The Cat-and-Mouse Game: EDR Evasion Techniques and Countermeasures

Endpoint Detection and Response (EDR) systems are essential in modern cybersecurity, providing real-time monitoring and response capabilities to detect and mitigate threats on endpoints. However, cyber adversaries continually develop sophisticated techniques to evade these defense's, rendering organizations vulnerable to undetected attacks. This blog delves into prevalent EDR evasion techniques, supported by recent research and statistics, and outlines effective countermeasures to bolster organizational security.

Common EDR Evasion Techniques

1. Reflective Loading

Attackers utilize reflective loading to inject malicious code directly into a process's memory without writing it to disk, thereby bypassing file-based detection mechanisms. This technique allows malware to operate stealthily within legitimate processes, evading traditional EDR scrutiny. For instance, reflective loading has been employed to execute tools like MimiKatz while avoiding detection by security products such as Windows Defender.

2. Process Injection

By injecting malicious code into legitimate processes, attackers can mask their activities under the guise of trusted applications. This method complicates detection, as the malicious code runs within the context of a benign process, making it challenging for EDR systems to differentiate between normal and malicious behaviors. Techniques such as using NtCreateThreadEx and NtMapViewOfSection are commonly employed for process injection.

3. DLL Injection: 

Similar to process injection, DLL injection involves inserting malicious DLLs into running processes. This technique is often used to establish persistence and evade detection.

4. Obfuscation and Encryption

To hinder analysis and detection, adversaries often obfuscate or encrypt their malicious code. By disguising the code's true intent, they can evade static analysis engines that rely on pattern recognition. The Cluster Bomb campaign, observed in 2023, exemplifies this approach, where attackers used sophisticated encryption to conceal ransomware payloads, effectively evading traditional security measures.

5. Tampering with EDR Processes

Some attackers directly target EDR processes by attempting to disable or alter them, thereby reducing the effectiveness of endpoint defences. This can involve stopping services, modifying configurations, or exploiting vulnerabilities within the EDR software itself. Such tactics allow malicious activities to proceed without triggering alerts.

6.     Abusing Legitimate Tools

Known as "living off the land" tactics, attackers exploit legitimate system tools to conduct malicious activities. By using trusted applications like PowerShell or Windows Management Instrumentation (WMI), they can perform actions such as data exfiltration or lateral movement without raising suspicion. This approach leverages the inherent trust and functionality of these tools to bypass security controls.

7. Direct System Calls: 

Bypassing standard Windows API calls, and instead making direct system calls. This makes it harder for EDR systems to track what a process is doing.

8. Kernel-Level Rootkits: 

These rootkits operate at the kernel level, providing the attacker with complete control over the system and making them incredibly difficult to detect.

9. Bring Your Own Vulnerable Driver (BYOVD): 

Attackers use signed, but vulnerable drivers to gain kernel level access. Because the driver is signed, it is harder for some security solutions to block.

Notable Instances and Statistics

• Prevalence of EDR Evasion: A study revealed that 94% of popular EDR solutions are vulnerable to at least one common evasion technique, highlighting the widespread nature of this issue.

• Black Market for EDR Evasion Tools: EDR evasion tools are available on the dark web, often sold as subscription services starting as low as $350 per month or $300 for a single bypass. This accessibility lowers the barrier for attackers, increasing the frequency of such evasion attempts.

• Advanced Evasion Campaigns: The Cluster Bomb campaign in 2023 demonstrated the use of sophisticated encryption and obfuscation techniques to evade detection, underscoring the evolving tactics of cyber adversaries.

• According to Mitre ATT&CK data, process injection and DLL injection remain prevalent tactics used by advanced persistent threat (APT) groups.

• Recent reports show a rise in the use of BYOVD attacks. Threat actors are leveraging this technique to bypass security solutions.

• The 2023 CrowdStrike Global Threat Report highlighted the increase in sophisticated ransomware attacks, many of which employ EDR evasion techniques to maximize their impact.

• The use of obfuscation and encryption has increased, as seen in various malware campaigns. This is done to make the malware harder to reverse engineer.

• Reports from various Cyber security firms have shown a rise in rootkit usage, especially in targeted attacks.

Countermeasures Against EDR Evasion

1. Behavioural Analysis

Implementing behavioral analysis allows security systems to detect anomalies in process behavior, even if the malicious code is obfuscated or injected into legitimate processes. By focusing on the actions performed rather than solely on code signatures, organizations can identify suspicious activities indicative of evasion attempts.

2. Memory Protection Mechanisms

Employing memory protection techniques, such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), can hinder attackers' ability to execute code via reflective loading or process injection. These mechanisms make it more challenging for malicious code to predictably execute within a system's memory.

3. Endpoint Hardening

Regularly updating and patching endpoint systems reduce vulnerabilities that attackers might exploit for EDR evasion. Disabling unnecessary services and implementing the principle of least privilege further limit the attack surface, making it more difficult for adversaries to perform unauthorized actions.

4. Advanced Threat Detection Solutions

Utilizing advanced threat detection solutions that incorporate machine learning and artificial intelligence can enhance the ability to identify and respond to sophisticated evasion techniques. These systems can adapt to emerging threats by learning from new attack patterns and indicators of compromise.

5. Continuous Monitoring and Threat Hunting

Establishing continuous monitoring and proactive threat hunting practices enable organizations to detect and respond to evasion attempts promptly. By actively searching for signs of compromise and unusual behavior, security teams can address threats before they escalate.

The Ongoing Battle

EDR evasion is an ongoing challenge that requires continuous adaptation and innovation. Organizations must stay informed about the latest threats, invest in advanced security technologies, and foster a culture of security awareness to effectively protect their endpoints.