Professional Documents
Culture Documents
2
Nice to meet you :)
3
We run a small EDR test lab
4
Agenda
Effective techniques to
circumvent them
5
EDRs conduct three types of analyses to detect endpoint detection and abuse
Antivirus tools are based on static and dynamic analysis + EDRs add behavioral analysis – our focus today
6
A. Static Analysis – your good ol’ antivirus engine
[1]
Checking for exact values can also be augmented by heuristics that are applied on the collected data 7
B. Dynamic Analysis – controlled detonation in a sandbox
Dynamic analysis evasion tries to detect the sandbox and
stop the malware before being detected
Check
Dynamic analysis observes malware in sandbox Sandbox environments usually run with a
number of
limited number of processors
processors
User downloads file
Check
Malware Sandbox environments usually do not have
clickme.exe memory
much RAM memory available
size
Execute file in Compare against Do nothing if legit Check Check if the malware name changed when
virtual machine database of known filename bring copied into the sandbox
(“sandbox”) and malicious values[1] Delete file if
observe behavior malicious Call non- Some WinAPIs are not emulated by most
EDR or virtualized sandboxes. For example, the return value
Network Connections
Antivirus APIs of VirtualAllocExNuma() will be NULL
as Logo Horizontal Registry Changes Database with
Pos / Neg Indicators of For targeted attacks, the malware can
Memory access Check user/
Compromise check whether the targeted user account
File Creation domain
(IOCs) or domain name exists in the sandbox
[1]
Checking for exact values can also be augmented by heuristics that are applied on the collected data 8
C. Behavioral Analysis – playing with fire
Behavioral analysis closely monitors malware while it is executing on the actual computer
Malware starts, checks for Decrypts payload and writes Launches payload as a new
Malware allocates memory
sandbox, exits if found to memory thread
access OS
features ntdll.dll NtAllocateVirtualMemory NtWriteVirtualMemory NtCreateThread
[1]
Different EDRs might apply different hooking methods and also choose other DLLs or functions to hook 9
Agenda
Effective techniques to
circumvent them
10
Evasion techniques can render EDRs ineffective – We discuss three options i Details on next slides
We are finding out EDR effectiveness by testing different versions of our encrypted malware loader
1. Apply base evasion to all samples 2. Experiment with different Behavioral Analysis Evasion techniques
Evade Static Evade Dynamic No evasion attempt Malware does not try to evade behavioral
Analysis Analysis / Sandbox (just WinAPI calls) analysis and directly calls Windows APIs
11
Evasion technique 11 – Unhook EDR by overwriting ntdll.dll with a clean version
Malware Normal
kernel32 VirtualAlloc
ntdll.dll
with NtAllocateVirtualMemory
hooks
as Logo Horizontal
EDR
Pos / Neg EDR
catches
syscall
Kernel
NtAllocateVirtualMemory
12
Evasion technique 1.1 – Unhook EDR by overwriting ntdll.dll with a clean version
Malware Normal “Unhooking” the EDR
§ EDR hooks into NTDLL to analyze § Obtain original ntdll.dll without EDR
and correlate the data hooks (e.g. read from disk)
§ Common API calls go through NTDLL § Overwrite ntdll.dll in own process
memory with original one
Different methods exists to
kernel32 VirtualAlloc kernel32 VirtualAlloc obtain a “clean” ntdll.dll
1 Read ntdll.dll from disk
as Logo Horizontal
EDR
Pos / Neg EDR EDR
catches sees nothing
syscall
Kernel
NtAllocateVirtualMemory NtAllocateVirtualMemory
13
Evasion technique 1.1 – Unhook EDR by overwriting ntdll.dll with a clean version
Malware Normal “Unhooking” the EDR
§ EDR hooks into NTDLL to analyze § Obtain original ntdll.dll without EDR
and correlate the data hooks (e.g. read from disc)
§ Common API calls go through NTDLL § Overwrite ntdll.dll in own process
memory with original one
Different methods exists to
kernel32 VirtualAlloc kernel32 VirtualAlloc obtain a “clean” ntdll.dll
Kernel
NtAllocateVirtualMemory NtAllocateVirtualMemory
14
Evasion technique 22 – Avoid EDR hooks by directly calling kernel system calls
Malware Normal Direct
Direct Syscalls
syscalls SSN (System Service Number)
§ Implement own syscall in assembly § It identifies which syscall
§ EDR hooks into NTDLL to analyze
and correlate the data § Call syscall directly executes
