In a recent penetration test I had the pleasure of battling with a well-known EDR system. The result was so surprising that I would like to report on it here.
Pattern based detection
The first lesson learned was that the EDR relies heavily on pattern-based detection of malware. I had some evidence to support this thesis: known malware and attack patterns were detected and reported immediately.
The sticking point at this time, however, was that I already had a remote shell with NT SYSTEM rights in which I tested the detection of the "known" malware.
Bypassing EDR
So how did I manage to get so far without triggering the EDR? It was so easy that I myself didn't even notice what I had already done.
I had simply been using self-created remote shells, so no kind of pattern matching was able to detect them.
System access was possible with gathered credentials and by abusing a service running as SYSTEM.
Both went undetected by the EDR.
Pattern evasion
With a reliable shell I decided to start PowerShell. The strong focus on pattern recognition should help me to bypass AMSI. So I just used heavy obfuscation and a manual approach to disable AMSI. That worked like a charm on the first try.
Loading additional PowerShell scripts didn't raise any alarms.
Muting EDR
For completeness I also tried to silence the EDR. This was a task of minutes! I had several options. The core idea was to stop communication to the cloud. As I had enough rights to configure the firewall or DNS resolution, I was able to block that communication. From then on no more alarms were raised, even for well-known tools like Mimikatz. Even abusing credentials dumped from LSASS for lateral movement didn't trigger any alert.
Lessons learned
Within minutes, using trivial methods, EDR can be bypassed! I won't share any details here, but you know pattern evasion has a thousand possibilities. Blocking traffic is quite simple, too.
So what can a defender do? First, really evaluate your product of choice before implementation!
Second, listen also to the quiet sounds.
Even low-suspicion events may be the tip of the iceberg. Be sensitive and investigate – early!
Ask yourself, how could this happen? Why don't I see more messages?
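The muting scenario above (blocking the agent's cloud communication via firewall or DNS) and the advice to notice when messages stop suggest one concrete defender control: monitor for agents that go quiet and correlate the silence with host-side changes aimed at the agent's endpoint. The following Python script is an added example written for this post, not code from the original author or from any EDR vendor. The heartbeat records, host events and the endpoint name `telemetry.edr-vendor.example` are all constructed placeholders; the message formats stand in for whatever your firewall, Sysmon or file-integrity logs actually emit.

```python
"""Flag EDR agents that stopped reporting and correlate the silence with
firewall or name-resolution changes that target the agent's cloud endpoint.
All records below are constructed sample data for this example."""
from datetime import datetime, timedelta

# Constructed placeholder; replace with the real endpoint(s) from the agent config.
EDR_CLOUD_HOST = "telemetry.edr-vendor.example"
# Longest acceptable gap between two heartbeats before a host is called silent.
HEARTBEAT_GAP = timedelta(minutes=15)

# Constructed heartbeat records (host, ISO timestamp) as a collector would store them.
HEARTBEATS = [
    ("WS-01", "2024-05-01T10:00:00"),
    ("WS-01", "2024-05-01T10:05:00"),
    ("WS-02", "2024-05-01T10:00:00"),
    ("WS-02", "2024-05-01T10:05:00"),
    ("WS-02", "2024-05-01T10:10:00"),
    ("SRV-01", "2024-05-01T09:40:00"),   # stops reporting early
]

# Constructed host events (host, ISO timestamp, source, message).
HOST_EVENTS = [
    ("WS-01", "2024-05-01T10:06:30", "firewall",
     f"New outbound block rule added: remote address {EDR_CLOUD_HOST}"),
    ("WS-02", "2024-05-01T10:02:00", "firewall",
     "New outbound allow rule added: application C:\\Program Files\\App\\app.exe"),
    ("SRV-01", "2024-05-01T09:41:10", "file",
     f"C:\\Windows\\System32\\drivers\\etc\\hosts modified; line added: 127.0.0.1 {EDR_CLOUD_HOST}"),
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def silent_hosts(heartbeats, now, gap=HEARTBEAT_GAP):
    """Return {host: last_seen} for every host whose newest heartbeat is older than gap."""
    last_seen = {}
    for host, ts in heartbeats:
        t = parse_ts(ts)
        if host not in last_seen or t > last_seen[host]:
            last_seen[host] = t
    return {h: t for h, t in last_seen.items() if now - t > gap}


def tamper_events(events, endpoint=EDR_CLOUD_HOST):
    """Return (host, ts, reason) for events that cut firewall or DNS paths to the endpoint."""
    hits = []
    for host, ts, source, msg in events:
        text = msg.lower()
        if endpoint.lower() not in text:
            continue                      # only changes that name the EDR endpoint matter
        if source == "firewall" and "block" in text:
            hits.append((host, ts, "firewall block rule targets EDR endpoint"))
        elif source == "file" and "hosts" in text:
            hits.append((host, ts, "hosts file redirects EDR endpoint"))
    return hits


def correlate(heartbeats, events, now):
    """Rank findings: silence preceded by a tampering event is the strongest signal."""
    silent = silent_hosts(heartbeats, now)
    tampered = {h: (ts, why) for h, ts, why in tamper_events(events)}
    findings = []
    for host, last in silent.items():
        if host in tampered:
            ts, why = tampered[host]
            findings.append((host, "HIGH", f"agent silent since {last.isoformat()}; {why} at {ts}"))
        else:
            findings.append((host, "MEDIUM", f"agent silent since {last.isoformat()}; no tampering event seen"))
    for host, (ts, why) in tampered.items():
        if host not in silent:            # tampering seen but agent still talking: investigate anyway
            findings.append((host, "MEDIUM", f"{why} at {ts}; agent still reporting"))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed "current time" for the sample run.
    for host, severity, detail in correlate(HEARTBEATS, HOST_EVENTS, parse_ts("2024-05-01T10:22:00")):
        print(f"[{severity}] {host}: {detail}")
```

The point of the correlation is the one the post makes in its last lines: a host that simply stops sending telemetry looks like nothing in the console, so the absence has to be turned into an event of its own. The gap threshold should be tuned to the agent's real reporting interval, and the firewall and hosts-file matching should be replaced with the event IDs your own logging sources provide.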