When EDRs Miss the Mark.
Enrique A.
CRTP | PNPT | ARTA | Security Engineer with 9 + years of experience in network penetration testing, AD testing, Linux Server Testing and web application security testing.
Endpoint Detection and Response (EDR) solutions play a crucial role in modern cybersecurity by providing continuous monitoring and response to advanced threats. These tools are designed to detect, investigate, and mitigate malicious activities on endpoints. However, despite their effectiveness, EDR systems are not infallible. Various scenarios can lead to missed detections, allowing malware to evade defenses. This article explores real-world examples where EDRs fail to identify malicious activities due to factors such as authenticated access, whitelisting issues and misconfigurations. Understanding these gaps is essential for enhancing overall security posture.
Authenticated Access
Explanation: One common method attackers use to evade EDR solutions is by leveraging stolen authentic credentials. When an attacker gains access to legitimate credentials, they can move within the network as a trusted user, performing actions that might not raise any alarms.
Consider a scenario where an attacker uses phishing or another method to acquire valid login credentials. With these credentials, the attacker can log in and execute malicious activities, such as deploying malware, without triggering EDR alerts. The EDR sees these actions as legitimate user activity, not distinguishing between the real user and the attacker.
In such cases, EDR systems struggle to differentiate between normal and malicious behavior when the activity originates from a legitimate account. This highlights the importance of complementing EDR solutions with other security measures like multi-factor authentication (MFA), user behavior analytics, and regular review of login activities to detect anomalies that could indicate compromised credentials.
Whitelisting and Blacklisting issues
Whitelisting
Attackers can exploit whitelisted administrative tools to perform malicious activities. For instance, ntdsutil, is a command-line utility provided by Microsoft that allows for the management of Active Directory databases. It's included with Windows Server operating systems.
Mitigating this requires strict monitoring and control over administrative tool usage, along with behavioral analysis to detect unusual patterns in tool execution. Regular audits and updates to whitelists can also help prevent such exploitation.
Example:
Extracting NTDS.dit and SYSTEM with NTDSUTIL
Now a bad actor would be able to dump the hashes for all users in that domain.
Blacklisting
Let's say that your EDR has several hashes for blacklisting a malicious executable (Like a list of IOC hashes for example)
领英推荐
All the bad actor needs to do is obfuscate the program a little bit or use another technique to run the PE And the EDR will not detect the file as malicious. Also a bad actor could load an obfuscated AMSI bypass script and then load a script in memory .. evading the EDR:
example:
S1 will be able to detect PowerView (PowerView is a PowerShell tool used for network and Active Directory enumeration) when loading it directly on the disk:
But what happens when you run an AMSI bypass and then load PowerView from memory?:
Inclusions and Exclusions (EDR Misconfigurations)
EDR systems rely on a set of inclusion and exclusion rules to determine what should be monitored and what can be ignored. Misconfigurations in these rules can create blind spots, allowing malware to evade detection. For example, if certain directories or processes are excluded from scanning, malware can exploit these gaps to operate undetected.
To mitigate these risks, it is crucial to regularly review and update EDR configurations. Ensuring comprehensive coverage and avoiding overly broad exclusions can help minimize the chances of malware evasion due to misconfigurations.
Example:
Conclusions
While Endpoint Detection and Response (EDR) solutions are essential for identifying and mitigating threats, they are not infallible. Attackers can exploit vulnerabilities, such as authenticated access, whitelisting and blacklisting issues, and misconfigured settings, to evade detection. Moreover, sophisticated evasion techniques exist, highlighting the need for a layered security approach.
To augment security beyond EDR, organizations can leverage additional tools like Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platforms, which provide extended visibility and automated responses. Furthermore, implementing advanced security measures, such as PowerShell script block logging and Sysmon for enhanced system monitoring, can significantly improve detection capabilities. Regular security audits, configuration updates, and comprehensive network monitoring are crucial for maintaining a strong security posture and protecting organizational assets from threats.