This is the second blog in a two-part series that highlights EDR and how attackers try to bypass these controls and evade detection. In Part 1 of this series, we examined the most common methodologies for endpoint defense – anti-virus scanning, Endpoint Detection and Response (EDR), and eXtended Detection and Response (XDR). In this post, we will talk about the common methods used by threat actors to overcome these defensive operations in pursuit of their goals.
Obfuscation
The primary method of bypassing endpoint defenses is making sure your code and binaries aren’t recognized immediately as malware in the first place. Since even more traditional static analysis anti-virus tools also perform heuristic examination these days, this also means that code blocks within files and binaries must also not be recognizable, or they may be flagged as known malicious code. Threat actors accomplish this goal in many different ways, but they each will generally fall into a few specific categories.
Recompiling: By making small changes to the code that is written, then running that “new” code through a compiler (which converts files written in a programming language into executable code), a threat actor can make their files appear to be dissimilar to known malware files. Generally, this can be accomplished by either adding additional non-executing code into an existing malware file or by re-compiling the original file in another programming language.
Common examples include inserting comments (which don’t actually execute anything) or re-compiling a malware file originally written in C++ as a component file in a C# binary. The goal is to create a new file that – when run through the mathematical hashing operation – produces a totally different hash from the original file. This technique would only bypass static analysis because once the file actually begins executing it must still perform malicious actions that dynamic analysis would detect.
Encoding/Encrypting: By altering the code of a malware file itself to be unreadable except under specific circumstances, static analysis would not be able to identify what that file would do if it were opened or executed. Common examples include encrypting the code that will run until it is decrypted at the time of execution or scrambling the commands to be executed in an arbitrary order and re-arranging them during execution into valid command sets. As with recompiling, this technique is most useful in bypassing static analysis. This technique also challenges heuristic analysis as the code blocks themselves would not indicate malicious intent until they are decrypted or un-scrambled at runtime.
Malicious Action Avoidance/Living Off the Land
The best threat activity happens in plain sight, and this method of bypassing defenses takes advantage of the fact that some actions are expected to occur within a given Operating System. As an example, malware that does not attempt to gain higher privileges and sticks to using native components of the Operating System itself (often referred to as “Living Off the Land” or LOL) would be able to execute without raising the suspicions of dynamic analysis until the moment they attempt to do something overtly malicious like encrypt large amounts of data. While a good EDR would block the malware once it recognized what was going on, the malware itself may have already caused damage by the time that detection was made and action was taken.
It is important to realize that, while the most common situations where this type of attack would succeed involve exploiting weaknesses in an application or Operating System, such vulnerabilities are not always required for an LOL attack to execute. Normal operations within a Windows, Linux, or MacOS device can still be bent toward malicious goals if the threat actor were to gain authorized credentials and access. Because of this, LOL-type attacks have become a common method of avoiding detection by EDR solutions until the attacks are ready to perform overtly malicious actions, and sometimes provide evasion entirely.
Bypassing EDR Detection Methodologies
Finally, EDR solutions themselves are only as effective as their ability to visualize what a file or binary is attempting to do. If the EDR could be “blinded” in one or more ways, then a malware file could execute without interference from the defensive solutions. It should be noted that modern EDR solutions go to great lengths to avoid this type of evasion, and most utilize multiple methods of visualizing executions specifically to reduce the potential for evasion to succeed. Bypassing can be performed by a wide variety of techniques, but much as was seen with obfuscation earlier, they will generally fall into one of two categories.
Unhooked Processes: When operating in user space – the area of Operating Systems where applications are typically run and where user interaction takes place – any process not explicitly excluded from examination by an EDR will be “hooked.” Hooking is the term used to describe how an EDR will visualize executions that occur by monitoring the processes that run those executions. For example, in Windows, when an application runs it will do so as an instance of the ntdll process. By hooking each instance of ntdll that is spawned, the EDR can monitor all executions that occur to determine if they indicate malicious intent. The actual process is significantly more complex, but this is how the EDR can monitor all user-level executions at a high level.
If a threat actor can cause an instance of ntdll to be spawned that is not hooked by the EDR – or if they can remove the hooks after the instance is spawned – then actions taken by that malware would be rendered invisible to the EDR itself. There are many different methods used to either spawn unhooked processes or to unhook processes already in existence, including the BlindSide technique discovered by the Cymulate Threat Research Group.
Kernel-Level Operation: In addition to the user-level operations that most of us are familiar with from using Windows, MacOS, and Linux, there is another layer of operation that is by design invisible to the user. This higher level of operation is referred to as kernel-level and is reserved for the use of key components of an operating system and a limited number of extremely high-priority operations.
Because kernel-level operations can load before the EDR platform itself starts up, Operating System vendors go to extraordinary lengths to ensure that only highly trusted operations can ever exist in the kernel level, mostly related to the functions of the Operating System itself. Through the use of vulnerabilities or by compromising the boot process of a machine, it is possible to launch malware that operates at the kernel level, rendering it invisible to most EDR tools. Examples of this type of malware would include attacks that alter the Basic Input/Output System (BIOS) of a computer or that inject their code into core operating system processes but do not run that code until the system reboots, so that they can run at kernel-level.
While devastating, such attacks are extraordinarily difficult to actually pull off. The kernel itself is well protected, with the Operating System either notifying on any change to kernel-level code or just outright rejecting any attempt to inject code. Because of these native protections, kernel-level attacks typically require physical access to a device with credentials providing administrative access at the highest levels.
Summary
Bypassing EDR protections is not an easy process. Typically, multiple methodologies would need to be brought to bear to ensure that the malware files are successfully written to disk and executed, as a single mistake in either area would lead to discovery and quarantine/destruction of the malware itself. However, with the right techniques and the right access, threat actors can bypass the defenses of even the most advanced EDR platforms. Layered security at multiple levels of operations (email, networking, firewalls/proxies, endpoint, etc.) are necessary to overcome the ability of threat actors to bypass endpoint defenses and are still a required part of cybersecurity resilience.
To learn how you can validate the effectiveness of your controls, request a demo of the Cymulate platform.
