The Illusion of Bypassing EDRs: A Closer Look


In recent times, there have been numerous posts and proof-of-concept (PoC) demonstrations that claim to have bypassed various Endpoint Detection and Response (EDR) solutions. However, these so-called "bypasses" often only achieve a call back to the Command and Control (C2) server and fail to deliver on the promise of a full EDR bypass. The true test of bypassing an EDR is maintaining stealth and undetected activity post-initial access, particularly during more invasive actions such as accessing LSASS for credential dumping. This write-up aims to debunk the myth of these partial bypasses and emphasize the reality of EDR capabilities.

The Setup: Demonstrating the Reality

To demonstrate the limitations of these supposed EDR bypasses, I will perform the following steps:

  1. Create a .bin file with Havoc: Havoc is a modern, open-source red team command and control framework.
  2. Utilize ScareCrow to create a .cpl file: ScareCrow is a tool designed to generate EDR and AV evasion payloads.
  3. Move the .cpl file to a machine protected by CrowdStrike: CrowdStrike is a leading EDR solution.
  4. Execute the .cpl file to establish a call back to Havoc C2: This step will showcase the initial access success.
  5. Attempt to dump hashes using nanodump: Nanodump is a tool for dumping LSASS process memory.
  6. Observe and report the detections and alerts triggered by CrowdStrike: This will highlight the detection capabilities of a robust EDR during post-exploitation activities.


Creating the Shellcode:

The shellcode is now created and saved as demon.bin.


Creating the CPL (control panel item)

Use ScareCrow with the following command to generate the .cpl file:

./ScareCrow -I /home/kali/Toys/Havoc/Malicious/demon.x64.bin -domain


Downloading the .cpl file to the victim

Note that no effort was made to obfuscate the download of the file.


Executing the file yields the call back:

And here is where some PoCs end, because the EDR is already "bypassed"... but let's see what happens when we run nanodump_ppl to get the hashes.

Running Nanodump

nanodump_ppl_dump --write C:\temp\nd.txt

At this point the demon stopped responding: sending commands returns nothing, so the connection was effectively terminated.

... CrowdStrike shows that the process was killed.


Testing against Defender gives exactly the same result:


The connection to the C2 is terminated. So was the EDR really bypassed?
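To make concrete what the EDR is reacting to in the step above, here is a small detection pass over process-access telemetry. This is an added example, not code from the article, Havoc, ScareCrow, nanodump, CrowdStrike or Defender. It assumes Sysmon Event ID 10 (ProcessAccess) records flattened into a constructed "key=value|key=value" layout, constructed sample events (the paths, the `sensor.exe` allow-list entry and the `.cpl` path are all made up for illustration), and an allow-list that a real deployment would tune per environment. The rule flags any non-allow-listed source image that opens lsass.exe with memory-read or memory-write rights, which is the generic shape of the credential-dumping behaviour that got the demon killed.

```python
"""Toy LSASS-access detector over constructed Sysmon Event ID 10 records.

Added example, not part of the original article or any of the tools it names.
Record layout, sample paths and the allow-list are assumptions for this demo.
"""
from typing import Dict, List, Tuple

# Constructed sample records (not a real capture). Real Sysmon output is
# XML/EVTX; the pipe-delimited key=value layout here is an assumption.
SAMPLE_EVENTS: List[str] = [
    # Benign: limited-information query of lsass.exe, no memory read rights
    "EventID=10|SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1000",
    # Suspicious: a control-panel host process opens lsass.exe with full access
    "EventID=10|SourceImage=C:\\Windows\\System32\\control.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1FFFFF",
    # Suspicious: PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION on lsass.exe
    "EventID=10|SourceImage=C:\\Windows\\System32\\rundll32.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1010",
    # Allow-listed: a (hypothetical) security sensor that legitimately reads lsass.exe
    "EventID=10|SourceImage=C:\\Program Files\\EDR\\sensor.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1FFFFF",
    # Not lsass.exe at all
    "EventID=10|SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\explorer.exe|GrantedAccess=0x1FFFFF",
    # Different event type (process creation); ignored by this rule
    "EventID=1|Image=C:\\Windows\\System32\\control.exe|CommandLine=control.exe C:\\Users\\Public\\sample.cpl",
]

# Windows process access rights that allow reading or changing another
# process's memory; any of these against lsass.exe is worth an alert.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
MEMORY_ACCESS_MASK = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# Assumed allow-list of images that legitimately open lsass.exe with memory
# access (AV/EDR sensors, some system services). Lower-cased full paths.
ALLOWED_SOURCES = {
    "c:\\program files\\edr\\sensor.exe",  # hypothetical sensor path
}


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed 'key=value|key=value' record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def granted_access(ev: Dict[str, str]) -> int:
    """Parse the hex GrantedAccess mask; a malformed value is treated as 0."""
    try:
        return int(ev.get("GrantedAccess", "0x0"), 16)
    except ValueError:
        return 0


def is_suspicious_lsass_access(ev: Dict[str, str]) -> bool:
    """True when a non-allow-listed process opens lsass.exe with memory rights."""
    if ev.get("EventID") != "10":
        return False
    target = ev.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    source = ev.get("SourceImage", "").lower()
    if source in ALLOWED_SOURCES:
        return False
    return bool(granted_access(ev) & MEMORY_ACCESS_MASK)


def detect(lines: List[str]) -> List[Tuple[str, int]]:
    """Return (SourceImage, GrantedAccess) for every record the rule flags."""
    hits: List[Tuple[str, int]] = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_lsass_access(ev):
            hits.append((ev["SourceImage"], granted_access(ev)))
    return hits


if __name__ == "__main__":
    for source, access in detect(SAMPLE_EVENTS):
        print(f"ALERT: {source} opened lsass.exe with GrantedAccess=0x{access:X}")
```

Run against the constructed sample, the rule flags the control.exe and rundll32.exe records and stays quiet on the limited-information query, the allow-listed sensor and the non-LSASS target. A production EDR layers far more on top of this (kernel callbacks, PPL enforcement, process lineage, behavioural scoring), which is exactly why a call back alone says nothing about whether the later LSASS access will survive.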


Conclusion

This demonstration underscores a critical point: while initial access and call backs to a C2 server might seem like an EDR bypass, the true capabilities of EDRs are revealed during post-exploitation activities. Tools and techniques that boast EDR bypasses must be scrutinized for their ability to remain undetected during more invasive and higher-risk operations.

EDRs are designed to detect and respond to a broad spectrum of malicious activities, not just the initial foothold. Credential dumping, lateral movement, and data exfiltration are some of the key actions that robust EDRs are adept at detecting and blocking. The real measure of an EDR bypass is its ability to maintain stealth through all phases of the attack lifecycle, not just the initial access.

As security professionals, it is vital to recognize these distinctions and not be misled by partial bypass demonstrations.
