
EDR Evasion Primer

BSides Berlin · 2022 · 32:59 · 503 views · Published 2023-02
About this talk
Jorge Gimenez explores EDR evasion techniques used in real red team engagements, analyzing how attackers bypass Endpoint Detection and Response systems through static analysis obfuscation, dynamic execution manipulation, and behavioral analysis circumvention. The talk demonstrates practical payloads and post-exploitation actions against major EDR products, then contextualizes EDR's actual value as a detection layer and discusses compensating security controls.
Original YouTube description:
EDR (Endpoint Detection and Response) evasion is a technique used by attackers to bypass or disable security measures on endpoints, such as laptops or servers, in order to carry out malicious activities without detection. This can include malware infections, data exfiltration, or unauthorized access to sensitive information. About the speaker: Jorge is a Security Consultant at SRLabs focused on infrastructure pentesting and Red Teaming. He has deep expertise in Endpoint protection, Malware Development, and Active Directory hacking. https://twitter.com/jrrgimenez
Transcript (English):

Jorge, you're here to talk with us today about an EDR evasion primer? Yep. What does EDR stand for? Uh, to be honest... Endpoint Detection and Response, I think it is. Sorry, I just always say that, I apologize. Well, cool. What does Security Research Labs do? Are they based in Berlin? Yep. Your research mostly? We do all kinds of research, also in telco networks and stuff like that. Sounds fun. Are you hiring? Yeah, I think so. Well, you know where to find Jorge if you have questions about the talk or about the company. A round of applause, please welcome Jorge.

Hello everyone, it's really nice to be here talking about one of the things that I have loved the most for the past year, which is EDR evasion. The idea of this talk is to give an idea of how an EDR works and a set of techniques that you could use to bypass any EDR: not individual flaws of any of them, but a set of techniques that you can use and a set of flaws that are present in any EDR out there. In the end we'll see how we can compensate for these small gaps that we can find in any EDR on the market.

So first a bit about me. I'm Jorge, I'm a red teamer at Security Research Labs, and I focus mainly on Windows security, Active Directory and red teaming, and also for the past few months mostly on endpoint security, preparing our payloads for engagements. A bit of background: we obviously do red teaming, so in every engagement we do, from a few months ago, I would say about a year ago, we always find an EDR. So evading EDR has become one of our main objectives, because we usually face them every time we try to get initial access. Because of that we have a small test lab with a few EDRs, each of them running in an individual

virtual machine and independent from each other. All of the features of the EDRs are enabled; the only feature that is missing is obviously cloud sample submission, because we don't want the hashes to be shared and we don't want our samples to be submitted. But every other feature, including cloud analysis with all the IOCs that the EDR has, everything that is included, we have. We have three EDRs: Defender for Endpoint, which is basically the enhanced Microsoft Defender; Symantec EDR, which is an EDR from the Symantec vendor; and SentinelOne, which is basically the EDR from SentinelOne, one of the first EDRs that were available. And also an antivirus as a

reference, but we are not going to mention which one. The results of this test lab were obtained in August 2022, but they are still pretty relevant because they are mostly the same. So first, how do EDRs work? We are going to divide the analysis into three kinds of analysis. The first two are the ones you can find basically in any antivirus, and those would be static and dynamic analysis. Static analysis would be just looking at the file content, seeing if there's any malicious pattern inside and making the decision based on that, and dynamic analysis would be basically executing the sample in a controlled

environment we call a sandbox and deciding if it's malicious or not based on that. EDR has a new capability, a new layer of capabilities, which is basically what we call behavioral analysis, and basically that means that the malware is going to be executed on the host computer and it's going to get all the data that comes from it, like all the telemetry, and based on that it's going to decide if our malware is malicious or not, and if that's the case it's going to kill it and create an alert. But let's look at it a bit closer. Static analysis would be the kind of

analysis we do when a user has downloaded the file. First, what the EDR is going to do is analyze the file content and look for malicious patterns. These patterns can be anything: strings, domain names, assembly snippets, IP addresses, file hashes, whatever things are inside the file and can be obtained statically. Based on this it has to make a decision: is this malicious or not? Sometimes it's not only that it finds one malicious thing but a combination of several things, and it makes a decision. Obviously a good example would be if your binary has Metasploit code or Cobalt Strike shellcode, things that you

know are really bad and are going to perform malicious actions; that will be flagged. What we can do to avoid this is obviously obfuscate or encrypt the sections of our binaries that we know are malicious and that we know could be suspected and could be analyzed by an EDR. But in this case we need to be really careful with the obfuscation or encryption techniques we use, because the encryption technique, or the decryption technique, can be flagged by itself. So we could be flagged not by the content of the file but because of the technique we are using

to decrypt our malicious content. So it's good if we implement our own techniques when we are creating malware. In dynamic analysis we take a different approach. So the file has bypassed static analysis, it's not malicious, so what the EDR is going to do is execute the same sample in a controlled environment, in a sandbox, and in the sandbox you can see more of these patterns. You can see, for example, if the malware is performing network connections to unusual IPs, if it's performing registry changes, for example, or even if it's accessing memory regions it shouldn't, for example if it's reading LSASS or accessing different processes. Then with this information it has to

make a decision and see if the malware is malware or not. If it's obviously bad it's going to remove it, and if not it's going to keep it. What we can do to bypass this kind of analysis is to make our malware clever enough to understand if it's inside the sandbox. That could be done in a lot of different ways; some of them would be, for example, checking the number of processor cores, because usually sandboxes are limited in resources, or checking the RAM memory we have. We can also perform some sandbox evasion techniques focusing on specific users; for example, we can get the domain name of

the user we are targeting to make sure it's only executing on a certain domain or by a certain user, and if it's not what we are looking for then we escape from the execution before doing the malicious activity. If we recognize we are in a sandbox we just escape, and we should bypass dynamic analysis. Also it's worth mentioning that if we implement lots of techniques for evading dynamic analysis, that could be flagged by itself. If we are checking the memory size, the processors, everything, basically the EDR is going to get a bit angry at us and it's basically going to also delete the file. So be careful with how many techniques

you implement to evade the sandbox. And then we get into the tricky part, which is basically behavioral analysis, and it is the thing that the EDR is implementing. In this case you can see the representation of a common process injection technique in which we allocate memory, we write our payload in that memory region and we create a new thread to execute that payload. You see two things here: kernel32 and ntdll. kernel32 would be the abstraction of ntdll, and ntdll is the low-level library on which basically most of the libraries of Windows depend. This is a low-level library that interacts with the kernel, and the EDR wants to know what is

happening in these low-level libraries. So what the EDR is going to do is modify... so first it's going to load ntdll, and then the EDR is going to load its own DLL and it's going to modify ntdll in memory, placing some hooks to redirect the execution and analyze our behavior. To make it simple, for example, in a call to VirtualAlloc, what it would do is first call NtAllocateVirtualMemory, which is a low-level function in ntdll; NtAllocateVirtualMemory would go first to the EDR, which analyzes what is inside, and then go to the kernel and execute the call. With this information the EDR knows exactly what we are doing in real time

and can make a proper decision about our binary and see if what we are actually executing is malware. Now let's see some effective techniques to circumvent these protective methods, specifically about behavioral analysis, which we haven't mentioned. A bit of background: in this case we are obviously applying bypass and evasion to everything, so we are evading static analysis by encrypting our payloads and evading dynamic analysis by implementing some sandbox evasion techniques. And we are going to explain three techniques. The first technique will be unhooking, which is basically removing the hooks; the second technique will be direct system calls, which means that we are calling the kernel instructions going through a different

way; and the third technique will be indirect syscalls, in which we are going to do the same but with a different approach. So let's take a look at this. This will be VirtualAlloc, which we discussed, and we are injecting our malware payload. We have bypassed static analysis and dynamic analysis and we are trying to inject into a different process, so we allocate memory, but the EDR is going to catch our syscall instruction, or overall our syscall, and it's going to analyze what's inside, and as we are allocating a known payload that the EDR knows is malicious, it's going to kill our process. What we can do, and the

first approach that anyone would take, would be to just remove these hooks. They are living in userland, so they are living in an area which the user can interact with and can remove them. So the idea would be to remove this overwritten ntdll that the EDR has overwritten and overwrite it with our custom ntdll, with our fresh copy from disk that has not been modified. How we obtain this copy could be done in different ways, but we know that ntdll is only modified at a certain part of the execution, so at first ntdll has to be on the disk completely unmodified. So if we just read

it directly from disk we can get a fresh copy and modify our in-memory ntdll, overwriting it with the original one without any hook. We can also take a different approach, because reading ntdll could be a bit suspicious: we can start a process in a suspended state and copy ntdll from there before the EDR has even placed its hooks. So you can really get creative; the objective is to get a fresh copy of ntdll and override your in-memory ntdll to remove these hooks and make the EDR completely blind. But we came across a problem doing this, and it is that accessing ntdll, the first technique, is commonly flagged because it has been

used by a lot of actors, and also the API calls we are using to overwrite ntdll are also hooked, which means that the EDR is looking at you while you are trying to keep it blind, which is not a good approach. A different approach to the same problem would be something we call direct system calls. In direct system calls what we are going to do is implement our own system calls inside our binary. That means that instead of going through ntdll we are going to be calling them directly from our malware. In this case we need one parameter to create our syscall, and that will be the system service number; basically it

identifies which syscall we are going to execute. In this case, for example, we have the system service number of NtAllocateVirtualMemory, and we have a problem there, and the problem is that this system service number varies from Windows version to Windows version. So if we don't know which system we are targeting we are going to have a really hard time implementing all of the system service numbers available in every Windows version. They can also be obtained dynamically, and it has been conveniently automated in some tooling like SysWhispers2, which has made it easy to weaponize this technique, and it's really easy to implement with

that approach. Once we have our system service number, our syscall instruction implemented, you can see that we are calling the kernel function directly from our malware and not going through ntdll, and in that case the EDR sees nothing. But again we face a different problem, and it is that having a syscall instruction in our malware is also something suspicious, and there's little software normally used out there that is performing syscalls from inside, if you think about it. Also, only the loader we are creating here is leaving the EDR blind, but everything we do after that is still going to

be analyzed because the hooks are still in place; the EDR still sees what we are doing, so this is not a perfect approach. In this case, to avoid the first problem, having the syscall instruction directly in our malware, we can do something that we call indirect system calls. In indirect system calls what we are doing is that we are going to prepare again our assembly instruction in our malware, but instead of that we are going to scrape ntdll and find a valid syscall instruction (any syscall instruction is valid) and we are going to jump there instead of calling it directly from our malware. That way the syscall instruction is called

directly from ntdll, which is how it's supposed to be, and we don't rely on having a syscall instruction directly in our malware, which is really good because it bypasses most of the detections we saw before. Now, before going into the actual test lab results, let's see some Windows internals things for those of you who are not used to Windows. We are going to explain two types of binaries: .exe and .dll. .exe is the common binary you can think of that you double-click and execute. It is designed to run independently and it has its own memory space; because of this, EDR vendors are looking closer at this kind of binaries,

so it's harder to bypass. Then we have .dll, which is the equivalent of Linux shared libraries, and they need a host process to be loaded, so they share the memory space with the process that is loading the DLL. That means that it's way harder for the EDR to detect what is happening, because the malicious actions are coming from a normal process. Now let's see a bit of the results we have. In this case there's a lot to explain, so I'm going to go bit by bit. We tested all three techniques against three different EDRs, the three different EDRs we introduced in the beginning, and we used two different

payloads: Cobalt Strike and Sliver. Cobalt Strike is basically the benchmark for EDR vendors to test how well they are performing, and it is a common command and control that has been used and abused by threat actors for many, many years. Sliver, on the other hand, is an open source framework, also a command and control, and it's gaining traction recently, but it's still not as much as Cobalt Strike. The first thing we can see is that if we build our payload inside a DLL and it is loaded by another process, it really helps. As you can see, two techniques, direct syscalls and indirect syscalls, were both detected when we were building a

.exe but were completely undetected when we were hiding inside a DLL. Another thing we can see is that the detection we found is partly based on Cobalt Strike, so the EDR has some signatures that are targeting Cobalt Strike because it's the benchmark of the industry, and when you are using a different payload that is not Cobalt Strike you are having a really easier time injecting your payloads. Also we can see that there are two techniques that work in every EDR and antivirus we tested, and they are direct syscalls and indirect syscalls. We discussed that sometimes the EDR could flag statically the word syscall, but as you can see, in all

the EDRs we tested this wasn't the case. Now, before continuing, let's see how an actual injection looks, because we have talked about how we land our payload, how we land Cobalt Strike or Sliver on a host with an EDR running, but after that we want to do more stuff. We just tested injection, but we didn't test what we can do after that. So for example the first thing would be a user opening a shortcut file or a macro and getting injected with our payload, so the malware is executed, and then what we are going to test now is all the actions that we can perform once we are

inside the host, once we gain control of that host. And as you can see, dynamic analysis of an EDR is not really good; the red is the things that are completely undetected. So in this section we can see some actions we perform, for example some really common actions we need to perform to conduct a successful red team engagement. The first thing you see is opening a SOCKS tunnel to pivot through the network and tunnel our connections to that internal network, and that was completely detected in every EDR, and this is one of the key features we need when we are using a command and control. Another

thing would be data exfiltration, so downloading files from the host computer. And one thing that both C2s include is keylogging, and it was only detected on one EDR and only on Cobalt Strike, so we can infer that it was only Cobalt Strike that was detected and not the keylogging activity itself; it was only a signature of Cobalt Strike. We can also add new capabilities; for that we have, for example, execute-assembly, which allows us to run a C# binary directly in memory without touching disk. This is a feature that has been used a lot and is still used, but it uses something called fork and run, which means that we spawn a new

process and inject our content in that process. Because of that it's a common activity that has been abused for the last few years and is widely detected: it is detected in every EDR with Cobalt Strike and only in one EDR with Sliver, but still it is something you should avoid: conducting actions based on fork and run. To avoid this we can also run, for example, Beacon Object Files, which are pieces of code that can be run directly from the command and control and directly in the same process. If we run everything in the same process with the protections we have previously specified, we can for example run nanodump to dump LSASS

or SharpHound to enumerate Active Directory, and that was completely undetected. Another approach to the same problem would be inline-execute-assembly, which performs exactly the same action that execute-assembly is doing, but instead of spawning a new process and doing fork and run it injects in the same process, and in that case it's completely detected, so we can infer also that the activity was detected because of fork and run and not because of execute-assembly by itself. The takeaway from here is that EDRs are highly ineffective at detecting dynamic actions, and the main area in which they can be effective, and they are effective, is detecting the first injection when you are getting

initial access. But before continuing, let's see a full kill chain, because I told you everything and you need to believe me, but let's see a real scenario in which we are injecting, from nothing, into a host computer on which they are certainly running an EDR. Because of this I'm going to explain two different bypasses that we need to implement in order to create a realistic kill chain. They are not part of the EDR at all, but they are really easy to understand. We want the user to download a shortcut, but we cannot download shortcuts from browsers, basically because it's not allowed, so what we are going to do is just zip the file, zip

our shortcut inside a file, and that would bypass the browser protection. The second thing we face in mostly every organization that is mature enough is AppLocker, which prevents us from running certain applications. So what we are going to do is point this shortcut that the user is downloading to an internal application that is present in every Windows available; it's called mshta, and because of this we can execute this application, because it's part of Windows and is signed and trusted by the system. One thing that mshta, which is the loader we are using, has is that it allows us to download and execute remote payloads from our server; they are HTML

applications that can be extended and can, for example, use things like JScript, which allows us to execute arbitrary code. The second step our payload is going to do is that the HTML application is going to download a DLL and place it in the Teams folder. Once in the Teams folder, through a hijacking vulnerability, we are going to get persistence and we are going to get a remote connection every time the user opens Microsoft Teams. Now let's see a demo, which is a video because I didn't trust myself. You can see that first I receive an email, and I'm going to download the zip file because I obviously trust my

EDR, I'm spending a lot of money, so I'm going to be completely secure. I wait a bit.

Almost there. I open the file and you can see here that it says it's a shortcut, but it looks like a PDF, and if you copy this to the desktop it looks like an actual PDF, so the user can be tricked into thinking that he's opening an actual PDF. Here you can see that profapi.dll is missing, which is the DLL we are going to download next. Now we open the PDF and, as it's loaded from the internet, it shows this pop-up, but after a few seconds it's going to open a real PDF, so it's going to mimic the real behavior of a PDF and the user can be tricked into

thinking that it worked, a PDF does nothing wrong, of course. Now profapi.dll is already there, so let's see what happens if we open Microsoft Teams.

We got a session, and we now have control of that computer and we can do basically whatever we want, any of the things we explained before in the dynamic analysis part. We can, for example, I don't know, list files; you can see that we are in the Teams folder as expected, because that's from where we're injecting. We can enumerate processes to see if there's any analysis process, any detection system we didn't anticipate, and we can do something that is not really useful for red teaming but it's quite scary, and that is taking screenshots. In this case we are going to take two screenshots and move a bit

the window to show you that I'm not cheating.

Yes, so there you have the two screenshots, so we have fully compromised a system that has an EDR running, and the key to this was basically detaching the execution from the download. As you saw, our first stage, our PDF document, didn't do anything malicious; it just opened a random document and downloaded the DLL into the Teams folder, but the Teams application was actually the one that was executing our payload, so the EDR really had a hard time correlating those two events. If we did everything in one payload it would be way easier for the EDR to attach those two actions

and to correlate that there's malicious activity. So, as long as you want to build an initial kill chain, you need to find ways of detaching these two steps to be successful in an initial access. How can we compensate for these protection gaps we find in the EDR? One question we can ask is if we really need EDR on our endpoints, because I came here and I told you that I can bypass every EDR and they are useless in dynamic analysis, and you can think, okay, then why should I pay for an EDR? But the truth is that they are really useful; they make corporations way harder to

compromise. If we know that an EDR is running it's way harder for us to perform actions; we are going to invest much more time in testing every action we perform in our test lab and we are going to be much more careful with whatever we do. And also, when we are performing a red teaming, there are certain actions that, when there's an EDR, are not worth doing. For example, if there's an EDR running maybe it's not worth dumping LSASS and burning our whole operation to get... we don't know the access it has. So really an EDR slows an attacker down a lot;

it makes it way harder for an attacker to navigate through the network if there's an EDR. Every EDR can be evaded, but every EDR is going to make your life much harder, because you need to double think everything you do. And also, if you are running a small company, an EDR is probably the best addition you can have, as they are not cheap but they are probably cheaper than a set of good analysts, and they are going to give you a lot of information about things that are happening in your network, about initial access; they are going to protect you probably against most of the automated things that you can see on the internet. They are really useful for that, but they are

not perfect. If the industry is telling you that an EDR is going to detect everything that happens, that's false, but they are really useful for what they intend to be, which is a nice tool you need to have to detect actions inside the network. Some external methods that we can have to improve our resilience would be heavy monitoring of common external compromise vectors. If you, for example, have a secure external perimeter and there's no zero-day, maybe you are good to go, but still the attacker is going to try to get to your network through external compromise vectors, and you need to see why your user is downloading a shortcut, you need

to obviously check why your user is downloading macro documents from the internet, or why your user is opening an ISO on a business laptop. Also you need to secure your Active Directory and make sure that there's no attacker that lands on a workstation and can get to domain admin from there. So you need to follow the guidelines of Microsoft for tier zero and for the tier structure, and make sure that you review it, not every couple of weeks, but every couple of times, to make sure that it is working as intended. And also you need to perform threat

hunting on the data the EDR is giving you. The telemetry of the EDR is really useful. Some of the things that the EDR is not showing you, for example, is that when I did the attack, actually in the EDR back end there were some traces of what I was doing; it's just that it wasn't that important for the EDR to show it to the user. But if you have a set of analysts that is performing threat hunting and creating custom rules, they probably would see what I was doing, because there's a lot of telemetry that the EDR is capturing and that is worth analyzing for any company. So if you

have an EDR, the best thing you can do is perform threat hunting and analyze the data the EDR is giving to you. And also one thing that I don't see that much, but that is really useful if you have a company that can implement it, is running LSASS as a protected process light, which basically prevents it from being dumped. It depends on the scenario, and there used to be some bypasses, which I think are now patched, but it is possible to prevent you from dumping LSASS, and it will make the life of an attacker way harder, because that's a really common scenario of lateral movement. So

running LSASS as protected process light is a really easy thing you can do by running a GPO, for example, and if your company can run LSASS as protected process light then you should definitely do it, because it's going to make it way harder for an attacker to move laterally. One thing that one of our colleagues found in one of our engagements is that EDRs are also software that can have bugs, and this is really, really dangerous, because this software is deployed in basically every endpoint of a business, and if you think about it, it's really crazy, because if someone compromises the

back end of an EDR, he can do whatever he wants. So in this case, in one of our engagements, we gained access to the back end of an EDR through default credentials, and also one of our colleagues found three CVEs that were high severity. The CVEs are quite easy to understand: basically the EDR has some endpoints, and through unauthenticated HTTP requests you can get the decoys, which basically are the things that the EDR is placing for you to check, and if you check them then an alert is triggered, so you know exactly what not to touch, and you can also find the exclusion rules,

which is something that is really powerful if you are performing a red team engagement, because you know exactly what the EDR is not analyzing. So as final takeaways: every EDR can be circumvented with enough time, and that's a fact, and if you invest enough time you are going to bypass any EDR that is going to face you. But the truth is that EDRs really slow down attackers, and that should be the objective and the takeaway we take from here. EDRs are useful, but we need to understand what they are useful for: they are useful because they are going to make our life much harder, not

because they are going to prevent any attacker from getting into your network. Finally, you need to implement some complementary controls to make sure your EDR is not the only thing to rely on, so you need to build custom rules, you need to do threat hunting on the EDR, you need to do some hardening on your network. You cannot rely entirely on EDR, but if you want to start increasing your security I feel like it's a good starting point. So that will be all, and it says questions, but I think there's no question, so that's all.
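As an added example (not part of Jorge's talk or any SRLabs tooling), the following Python script implements one of the compensating controls he argues for at the end: checking why a user is receiving a shortcut. The kill chain in the demo starts with a zipped .lnk that looks like a PDF, so a mail or proxy gateway can inspect every archive member by its bytes rather than its name. Shortcut files start with a fixed header defined in Microsoft's [MS-SHLLINK] specification (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046), which is what the scanner keys on. The sample archive is constructed inside the script and contains no working payload; the function and class names are mine.

```python
"""Detect Windows shortcut (.lnk) files inside a zip archive by content.

Added example, not from the talk: a gateway check for the "zipped shortcut that
looks like a PDF" delivery step. Every shortcut begins with a fixed header from
[MS-SHLLINK]: HeaderSize 0x0000004C followed by the LinkCLSID
00021401-0000-0000-C000-000000000046, so we inspect bytes, not file names.
"""
import io
import zipfile
from dataclasses import dataclass

# HeaderSize (little-endian dword) + LinkCLSID (GUID fields little-endian) as stored on disk
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")


@dataclass
class Finding:
    member: str   # archive member name
    reason: str   # why it was flagged


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with the shell link header."""
    return data.startswith(LNK_MAGIC)


def scan_zip(blob: bytes) -> list[Finding]:
    """Return one Finding per archive member that is, or claims to be, a shortcut."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))   # only the header is needed
            lower = name.lower()
            if is_lnk(head):
                reason = "shell link header"
                if not lower.endswith(".lnk"):
                    reason += ", extension does not match"
                elif lower.count(".") > 1:
                    # e.g. invoice.pdf.lnk: Explorer hides .lnk, the user sees "invoice.pdf"
                    reason += ", double extension masquerading as another file type"
                findings.append(Finding(name, reason))
            elif lower.endswith(".lnk"):
                findings.append(Finding(name, "named .lnk but header does not match"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one disguised shortcut, one renamed shortcut,
    one benign text file and one benign PDF stub (none are real payloads)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("notes.pdf", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("readme.txt", b"plain text, nothing to see")
        zf.writestr("report.pdf", b"%PDF-1.4\n%stub\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print(f"FLAG {f.member}: {f.reason}")
```

Running the script flags `invoice.pdf.lnk` (a real shortcut with a double extension) and `notes.pdf` (shortcut bytes under a PDF name) while leaving the text file and the PDF stub alone. Because the decision is made on the header bytes, renaming the member or hiding the extension does not change the result; a hook like this belongs on the mail gateway or proxy, where the talk says the monitoring of external compromise vectors should happen.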