§ Common API calls go through NTDLL and bypass NTDLL hooks § The syscall number varies
between Windows
versions
§ It can be obtained
dynamically –
conveniently automated
VirtualAlloc Import by SysWhispers2
kernel32 NtAllocateVirtualMemory
assembly
§ Can trigger static analysis
ntdll.dll NtAllocateVirtualMemory ntdll.dll NtAllocateVirtualMemory since the syscall assembly
instruction might be
flagged
as Logo Horizontal
Pos / Neg
Kernel
NtAllocateVirtualMemory NtAllocateVirtualMemory
15
Evasion technique 22 – Avoid EDR hooks by directly calling kernel system calls
Malware Normal Direct
Direct Syscalls
syscalls SSN (System Service Number)
§ Implement own syscall in assembly § It identifies which syscall
§ EDR hooks into NTDLL to analyze
and correlate the data § Call syscall directly executes
§ Common API calls go through NTDLL and bypass NTDLL hooks § The syscall number varies
between Windows
versions
§ It can be obtained
dynamically
Might not work:
§VirtualAlloc Import
Having syscall assembly instructions compiled into an executable
kernel32 NtAllocateVirtualMemory § Can trigger static analysis
assembly
is unusual and can be flagged as suspicious / malicious since the syscall assembly
§ Heads up: Only the loader instruction might be
ntdll.dll NtAllocateVirtualMemory ntdll.dllevades the EDR. You need to be
NtAllocateVirtualMemory
careful since the C2 malware might still use the hooked functions flagged
as Logo Horizontal
Pos / Neg
Kernel
NtAllocateVirtualMemory NtAllocateVirtualMemory
16
Evasion technique 33 – Further increase stealth through indirect system calling
Malware Normal Direct
Direct Syscalls
syscalls Indirect syscalls
Syscalls
§ EDR hooks into NTDLL to analyze § Implement own syscall in assembly § Prepare syscall in assembly
and correlate the data § Call syscall directly (as with direct syscalls)
§ Common API calls go through NTDLL and bypass NTDLL hooks
as Logo Horizontal
Pos / Neg
Kernel
NtAllocateVirtualMemory NtAllocateVirtualMemory NtAllocateVirtualMemory
17
One more thing: You can boost any of the evasion techniques by hiding inside a .dll
.exe .dll
§ Is designed to run § The Windows
independently implementation of “shared
§ Has its own memory space libraries”
§ Allows EDR to tightly § Need a host process loading
observe execution of them and shares memory
suspicious files, for example space with the host process
Internet downloads § Harder to follow suspicious
downloads
as Logo Horizontal
Pos / Neg
18
The 3 simple injection techniques work surprisingly well against common EDR systems Detected
Undetected
Step 1: System Infection. We tested three different evasion techniques (and two base cases) against three leading EDR
solutions, and one antivirus solution. All experiments were run in August 2022.
Cobalt Strike and
Sliver are popular C&C
EDR1 EDR2 EDR3 AV tools to control
Cobalt Sliver Cobalt Sliver Cobalt Sliver Cobalt Sliver infected computers
No behavioral analysis or .exe
Base case. A malware
sandbox evasion .dll that does not try to
.exe evade behavioral
Only sandbox evasion analysis
.dll
.exe
11 Unhooking EDR evasion
.dll techniques.
.exe Three approaches to
22 Direct syscalls circumvent EDR
.dll
as Logo Horizontal behavioral analysis (as
Pos / Neg .exe explained on previous
33 Indirect syscalls slides)
.dll
Take aways.
§ EDRs are more likely to trigger based on well-known abuse tools like Cobalt Strike, suggesting some level of fingerprinting
§ Malware hiding in .dll’s is less likely to get detected by EDRs
§ EDRs differ in their effectiveness, however some evasion techniques successfully circumvent most (all?) of them
§ Our experiments so far only use well-known techniques. Better evasion is possible should it become necessary
19
The 3 simple injection techniques work surprisingly well against common EDR systems Detected
Undetected
Step 1: System Infection. We tested three different evasion techniques (and two base cases) against three leading EDR
solutions, and one antivirus solution. All experiments were run in August 2022.
Cobalt Strike and
Sliver are popular C&C
EDR1 EDR2 EDR3 AV tools to control
Cobalt Sliver Cobalt Sliver Cobalt Sliver Cobalt Sliver infected computers
No behavioral analysis or .exe
Base case. A malware
sandbox evasion .dll that does not try to
.exe Hiding inside a evade behavioral
Only sandbox evasion analysis
.dll .dll really helps
.exe
11 Unhooking EDR evasion
.dll techniques.
