--- Title: Evading EDR ---
Excerpts
- Applying Brittle vs. Robust Detections ‘Brittle detections are those designed to detect a specific artifact, such as a simple string or hash-based signature commonly associated with known malware. Robust detections aim to detect behaviors and could be backed by machine-learning models trained for the environment. Both detection types have a place in modern scanning engines, as they help balance false positives and false negatives.’
Excerpt from Evading EDR (for True Epub) by Matt Hand. Copyright may apply to this material.
- Exploring Elastic Detection Rules
‘One of the only EDR vendors to publicly release its detection rules is Elastic, which publishes its SIEM rules in a GitHub repository. Let’s take a peek behind the curtain, as these rules contain great examples of both brittle and robust detections.’
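The two excerpts above describe the trade-off in the abstract. The following is an added example (not code from the book or from Elastic's rule repository) that runs a brittle rule and a robust rule over a few constructed telemetry events. The events, hashes, paths and the allowlist are all made up for illustration; a real rule would be an EQL/KQL query over the agent's event stream rather than Python, but the logic is the same. Renaming and recompiling the tool (pid 300) defeats the hash/string rule and does nothing against the behaviour rule, while the behaviour rule needs an allowlist to keep false positives down.

```python
"""Brittle (artifact) vs. robust (behaviour) detection, run over constructed events."""

# Constructed sample telemetry: process-create and process-access events as an
# EDR agent service might aggregate them. Hashes and paths are placeholders.
LSASS = r"C:\Windows\System32\lsass.exe"
EVENTS = [
    {"type": "process_create", "pid": 100, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "sha256": "a" * 64},
    # Well-known tool, well-known hash, tell-tale command line.
    {"type": "process_create", "pid": 200, "image": r"C:\Users\bob\mimikatz.exe",
     "cmdline": 'mimikatz.exe "sekurlsa::logonpasswords" exit', "sha256": "b" * 64},
    {"type": "process_access", "pid": 200, "target_image": LSASS, "granted_access": 0x1010},
    # Same capability, recompiled and renamed: new hash, bland command line.
    {"type": "process_create", "pid": 300, "image": r"C:\Users\bob\update.exe",
     "cmdline": "update.exe", "sha256": "c" * 64},
    {"type": "process_access", "pid": 300, "target_image": LSASS, "granted_access": 0x1FFFFF},
    # Benign: svchost opening lsass with PROCESS_QUERY_LIMITED_INFORMATION only.
    {"type": "process_access", "pid": 100, "target_image": LSASS, "granted_access": 0x1000},
]

KNOWN_BAD_HASHES = {"b" * 64}                 # constructed "signature" feed
KNOWN_BAD_STRINGS = ("sekurlsa::", "lsadump::")

PROCESS_VM_READ = 0x0010                      # access right needed to read lsass memory
# Images that legitimately read lsass memory in many estates; tune per environment.
LSASS_READER_ALLOWLIST = {r"C:\Program Files\Windows Defender\MsMpEng.exe"}


def brittle_detect(events):
    """Artifact match: known file hash or known string in the command line."""
    hits = set()
    for e in events:
        if e["type"] != "process_create":
            continue
        cmd = e["cmdline"].lower()
        if e["sha256"] in KNOWN_BAD_HASHES or any(s in cmd for s in KNOWN_BAD_STRINGS):
            hits.add(e["pid"])
    return hits


def robust_detect(events):
    """Behaviour match: a non-allowlisted process opens lsass with PROCESS_VM_READ."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    hits = set()
    for e in events:
        if e["type"] != "process_access" or e["target_image"].lower() != LSASS.lower():
            continue
        wants_read = bool(e["granted_access"] & PROCESS_VM_READ)
        if wants_read and image_by_pid.get(e["pid"]) not in LSASS_READER_ALLOWLIST:
            hits.add(e["pid"])
    return hits


if __name__ == "__main__":
    print("brittle:", sorted(brittle_detect(EVENTS)))   # [200]
    print("robust: ", sorted(robust_detect(EVENTS)))    # [200, 300]
```

The brittle rule is cheap and nearly free of false positives, but only catches what is already known. The robust rule catches the renamed binary because it keys on the access mask requested against lsass, which the tool cannot change without losing its capability; the cost is that every legitimate lsass reader has to be allowlisted or the rule pages the SOC constantly.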
- Agent Design
‘The static scanner An application, or component of the agent itself, that performs static analysis of images, such as Portable Executable (PE) files or arbitrary ranges of virtual memory, to determine whether the content is malicious.’
‘The hooking DLL A DLL that is responsible for intercepting calls to specific application programming interface (API) functions.’
‘The kernel driver A kernel-mode driver responsible for injecting the hooking DLL into target processes and collecting kernel-specific telemetry.’
‘The agent service An application responsible for aggregating telemetry created by the preceding two components.’
[Screenshot Figure 1-2 The basic agent architecture]
2 Function-Hooking DLLs
‘rather than implementing syscall instructions in every function that needs to interact with the kernel, Windows provides them via functions in ntdll.dll. A function simply needs to pass the required parameters to this exported function; the function will, in turn, pass control into the kernel and then return the results of the operation.’
‘In earlier versions of Windows, vendors (and malware authors) often placed their hooks on the System Service Dispatch Table (SSDT), a table in the kernel that holds the pointers to the kernel functions used upon invocation of a syscall.’
‘With the introduction of Windows XP in 2005, Microsoft made the decision to prevent the patching of SSDT, among a host of other critical structures, using a protection called Kernel Patch Protection (KPP), also known as PatchGuard, so this technique is not viable on modern 64-bit Windows versions. This means that traditional hooking must be done in user mode. Because the functions performing the syscalls in ntdll.dll are the last possible place to observe API calls in user mode, EDRs will often hook these functions in order to inspect their invocation and execution.’

Asynchronous procedure call (#APC):
An asynchronous procedure call (APC) is a function that executes asynchronously in the context of a particular thread. When an APC is queued to a thread, the system issues a software interrupt. The next time the thread is scheduled, it will run the APC function. An APC generated by the system is called a kernel-mode APC. An APC generated by an application is called a user-mode APC. A thread must be in an alertable state to run a user-mode APC.
https://learn.microsoft.com/en-us/windows/win32/sync/asynchronous-procedure-calls
How to use APC for shellcode execution: https://redops.at/en/blog/shellcode-execution-via-asynchronous-procedure-calls
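The "alertable state" requirement is the part of the definition above that trips people up in practice. The following is an added example (not from the Microsoft page or the linked blog post, and it executes no shellcode): it queues a user-mode APC to the current thread with QueueUserAPC, shows that a plain Sleep leaves it queued, and that an alertable SleepEx delivers it. The parameter value 0x1337 is arbitrary. It needs Windows; elsewhere `run_apc_demo` returns None.

```python
"""Queue a user-mode APC to the current thread; it runs only when the thread is alertable."""
import ctypes
import sys


def run_apc_demo():
    """Return (ran_after_plain_sleep, ran_after_alertable_sleep), or None off Windows."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)

    # PAPCFUNC: VOID CALLBACK APCProc(ULONG_PTR dwParam)
    PAPCFUNC = ctypes.WINFUNCTYPE(None, ctypes.c_size_t)
    k32.QueueUserAPC.argtypes = [PAPCFUNC, ctypes.c_void_p, ctypes.c_size_t]
    k32.QueueUserAPC.restype = ctypes.c_uint32
    k32.GetCurrentThread.restype = ctypes.c_void_p      # pseudo-handle, valid for own thread
    k32.Sleep.argtypes = [ctypes.c_uint32]
    k32.SleepEx.argtypes = [ctypes.c_uint32, ctypes.c_int]
    k32.SleepEx.restype = ctypes.c_uint32

    received = []

    @PAPCFUNC
    def apc_routine(param):
        # Runs on the target thread, inside whatever alertable wait it is in.
        received.append(param)

    if not k32.QueueUserAPC(apc_routine, k32.GetCurrentThread(), 0x1337):
        raise ctypes.WinError(ctypes.get_last_error())

    k32.Sleep(10)                      # not alertable: the APC stays queued
    ran_plain = bool(received)

    rc = k32.SleepEx(10, True)         # alertable: queued APC runs before this returns
    ran_alertable = bool(received)
    # rc is WAIT_IO_COMPLETION (0xC0) when the wait ended because an APC ran.
    print(f"SleepEx returned {rc:#x}, received={received}")
    return (ran_plain, ran_alertable)


if __name__ == "__main__":
    print(run_apc_demo())              # (False, True) on Windows
```

This is why APC-based injection into another process targets a thread that is (or will become) alertable, or pairs the APC with a new or suspended thread it controls; an APC queued to a thread that never enters an alertable wait simply never runs. From the detection side, QueueUserAPC / NtQueueApcThread against a remote process is a small and well-defined surface for the hooking DLL and the kernel driver to record.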