, recovery and backup playbooks (always assume breach)
  • Deploy Breach and Attack Simulation (BAS) solutions to mature SOC detection and response, identifying known knowns and emerging knowns (controls hardening; sweat those investments!)
  • Use evasive red team engagements to find the unknown unknowns (reality check)
  • Focus on agile remediation (what?). Deploying YARA rules to CrowdStrike or Sigma rules to a SIEM three months after an exploit is found is not going to cut it in today's world. Attackers are agile, so we need to be too. BAS auto-remediation is coming, but be ready for it: embed agile remediation processes into detection engineering once you have established a purple team and BAS program.

The hacking industry has become very fertile ground for up-and-coming malware developers, who are finding sophisticated ways to bypass one of the most critical enterprise security controls (EDR). There is good money in it, it brings kudos, and the lines are blurring between ethically developed and adversary-developed malware tools (ethical tools cracked and repurposed by bad guys).

Being more threat-informed is the best defence!