.exe Three approaches to
22 Direct syscalls circumvent EDR
.dll
as Logo Horizontal behavioral analysis (as
Pos / Neg .exe explained on previous
33 Indirect syscalls slides)
.dll
Take aways.
§ EDRs are more likely to trigger based on well-known abuse tools like Cobalt Strike, suggesting some level of fingerprinting
§ Malware hiding in .dll’s is less likely to get detected by EDRs
§ EDRs differ in their effectiveness, however some evasion techniques successfully circumvent most (all?) of them
§ Our experiments so far only use well-known techniques. Better evasion is possible should it become necessary
20
The 3 simple injection techniques work surprisingly well against common EDR systems Detected
Undetected
Step 1: System Infection. We tested three different evasion techniques (and two base cases) against three leading EDR
solutions, and one antivirus solution. All experiments were run in August 2022.
Cobalt Strike and
Sliver are popular C&C
EDR1 EDR2 EDR3 AV tools to control
Cobalt Sliver Cobalt Sliver Cobalt Sliver Cobalt Sliver infected computers
No behavioral analysis or .exe
Base case. A malware
sandbox evasion .dll
Detection seems partly based that does not try to
evade behavioral
.exe
Only sandbox evasion
.dll
on known Cobalt Strike analysis
Take aways.
§ EDRs are more likely to trigger based on well-known abuse tools like Cobalt Strike, suggesting some level of fingerprinting
§ Malware hiding in .dll’s is less likely to get detected by EDRs
§ EDRs differ in their effectiveness, however some evasion techniques successfully circumvent most (all?) of them
§ Our experiments so far only use well-known techniques. Better evasion is possible should it become necessary
21
The 3 simple injection techniques work surprisingly well against common EDR systems Detected
Undetected
Step 1: System Infection. We tested three different evasion techniques (and two base cases) against three leading EDR
solutions, and one antivirus solution. All experiments were run in August 2022.
Cobalt Strike and
Sliver are popular C&C
EDR1 EDR2 EDR3 AV tools to control
Cobalt Sliver Cobalt Sliver Cobalt Sliver Cobalt Sliver infected computers
No behavioral analysis or .exe
Base case. A malware
sandbox evasion .dll that does not try to
Take aways.
§ EDRs are more likely to trigger based on well-known abuse tools like Cobalt Strike, suggesting some level of fingerprinting
§ Malware hiding in .dll’s is less likely to get detected by EDRs
§ EDRs differ in their effectiveness, however some evasion techniques successfully circumvent most (all?) of them
§ Our experiments so far only use well-known techniques. Better evasion is possible should it become necessary
22
After successful injection, the EDR might still detect the hacker based on suspicious actions
Malware is executed Hacker interacts with Hacker collects more Finally, hacker
User interacts with
– either in the delivery the malware remotely information from performs malicious
infected file, e.g. .lnk,
script or deferred with (“command and system and Active actions, like stealing
Office Macro
.dll hijacking control”) Directory or encrypting files
What we covered so far Let’s look at the next steps in the hacking chain …
§ Potential malware get downloaded/executed
as Logo Horizontal § Once the malware is running, we can trigger different malicious actions
§ EDR analyses
Pos / Neg
§ These, too, can get detected by the EDR
§ We use evasion techniques not to get detect § But mostly they are not – see next slide
23
EDR systems only trigger on few suspicious actions Detected
Undetected
Step 2: System Abuse. After successfully starting the malware (in step 1), we are now executing malicious actions of the target.
All tests in this overview are based on the indirect syscall .dll injection technique (from step 1).
Take aways.
§ EDRs are highly ineffective at detecting abuse actions after injection
§ When adding new capabilities, red teamers should avoid the built-in ‘execute-assembly’ option that might trigger an EDR
24
Putting the pieces together: By combining the right injection and abuse strategies, hackers can
fully circumvent common EDR solutions
25
Demo Time
as Logo Horizontal
Pos / Neg
26
Agenda
Effective techniques to
circumvent them
27
Do we even need EDRs on endpoints?
Cobalt Strike
sample
upload to
VirusTotal
as Logo Horizontal
Sliver
Pos / Neg
sample
upload to
VirusTotal
28
Some complimentary controls are available to make up for the protection gaps in EDRs
29
Security software can introduce software bugs, further decreasing their protection contribution
30
Security software can introduce software bugs, further decreasing their protection contribution
as Logo Horizontal
Pos / Neg
31
Take aways
Questions?
Jorge Gimenez <jorge@srlabs.de>
Karsten Nohl <nohl@srlabs.de>
32