This article has been indexed from Windows Incident Response
During my time in the industry, I’ve been blessed to have opportunities to engage with a number of different EDR tools/frameworks at different levels. Mike Tanji offered me a look at Carbon Black before carbonblack.com existed, while it still used an on-prem database. I spent a very good deal of time working directly with Secureworks Red Cloak, and I’ve seen CrowdStrike Falcon and Digital Guardian’s framework up close. I’ve seen the birth and growth of Sysmon, as well as MS’s “internal” Process Tracking (which requires an additional Registry modification to record full command lines). I’ve also seen Nuix Adaptive Security up close (including seeing it used specifically for threat hunting), which rounds out my exposure. So, I haven’t seen all tools by any stretch of the imagination, but more than one or two.
Vadim Khrykov shared a fascinating tweet thread regarding “EDR bypasses”. In the thread, Vadim lists three types of bypasses:
1. Technical capabilities bypass – focusing on telemetry EDR doesn’t collect
2. EDR configuration bypass – EDR config being “aggressive” and impacting system performance
3. EDR detection logic bypass – EDR collects the telemetry but there is no specific detection to alert on the technique used
Vadim’s thread got me to thinking about bypasses I’ve seen or experienced over the years….
1. Go GUI
Most EDR tools are really good about collecting information about new processes that are created, which makes them very valuable when the threat actor has only command line access to the system, or opts to use the command line. However, a significant blind spot for EDR tools is when GUI tools are used, because in order to access the needed functionality, the threat actor makes selections and pushes buttons, which are not registered by the EDR tools. This is a blind spot, in particular, for EDR tools that cannot ‘see’ API calls.
As such, this does not just apply to GUI tools; EXE and DLL files can either run external commands (which are picked up by EDR tools), or access the same functionality via API calls (which are not picked up by EDR tools).
This has the overall effect of targeting analysts who may not be looking to artifact constellations. That is to say that analysts should be validating tool impacts; if an action occurred, what are the impacts of that action on the eco-system (
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: EDR Bypasses