
Implant AV and EDR Evasion

zusmani26 edited this page Mar 28, 2023 · 4 revisions

Antivirus & Endpoint Detection and Response Evasion

AV and EDR evasion is needed for an effective red team, since the team has to get past the frontline software defenses.

Examples of Antivirus (AV)

  • Microsoft Defender
  • McAfee Total Protection
  • Norton 360

Examples of Endpoint Detection and Response (EDR)

  • FireEye
  • CrowdStrike
  • Symantec

Antivirus (AV) scans for malicious software and, when it finds some, blocks or removes it. The detection/scanning techniques are signature-based detection, behavior-based detection, and smart scans.

There are two types of evasion techniques: static evasion and dynamic evasion.

Static Evasion

  • Primarily used to get past signature-based scanning
  • The goal is to deliver a build of the program that does not look like known malware
  • Examples of the technologies involved are cyclic redundancy check (CRC) algorithms and cryptographic hashes
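To make the static side concrete, here is an added example (not code from this wiki or its project) of the kind of signature lookup an AV's static scanner performs: a CRC-32 and SHA-256 hash match over the whole file, plus a byte-pattern signature. The "files" and the signature set are constructed byte strings for the demo, not real malware or real vendor signatures. Running it shows why a defender cannot rely on whole-file hashes alone: changing a single byte defeats both hash signatures, while the byte-pattern signature still fires.

```python
import hashlib
import zlib

# Constructed sample "files": arbitrary filler bytes standing in for executables.
# Neither is real malware; the content is made up for this example only.
KNOWN_BAD = b"MZ\x90\x00demo-sample-A: arbitrary filler bytes for the example"
BENIGN = b"MZ\x90\x00demo-sample-B: a different arbitrary filler for the example"


def crc32_hex(data: bytes) -> str:
    """CRC-32 of the whole input as an 8-hex-digit string (constructed signature format)."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the whole input as a hex string."""
    return hashlib.sha256(data).hexdigest()


# A hash-based signature set is just a lookup of known-bad digests. Here it is
# derived from the constructed sample above; in practice it comes from the vendor.
HASH_SIGNATURES = {
    "crc32": {crc32_hex(KNOWN_BAD)},
    "sha256": {sha256_hex(KNOWN_BAD)},
}

# A byte-pattern signature matches a substring rather than the whole file, so it
# survives changes elsewhere in the file. The pattern is constructed for the demo.
PATTERN_SIGNATURES = {
    "demo-sample-A-marker": b"demo-sample-A",
}


def scan(data: bytes) -> dict:
    """Return which static signature types fire on `data`."""
    hits = {
        "crc32": crc32_hex(data) in HASH_SIGNATURES["crc32"],
        "sha256": sha256_hex(data) in HASH_SIGNATURES["sha256"],
        "patterns": [name for name, pat in PATTERN_SIGNATURES.items() if pat in data],
    }
    hits["detected"] = hits["crc32"] or hits["sha256"] or bool(hits["patterns"])
    return hits


def flip_one_byte(data: bytes, index: int = -1) -> bytes:
    """Change a single byte (default: the last one). Used to show how brittle
    whole-file hash signatures are compared with byte-pattern signatures."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    samples = [
        ("known bad", KNOWN_BAD),
        ("benign", BENIGN),
        ("known bad, one byte changed", flip_one_byte(KNOWN_BAD)),
    ]
    for label, sample in samples:
        print(f"{label:30s} -> {scan(sample)}")
```

The third sample is the interesting one for a detection engineer: both hash lookups report no match after a one-byte change, and only the pattern signature keeps the file flagged. That gap is the reason real products layer behavior-based detection on top of static signatures.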

Dynamic Evasion

  • The program changes its behavior when it detects an antivirus environment
  • It keeps its behavior changed until it is in an environment where it can execute the malware away from the antivirus
  • Examples of technologies that can help in this process are the Metasploit Framework and PE packers

Endpoint Detection and Response (EDR) collects data from endpoints, the devices connected to a network. EDR analyzes the data and flags any suspicious findings, then activates automated defenses such as isolation. Finally, EDR builds a threat profile to see whether new threats come from the same source as previous ones.

Evasion methods include:

AMSI Bypass

  • Altering code, such as strings and functions, that may trigger AMSI
  • An example of malware that uses this is the Agent Tesla remote access trojan (RAT)
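The defender's counterpart to altered strings is to normalize script text before matching it. Below is an added example (not code from this wiki or its project) of a small detector over constructed PowerShell script block log entries: it folds `'a' + 'b'` string concatenation and `[char]N + [char]M` sequences back into plain literals, then looks for AMSI references, and rates a reference that only appears after normalization as higher severity, because the script was written to avoid the plain string. The event shape and every script line are constructed for the demo; the indicator list is a minimal assumption, not a vendor rule set.

```python
import re

# Constructed script block log entries. The shape loosely follows the script
# text field of a PowerShell script block event; the content is made up here.
SAMPLE_EVENTS = [
    {"id": 1, "script": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"id": 2, "script": "Write-Host 'checking amsi.dll version'"},
    {"id": 3, "script": "$f = 'Am' + 'si' + 'Scan' + 'Buffer'; Write-Host $f"},
    {"id": 4, "script": "$n = [char]65 + [char]109 + [char]115 + [char]105; Write-Host $n"},
    {"id": 5, "script": "$p = 'C:\\' + 'Temp'; Get-ChildItem $p"},
]

# Most specific indicator first; the first match wins. Assumed minimal list.
INDICATORS = {
    "amsiscanbuffer": "reference to the AmsiScanBuffer API",
    "amsi.dll": "reference to the AMSI library",
    "amsi": "generic AMSI reference",
}


def normalize(script: str) -> str:
    """Undo simple string-splitting tricks and lower-case the result."""
    def fold_chars(match: re.Match) -> str:
        codes = re.findall(r"\[char\](\d+)", match.group(0), flags=re.IGNORECASE)
        return "'" + "".join(chr(int(c)) for c in codes) + "'"

    # [char]65 + [char]109 ...  ->  'Am...'
    folded = re.sub(r"\[char\]\d+(?:\s*\+\s*\[char\]\d+)*", fold_chars, script,
                    flags=re.IGNORECASE)
    # 'Am' + 'si'  ->  'Amsi'   (closing quote, '+', reopening same quote removed)
    folded = re.sub(r"(['\"])\s*\+\s*\1", "", folded)
    return folded.lower()


def analyze(event: dict) -> dict:
    """Classify one event: which indicator fired and whether it was hidden."""
    raw = event["script"].lower()
    norm = normalize(event["script"])
    findings = []
    for token, description in INDICATORS.items():
        if token in norm:
            findings.append(description)
            break
    # A reference visible only after normalization means the author split the string.
    obfuscated = bool(findings) and "amsi" not in raw
    severity = "high" if obfuscated else ("medium" if findings else "none")
    return {"id": event["id"], "findings": findings,
            "obfuscated_reference": obfuscated, "severity": severity}


def triage(events: list) -> list:
    """Return the analyses of all events that produced a finding."""
    return [r for r in (analyze(e) for e in events) if r["severity"] != "none"]


if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(result)
```

Event 5 is there as a control: ordinary path concatenation is folded the same way but produces no finding, so the normalizer itself does not raise the false-positive rate. A production rule would carry a larger indicator list and handle more encodings (Base64, format strings), but the structure is the same: normalize first, match second, and treat "only visible after normalization" as its own signal.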

Unhooking

  • Hiding malicious memory calls behind normal memory calls that distract the EDR and take up its processing
  • Examples of technologies used for this are Windows API syscalls and ntdll.dll

Reflective DLL Loading

  • This is where an attacker takes a dynamic link library (DLL) and loads it directly into a process. Since EDRs mostly look for DLLs at the disk level, this can act as a Trojan horse of sorts and stay under the EDR's radar
  • An example of a technology used for this is the Cobalt Strike evasion framework
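Because a reflectively loaded DLL never goes through the loader or touches disk, the memory scanner side of an EDR looks for it by triaging process memory regions instead of files. The following added example (not code from this wiki or its project) shows that triage over a constructed snapshot of one process's regions: executable memory that is not a loader-registered image is flagged, and being writable-and-executable at once or starting with a PE header (`MZ`) are recorded as corroborating reasons. The `Region` record, its `kind`/`protect` shorthand and all addresses are assumptions made up for the demo, not a real API.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Region:
    """One memory region as a scanner would describe it (constructed shorthand)."""
    base: int
    size: int
    protect: str                  # e.g. "RX", "RWX", "RW"
    kind: str                     # "IMAGE" (loader-mapped module), "MAPPED", "PRIVATE"
    path: Optional[str] = None    # backing file for IMAGE/MAPPED, None for PRIVATE
    head: bytes = b""             # first bytes of the region, as read by the scanner


# Constructed snapshot of a single process; every value is made up for the demo.
SAMPLE_REGIONS = [
    Region(0x00400000, 0x20000, "RX", "IMAGE", r"C:\Program Files\App\app.exe", b"MZ\x90\x00"),
    Region(0x7FF800000000, 0x1D0000, "RX", "IMAGE", r"C:\Windows\System32\ntdll.dll", b"MZ\x90\x00"),
    Region(0x1A2B0000, 0x10000, "RW", "PRIVATE", None, b"\x00\x00\x00\x00"),   # ordinary heap
    Region(0x1C3D0000, 0x40000, "RWX", "PRIVATE", None, b"MZ\x90\x00"),        # PE image in private memory
    Region(0x1E4F0000, 0x8000, "RX", "PRIVATE", None, b"\x48\x89\x5c\x24"),    # code with no backing file
    Region(0x2F000000, 0x30000, "RX", "MAPPED", r"C:\Users\Public\helper.dll", b"MZ\x90\x00"),  # mapped, not loaded
]


def triage(regions: List[Region]) -> List[dict]:
    """Flag executable regions that were not put there by the normal loader."""
    findings = []
    for r in regions:
        if "X" not in r.protect:
            continue                      # not executable: out of scope for this check
        if r.kind == "IMAGE":
            continue                      # loader-registered module backed by a file on disk
        reasons = [f"executable {r.kind} region outside the loader's module list"]
        if "W" in r.protect:
            reasons.append("writable and executable at the same time")
        if r.head.startswith(b"MZ"):
            reasons.append("begins with a PE header (MZ) although no loaded module backs it")
        findings.append({"base": hex(r.base), "size": r.size,
                         "path": r.path, "reasons": reasons})
    return findings


def is_suspicious(regions: List[Region]) -> bool:
    """True when the snapshot contains at least one flagged region."""
    return bool(triage(regions))


if __name__ == "__main__":
    for finding in triage(SAMPLE_REGIONS):
        print(finding["base"], finding["size"], finding["path"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Two practitioner caveats apply to the real thing: JIT runtimes such as .NET legitimately create private executable regions, so a production scanner correlates these findings with the loaded runtime before alerting; and a region without an `MZ` header is not cleared by that absence, since the first reason alone is enough to warrant a closer look.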