Alexey Balandin, Security Vision
Today it is impossible to imagine endpoint protection without an EDR system, which, unlike legacy antivirus software, relies primarily on behavioral analysis of the events occurring in the system. The need for such systems has grown dramatically over the past 10 years, because threats keep improving from year to year. It has long been clear that attackers are countered effectively not so much by static code analysis and signature matching as by studying, analyzing and blocking their behavioral patterns, tactics, techniques and procedures. This is what the EDR product class does, and it develops actively thanks to the constant replenishment of its knowledge base with new attack methods. The flip side of the coin is that attackers are not standing still either and keep developing new ways to bypass and counteract EDR. Below we look at the EDR bypass techniques that have been most popular with attackers over the past 5 years.
In this article, antivirus bypass techniques are considered only in part, since the antivirus is often a component of the EDR itself. The main focus is on techniques aimed at bypassing the behavioral algorithms of EDR. The bypass techniques discussed below are:
1. Process Hollowing and Classic DLL Injection
2. Reflective DLL Loading
3. API Unhooking, Manual mapping
4. ETW patching
5. Direct Syscalls, Indirect Syscalls
6. Bring Your Own Installer (BYOI)
7. Bring Your Own Vulnerable Driver (BYOVD)
8. DLL Hijacking & Side-Loading
9. Service Abuse
10. Living Off The Land utilities
1. Process Hollowing and Classic DLL Injection
These two long-standing code injection techniques embed code into legitimate processes in order to elevate privileges and evade application whitelisting and antivirus.
Process Hollowing replaces the code of a legitimate running process with malicious code while preserving the process's name and metadata. This is achieved by creating a process in a suspended state, unmapping and replacing its image in memory, adjusting the thread context, and resuming execution. The technique requires working with the PE format, relocations, imports and thread context, and effectively masks malicious activity. It is implemented in the following stages:
1. Creating a process in a suspended state (CreateProcess with the CREATE_SUSPENDED flag)
2. Getting the context and memory addresses of the target process (NtQueryInformationProcess)
3. Unmapping or freeing the original image (NtUnmapViewOfSection)
4. Placing a new (malicious) PE image in the process memory (VirtualAllocEx, WriteProcessMemory)
5. Updating the image tables and the thread context (SetThreadContext)
6. Resuming execution (ResumeThread)
Classic DLL Injection is historically the very first and easiest-to-implement technique for injecting code into a process. It consists of opening the process, allocating memory in it, and creating a remote thread that calls LoadLibrary to load the required DLL. Because of its simplicity, EDRs themselves use this technique to load their DLLs into target processes and then install Win32 and Native API hooks.
Modern EDR solutions easily detect these techniques by their characteristic API sequences and behavior, so attackers rarely use them now.
2. Reflective DLL Loading
A method of running code in which a DLL or shellcode is loaded from memory by its own minimal PE loader, bypassing the OS loader and never touching the disk. Stages of implementation:
1. Payload preparation
A special module (a reflective DLL or shellcode) is created that can resolve its own dependencies and perform its own initialization. It contains a built-in loader that mimics what the system does in LoadLibrary and GetProcAddress.
2. Placing the payload in the target process's memory
Memory for the injection is allocated with API calls such as VirtualAlloc or VirtualAllocEx. The payload is then written into the target process via WriteProcessMemory or a similar direct write.
3. Reflective loading
Once in memory, the code calls its own loading function. This stage is often triggered via CreateRemoteThread, NtCreateThreadEx, or a call to an already existing function (for example, RtlCreateUserThread).
The loader inside the payload performs:
- locating the addresses of the LoadLibraryA and GetProcAddress functions,
- parsing the PE header tables,
- manually resolving imports and applying relocations.
4. Code execution in the context of the process
Control is transferred to the main logic of the injected code, which now runs in the address space of the target process. Standard Windows APIs are used for the required actions (for example, VirtualProtect to change memory permissions where necessary).
5. Cleaning and hiding traces
After execution, temporary memory regions are freed (VirtualFree), and the PE structure may be overwritten or erased to complicate analysis.
Because this technique does not use LoadLibrary and runs entirely from memory, it is stealthier than classic DLL injection. It is still readily detected by its characteristic chain of system calls, yet despite this it is widely used in C&C frameworks.
3. API Unhooking, Manual mapping
The hooks installed by an EDR are essentially modifications of code in process memory. Advanced malware can detect them and restore the original byte sequence, returning the code to its initial state. For example, if the EDR hooks the NtAllocateVirtualMemory function (to detect allocation of RWX memory regions), the malware can load a clean copy of ntdll.dll from disk and restore the modified byte sequence to its original form, removing the hook. After that, the EDR can no longer monitor calls to this function. This sounds like an effective approach, but EDRs have learned to detect it by periodically checking that their hooks are in place and reinstalling a hook if it has been removed.
Manual Mapping is a method in which the malware loads a clean copy of ntdll.dll into memory without using the LoadLibrary function, so as to be stealthier. Calls to the functions of interest then go through the freshly loaded clean ntdll.dll, so the EDR cannot influence them in any way. The disadvantage of this method is that during a memory scan the EDR can detect the second copy of ntdll.dll, which serves as an indicator of an attack. A stealthier variant is to load only the code of the function of interest into memory instead of the entire library.
4. ETW patching
For an EDR, ETW is a very valuable source of telemetry for many kinds of events: .NET, network activity, DNS, RPC, LDAP, WMI, kernel events and so on. Bypassing or disabling ETW is therefore one of an attacker's priorities in the fight against EDR.
The most popular way to bypass ETW is to patch the functions that generate ETW events, EtwEventWrite and NtTraceEvent. The patching algorithm is as follows:
1. Getting the address of the VirtualProtect function via GetProcAddress
2. Getting the address of the EtwEventWrite function via GetProcAddress
3. Setting RWX protection on the memory at the EtwEventWrite address via VirtualProtect
4. Writing instructions at the beginning of the function that render it useless, for example ret or xor rax, rax; ret
5. Restoring the original memory protection at EtwEventWrite via VirtualProtect
The malware or hack tool performs these manipulations in the context of its own process in order to remove itself from ETW's field of view. They can also be applied to another process the malware can interact with, but that requires a call to WriteProcessMemory, which may attract unwanted attention from the EDR.
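Added example, not from the article: an integrity check of the kind the EDR side runs to notice that one of its inline hooks was removed (section 3) or that an ETW export was neutralized with the stubs named in section 4. All byte strings are constructed for the demo; the expected prologue and the detour displacement are placeholders, not real ntdll.dll bytes.

```python
# Expected first bytes of a hypothetical clean function prologue
# (mov [rsp+8], rbx ; push rdi). Constructed, not copied from ntdll.dll.
EXPECTED_CLEAN = bytes.fromhex("48895c240857")
# Expected first bytes once the EDR has installed its own inline hook:
# jmp rel32 (E9 + 32-bit displacement). The displacement is a placeholder.
EXPECTED_HOOKED = bytes.fromhex("e900001000")

# Short stubs that make a function return immediately without doing its job.
# The article names ret and xor rax, rax; ret; the other encodings are
# equivalent forms of the same idea.
NEUTRALIZERS = {
    "c3": "ret",
    "31c0c3": "xor eax, eax; ret",
    "33c0c3": "xor eax, eax; ret",
    "4831c0c3": "xor rax, rax; ret",
    "4833c0c3": "xor rax, rax; ret",
}

def classify_prologue(observed: bytes, expected: bytes) -> str:
    """Compare a function's in-memory prologue with the bytes we expect there."""
    if observed[:len(expected)] == expected:
        return "intact"
    for hexpat, asm in NEUTRALIZERS.items():
        if observed.startswith(bytes.fromhex(hexpat)):
            return f"neutralized: {asm}"
    # mov eax, imm32 ; ret (B8 imm32 C3): returns a fixed status, drops the event
    if len(observed) >= 6 and observed[0] == 0xB8 and observed[5] == 0xC3:
        return "neutralized: mov eax, imm32; ret"
    # jmp rel32 or jmp [rip+disp32] that is not the detour we installed
    if observed[:1] == b"\xe9" or observed[:2] == b"\xff\x25":
        return "foreign detour"
    return "modified: unknown bytes"

def check_hook(observed: bytes) -> str:
    """Hook-health check the EDR can run periodically on a hooked export.

    'hooked'   : our jmp is still in place
    'unhooked' : the clean on-disk bytes are back (API unhooking)
    otherwise  : some other modification, reported by classify_prologue()
    """
    verdict = classify_prologue(observed, EXPECTED_HOOKED)
    if verdict == "intact":
        return "hooked"
    if observed.startswith(EXPECTED_CLEAN):
        return "unhooked"
    return verdict

if __name__ == "__main__":
    print(check_hook(EXPECTED_HOOKED + b"\x57"))      # hooked
    print(check_hook(EXPECTED_CLEAN))                 # unhooked
    print(check_hook(bytes.fromhex("4831c0c3cccc")))  # neutralized: xor rax, rax; ret
```

In a real agent the expected bytes come from the on-disk image (after applying relocations) or from the agent's record of what it wrote, and the comparison is repeated on a timer.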
Functions that call EtwEventWrite internally can also be patched, for example LDAPSearchLoggingClientTraceEventNoReg, which is responsible for generating LDAP telemetry.
If the EDR does not monitor global ETW manipulations, an attacker can first obtain the list of tracing sessions and then detach the relevant ETW providers from those sessions using the EnableTraceEx2 function or the command
logman update trace TRACE_NAME --p PROVIDER_NAME -ets
Tracing sessions themselves can be stopped with the following command
logman.exe stop TRACE_NAME -ets
For example, this can be done to Sysmon, depriving it of ETW events as a telemetry source.
ETW telemetry can also be controlled via the registry and environment variables. For example, setting the environment variable COMPlus_ETWEnabled, or the ETWEnabled value under the registry key HKCU\Software\Microsoft\.NETFramework, to 0 stops the generation of .NET runtime events.
5. Direct Syscalls, Indirect Syscalls
This technique can be considered a logical development of the outdated IAT hooking and inline API hooking techniques. It is based on the fact that Native API functions contain small instruction sequences (stubs) that act as adapters to the corresponding kernel functions. The adapter consists of the following instructions:
mov r10, rcx
mov eax, SSN
syscall
ret
SSN (System Service Number) is the number used to reach the required system call in the System Service Dispatch Table (SSDT). By building such adapters itself, an attacker can reach kernel functions bypassing ntdll.dll, confident that the call will not be intercepted by EDR hooks installed in the Win32 API and Native API (ntdll.dll). An unpleasant nuance of this technique is that Microsoft often changes the system call numbers (SSNs), so an SSN hardcoded in the stub will work only on the current Windows build. For example, the NtCreateThreadEx system call number for Windows 10 1909 is 0xBD, and for Windows 10 20H1 it is 0xC1. As a result, the Hell's Gate and Halo's Gate techniques appeared, which resolve system call numbers dynamically and thus eliminate the need to hardcode them inside the assembler stub.
The Direct Syscalls technique has two characteristic indicators for an EDR:
1) The syscall instruction, located inside the attacker's assembly stub, is executed outside the address space of ntdll.dll.
2) The ret instruction is located outside ntdll.dll, so after the system call control returns to an address outside the address space of ntdll.dll.
Both of these nuances are extremely atypical for legitimate Native API functions. To overcome them, the Indirect Syscalls technique appeared as a further development of Direct Syscalls.
Schematically, the Indirect Syscalls technique is shown in the following figure.
[Figure: Indirect Syscalls]
As the diagram shows, just as with Direct Syscalls we bypass the Win32 API layer and partially bypass the Native API: the stub executes an unconditional jmp to the syscall instruction inside ntdll.dll, which is followed there by ret. This avoids the indicators typical of Direct Syscalls discussed above.
Indirect Syscalls are not a silver bullet for the attacker: because the syscall and ret instructions are borrowed from ntdll.dll, only the top frame of the call stack is spoofed, while the lower frames still point to the attacker's original exe/dll. An EDR that uses ETW and call-stack tracing will detect this anomaly and will most likely treat it as an indicator of malicious activity.
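Added example, not from the article: a simplified model of how a detection engine applies the two Direct Syscalls indicators and the call-stack check described for Indirect Syscalls. The module map, addresses and frames are constructed for the demo; a real agent would take them from the process's loaded-module list and a stack walk at the kernel transition.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:
    """A loaded image: its name and address range in the process."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

# Constructed module map of a hypothetical 64-bit process; the addresses are
# made up for the demo and are not real load addresses.
APP = Module("app.exe", 0x7FF610000000, 0x100000)
KERNELBASE = Module("kernelbase.dll", 0x7FFA87000000, 0x300000)
NTDLL = Module("ntdll.dll", 0x7FFA90000000, 0x200000)
MODULES = (APP, KERNELBASE, NTDLL)

def module_for(addr: int, modules=MODULES):
    """Return the module backing addr, or None if the memory is unbacked."""
    for m in modules:
        if m.contains(addr):
            return m
    return None

def in_ntdll(addr: int) -> bool:
    m = module_for(addr)
    return m is not None and m.name == "ntdll.dll"

def classify_syscall(syscall_ip: int, ret_ip: int, frames) -> str:
    """Classify one user-to-kernel transition.

    syscall_ip: address of the executed 'syscall' instruction
    ret_ip:     address of the 'ret' that follows it
    frames:     return addresses of the callers, innermost first
    """
    # Indicators 1 and 2 from the text: syscall or ret executing outside ntdll.dll.
    if not in_ntdll(syscall_ip) or not in_ntdll(ret_ip):
        return "direct-syscall"
    # The top frame really is ntdll, so walk the callers: a frame that no
    # loaded module backs (e.g. injected code) is the stack anomaly that
    # gives an indirect syscall away.
    for addr in frames:
        if module_for(addr) is None:
            return "indirect-syscall-suspect"
    return "benign"

def demo():
    """Three constructed transitions: a normal API call, a direct syscall
    from the exe's own stub, and an indirect syscall from unbacked memory."""
    legit = classify_syscall(NTDLL.base + 0x9F012, NTDLL.base + 0x9F014,
                             [KERNELBASE.base + 0x2A100, APP.base + 0x1F30])
    direct = classify_syscall(APP.base + 0x5000, APP.base + 0x5002,
                              [APP.base + 0x1F30])
    indirect = classify_syscall(NTDLL.base + 0x9F012, NTDLL.base + 0x9F014,
                                [0x1C0A4F20000, APP.base + 0x1F30])
    return legit, direct, indirect

if __name__ == "__main__":
    print(demo())
```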
6. Bring Your Own Installer (BYOI)
Modern EDR and antivirus solutions are mostly equipped with self-protection mechanisms and cannot be stopped or removed without authorization. However, during a legitimate reinstallation or upgrade the agent service is stopped or removed. Attackers have adopted this: after launching the installer, it becomes possible to stop or remove the agent. The attacker needs administrator privileges to run the installer (most often an .msi or .exe file). By interrupting the installation at the moment when the agent is stopped or removed, the attacker leaves the host in a state vulnerable to the subsequent launch of malware.
Among real cases of this technique is the Babuk ransomware attack, in which the attackers compromised an Internet-facing server and escalated their privileges. They then launched the SentinelOne installer and interrupted it after a while, which deactivated the agent. The Babuk encryptor then ran on the host, and the installed EDR could not affect it in any way. To mitigate the threat, SentinelOne recommended that customers enable the local authorization feature. The SentinelOne incident showed that local authorization must be enabled without fail for launching the EDR installer.
7. Bring Your Own Vulnerable Driver (BYOVD)
As mentioned in our previous article, this technique involves loading a vulnerable legitimate driver (there are currently more than 700 of them in the LOLDrivers project) in order to deactivate the EDR/antivirus and bypass its protective mechanisms (terminating processes, removing kernel-level callbacks, closing process handles, unloading EDR drivers, bypassing PPL process protection). The necessary conditions for this attack are that the attacker has full administrator rights and that the hash of the driver used is absent from Microsoft's vulnerable driver blocklist and from the relevant Sysmon rules.
The popularity of this technique keeps growing as new samples regularly appear on the LOLDrivers list. In addition, some legitimate tools ship together with vulnerable drivers and can be used to carry out this attack (Process Explorer, Process Hacker, GMER). In 2023 a toolkit designed to deactivate a number of antiviruses and EDRs was sold on the darknet. Speaking of BYOVD, it is also necessary to note how simple it is to carry out: it is standard practice to grant users the administrative rights on the host that are required to install a driver, so in most cases the attacker does not need to escalate privileges after compromising the account.
The following incidents can be noted among the cases of this technique:
1) In 2022, the BlackByte ransomware used a vulnerable MSI Afterburner driver (RTCore64.sys) to deactivate a number of EDRs.
2) In 2022-2023, the AvosLocker ransomware used the legitimate Avast Anti-Rootkit driver (aswArPot.sys) to disable antiviruses.
3) At the beginning of 2023, the AuKill tool was involved in at least three incidents related to ransomware attacks. This tool, built on the outdated vulnerable Process Explorer driver (procexp.sys), is an example of abuse of a legitimate tool.
To mitigate this threat, both the security vendor and the OS must maintain and regularly update a driver blocklist and block the loading of the listed drivers.
8. DLL Hijacking & Side-Loading
In this technique an attacker exploits the search order used when a legitimate application loads a library. If the application does not specify the library's path explicitly, the very first directory searched is the application's own directory. So if the application does not specify the load directory and does not verify the library's digital signature, the attacker can place a malicious DLL next to the vulnerable .exe, and it will be loaded when the legitimate .exe is launched. The result is malicious code running in the context of a trusted application, which in turn can lead to privilege escalation and bypass of the security mechanisms of the security tools and the OS. This is the DLL Hijacking technique; its variant, DLL Sideloading, differs in that the attacker does not need a vulnerable application to be installed on the attacked host: it is enough to deliver and run the corresponding .exe and place the DLL with malicious code next to it.
The following cases of this technique can be noted:
1) In 2024, the ToddyCat APT group exploited a vulnerability in the ESET command line scanner (ecls.exe), which insecurely loaded version.dll from its working directory. The attackers placed a malicious version.dll next to the scanner's .exe file, which allowed them to bypass antivirus checks and execute their code in the context of a trusted ESET application. Next, a vulnerable legitimate driver was loaded, through which kernel structures were modified and the subscription to kernel security notifications was disabled. It was thus a combined attack in which DLL Sideloading was chained with BYOVD.
2) In mid-2022, the LockBit group exploited a vulnerability in MpCmdRun.exe, the Microsoft Defender console utility, which insecurely loaded MpClient.dll; this led to the launch of a Cobalt Strike beacon and complete compromise of the host. The case is notable in that Microsoft Defender was supposed to prevent the execution of malicious code but could not, because a vulnerability in its own component was exploited.
A distinctive feature of this technique is that it is very effective at hiding malicious code in the context of legitimate trusted applications, which significantly increases the malware's survivability.
To mitigate this threat: on the vendor's side, use secure library load paths and verify digital signatures; on the security team's side, detect legitimate applications launched from atypical directories, as well as legitimate applications loading unsigned libraries, especially from temporary directories.
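Added example, not from the article: the detection side of the mitigation above, run over constructed Sysmon Event ID 7 (Image loaded) records. It flags an unsigned DLL loaded from the application's own directory, a DLL with a System32 name resolved elsewhere (the version.dll pattern from the ToddyCat case), and loads from or launches out of user-writable directories. The records, paths and the short DLL-name list are constructed for the demo.

```python
import ntpath

# Constructed Sysmon Event ID 7 records flattened to key=value fields.
# Paths, users and signature fields are made up for the demo.
SAMPLE_EVENTS = """\
Image=C:\\Program Files\\Vendor\\scanner.exe|ImageLoaded=C:\\Windows\\System32\\version.dll|Signed=true|SignatureStatus=Valid
Image=C:\\Program Files\\Vendor\\scanner.exe|ImageLoaded=C:\\Program Files\\Vendor\\version.dll|Signed=false|SignatureStatus=Unavailable
Image=C:\\Users\\bob\\AppData\\Local\\Temp\\scanner.exe|ImageLoaded=C:\\Users\\bob\\AppData\\Local\\Temp\\version.dll|Signed=false|SignatureStatus=Unavailable
Image=C:\\Windows\\System32\\svchost.exe|ImageLoaded=C:\\Windows\\System32\\rpcrt4.dll|Signed=true|SignatureStatus=Valid
"""

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Directories a standard user can write to; an installed vendor application
# normally neither runs from nor loads libraries from them.
USER_WRITABLE = ("\\temp\\", "\\downloads\\", "\\appdata\\", "\\users\\public\\")
# DLL names that normally resolve to System32 (a constructed starter list;
# extend it from your own baseline of image-load telemetry).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}

def parse_event(line):
    """Turn one 'k=v|k=v' record into a dict of Sysmon fields."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def analyze(event):
    """Return the side-loading indicators found in one image-load event."""
    image = event["Image"].lower()
    loaded = event["ImageLoaded"].lower()
    unsigned = (event.get("Signed", "").lower() != "true"
                or event.get("SignatureStatus") != "Valid")
    findings = []
    if unsigned and ntpath.dirname(loaded) == ntpath.dirname(image):
        findings.append("unsigned DLL loaded from the application's own directory")
    if (ntpath.basename(loaded) in SYSTEM_DLL_NAMES
            and not loaded.startswith(SYSTEM_DIRS)):
        findings.append("system DLL name resolved outside System32")
    if unsigned and any(tok in loaded for tok in USER_WRITABLE):
        findings.append("unsigned DLL loaded from a user-writable directory")
    if any(tok in image for tok in USER_WRITABLE):
        findings.append("application launched from an atypical directory")
    return findings

def scan(text=SAMPLE_EVENTS):
    """Run analyze() over every record; returns [(ImageLoaded, findings), ...]."""
    results = []
    for line in text.splitlines():
        if line.strip():
            ev = parse_event(line)
            results.append((ev["ImageLoaded"], analyze(ev)))
    return results

if __name__ == "__main__":
    for path, findings in scan():
        print(path, "->", findings or "ok")
```

The first and last records are the normal case and produce no findings; the two others are the hijack-of-an-installed-application and the sideload-from-Temp variants.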
9. Service Abuse
In this technique the attacker manipulates OS settings to deactivate or bypass the EDR without exploiting any vulnerabilities. One example is rebooting the OS into safe mode, where the EDR and its protective capabilities may not function, so the malware can act without any opposition from the EDR. An example of this technique is the Snatch ransomware infection in 2019. It installed its own service on the system with a command to reboot into safe mode and added a Run registry key for autostart. After the system restarted in safe mode with antivirus and EDR turned off, Snatch began encrypting files. Another example is the Black Basta ransomware, which rebooted the system into recovery mode and deactivated the installed EDR.
To mitigate this threat, EDRs must require authorization before the system is booted into recovery mode or safe mode, and must alert on such attempts.
10. Living Off The Land utilities
We described this technique and its use in detail in one of our previous articles. One effective way to apply it is to bypass the EDR using tools from Microsoft or other trusted vendors. Below is a list of LOL utilities broken down by the tactics of the MITRE ATT&CK matrix. These utilities do not arouse suspicion among many EDRs, or did not for a long time, and are actively used by intruders.
1. Network reconnaissance: Advanced IP Scanner, Angry IP Scanner
2. Privilege escalation: NSudo (escalation to SYSTEM, TrustedInstaller)
3. Bypassing protective mechanisms: Process Explorer, Process Hacker
4. Credential access (dumping LSASS, obtaining logins/passwords): Sysinternals ProcDump, Deepl CreateDump, Avast AvDump; NirSoft ChromePass, PasswordFox, Remote Desktop PassView, Mail PassView
5. Collecting data from the network and host: PowerShell Active Directory module, AdFind, ADRecon, PSRecon, Kansa, WMI
6. Lateral movement: PsExec, WMIC
7. Command and control: TeamViewer, Ammyy Admin, DameWare, AnyDesk
8. Impact (data encryption, data wiping): BitLocker, DiskCryptor; SDelete
This threat is mitigated by maintaining application blocklists and allowlists (WDAC, AppLocker).
Conclusion
This article has provided an overview of EDR bypass techniques, both simple ones and more complex ones that require some training and knowledge from the attacker. Some techniques have been in attackers' arsenals for a long time, others appeared relatively recently. What unites them all is that none of them is a silver bullet in the fight against EDR: each can be detected in time by direct or indirect signs. If the following conditions are met, the risk of successful use of each technique can be eliminated or minimized:
1. Follow the principle of least privilege; where possible, do not give users administrative accounts on their workstations.
2. Install system updates regularly, as well as EDR updates.
3. Regularly evaluate the effectiveness of the installed EDR by conducting cyber exercises, or at least by running red-team utilities aimed at bypassing and testing EDR.
4. Maintain blocklists of applications and drivers.
5. Respond promptly to EDR alerts, especially those related to configuration changes, component shutdowns and EDR self-protection.