EDR Blindness, pt II

As a follow-on to my earlier blog post, I’ve seen a few more posts and comments regarding EDR ‘bypass’ and blinding/avoiding EDR tools, and to be honest, my earlier post stands. However, I wanted to add some additional thoughts…for example, when considering EDR, consider the technology, product, and service in light of not just the threat landscape, but also the other telemetry you have available. 

This uberAgent article was very interesting, in particular the following statement:

“DLL sideloading attack is the most successful attack as most EDRs fail to detect, let alone block it.”

The simple fact is, EDR wasn’t designed to detect DLL side loading, so this is tantamount to saying, “hey, I just purchased this brand new car, and it doesn’t fly, nor does it drive underwater…”. 

Joe Stocker mentions on Twitter that the Windows Defender executable file, MpCmdRun.exe, can be used for malicious DLL side loading. He’s absolutely right. I’ve seen EXEs from other AV tools…Kaspersky, McAfee, Symantec…used for DLL side loading during targeted threat actor attacks. This is nothing new…this tactic has been used going back over a decade or more.

When it comes to process telemetry, most EDR starts by collecting information about the process creation, and many will get information about the DLLs or “modules” that are loaded. Many will also collect telemetry about network connections and Registry keys/values accessed during the lifetime of the process, but that’s going a bit far afield and off topic for us.

There are a number of ways to detect issues with the executable file image being launched. For example, we can take a hash of the EXE on disk and compare it to known good and known bad lists. We can check to see if the file is signed. We can check to see if the EXE contains file version information, and if so, compare the image file name to the embedded original file name. 

Further, many EDR frameworks allow us to check the prevalence of executables within the environment; how often has this EXE been seen in the environment? Is this the first time the EXE has been seen?
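The checks in the two paragraphs above, applied to process-creation and module-load telemetry, as an added example (not code from the original post): it compares the image hash against known-good/known-bad lists, checks signing, compares the on-disk name to the embedded OriginalFilename, checks prevalence, and additionally flags a system-named DLL resolved from outside the system directories. The events, hash values, list contents and the scan.exe/version.dll names are all constructed for illustration.

```python
import ntpath  # Windows path handling regardless of the analysis host OS

KNOWN_BAD = {"1111" * 16}   # constructed placeholder SHA-256 values
KNOWN_GOOD = {"aaaa" * 16}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Constructed inventory; in practice build it from the host's system directories.
SYSTEM_DLL_NAMES = {"kernel32.dll", "version.dll", "dbghelp.dll"}

def check_image(ev, prevalence):
    """Image checks: hash lists, signature, OriginalFilename vs on-disk name, prevalence."""
    findings = []
    h = ev["sha256"].lower()
    if h in KNOWN_BAD:
        findings.append("hash is on the known-bad list")
    elif h not in KNOWN_GOOD:
        findings.append("hash is not on the known-good list")
    if not ev["signed"]:
        findings.append("image is not signed")
    disk_name = ntpath.basename(ev["image"]).lower()
    orig = (ev.get("original_filename") or "").lower()
    if orig and orig != disk_name:
        findings.append(f"on-disk name {disk_name} != embedded OriginalFilename {orig}")
    if prevalence.get(h, 0) == 0:
        findings.append("first time this hash has been seen in the environment")
    return findings

def check_modules(ev):
    """Module checks: a system DLL name loaded from outside the system directories."""
    findings = []
    exe_dir = ntpath.dirname(ev["image"]).lower()
    for mod in ev.get("modules", []):
        path = mod["path"].lower()
        name, mod_dir = ntpath.basename(path), ntpath.dirname(path)
        if name in SYSTEM_DLL_NAMES and mod_dir not in SYSTEM_DIRS:
            where = "EXE directory" if mod_dir == exe_dir else mod_dir
            signed = "signed" if mod.get("signed") else "unsigned"
            findings.append(f"{name} loaded from {where} ({signed})")
    return findings

# Constructed telemetry: a renamed, signed vendor EXE in a user-writable directory
# loading a system-named DLL from that same directory.
SAMPLE_EVENT = {
    "image": r"C:\Users\Public\scan.exe", "sha256": "aaaa" * 16, "signed": True,
    "original_filename": "MpCmdRun.exe",
    "modules": [{"path": r"C:\Windows\System32\kernel32.dll", "signed": True},
                {"path": r"C:\Users\Public\version.dll", "signed": False}],
}
SAMPLE_PREVALENCE = {"aaaa" * 16: 5}   # prior sightings per hash (constructed)

if __name__ == "__main__":
    for f in check_image(SAMPLE_EVENT, SAMPLE_PREVALENCE) + check_modules(SAMPLE_EVENT):
        print("finding:", f)
```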

However, something we cannot do, because it’s too ‘expensive’, is to maint

[…]

This article has been indexed from Windows Incident Response
