cyber-triage-logo

How EDR Evasion Works: Attacker Tactics

Endpoint Detection and Response (EDR) tools are an important part of any company’s cyber security efforts. That’s why attackers are constantly trying to evade them and avoid detection.

This article is a high-level overview of EDR evasion. It’s more about the concepts than the details of specific tactics, which could be fixed at any time. The goal is to give a framework to recognize how hard it is to avoid attackers. 

EDRs play a critical role in detecting attacks, but you will also need investigation tools to respond to EDR alerts. 

For those who prefer videos, we discussed these ideas in our recent webinar “What EDRs Miss.”

You can get the recording here

How Do EDRs Work?

Let’s first start with a high-level overview of how EDRs work: 

  • Most EDRs have a cloud-based server
  • You install an agent on each of the endpoints
  • The agents send data to the server for analysis
  • The server looks for malicious activity and generates alerts
  • Analysts can review alerts from the server

How EDRs work.

For the sake of EDR evasion, we’re going to focus on 3 high-level steps from the above: 

  1. The agent has sensors that observe activity on the endpoint
  2. That data is sent to the server 
  3. The data is analyzed and alerts are generated for malicious activity

There are of course hundreds of details to each of those steps, but those are the key ones to understand the basic EDR evasion concepts. 

What Is EDR Evasion?

EDR Evasion is when an attacker uses tactics to prevent EDRs from generating alerts. If you refer to the previous section, it’s to make sure step 3 never generates an alert.

There are a variety of EDR evasion tactics that work on different types of EDRs. Some of them are fixable by the EDR vendor and some aren’t. 

A great resource is the “Evading EDR” book by Matt Hand. 

How Does EDR Evasion Work? 

There are 3 main ways that EDR evasion works:

  • Blinding: The EDR sensors don’t get to observe the activity
  • Blocking: The data doesn’t get to the server for analysis
  • Hiding: The data doesn’t get flagged as malicious

These three categories line up with the flow we previously outlined. An ‘X’ represents the various places that attackers try to evade the EDR.

Let’s go into each a bit more and provide some examples. 

Evading EDR Sensors with Blinding

This tactic works because it causes the activity to not be observed and therefore not analyzed.

There are several agent concepts to understand with respect to how they can miss the activity: 

  • Multiple Sensors: The agent includes several types of “sensors” that are each designed to observe different parts of the computer. Ex: One may focus on files, another on processes, and another on PowerShell. 
  • Configurable: Settings dictate what an agent observes. IT teams may disable sensors to save resources and attackers may disable them to hide activity. 
  • Robustness: Some of the sensors use operating system features that were not designed for security, so attackers can manipulate them. 
  • Attackers Adapt: Attackers constantly try to avoid EDRs and find ways to do things that current sensors will not observe. 

Here is a non-comprehensive list of ways that attackers try to avoid the initial observation: 

  • Configure the EDR to ignore activity in a certain folder. 
  • Avoid using “hooked APIs” that the EDR is monitoring. Example.
  • Use folders that are already being ignored (based on official configs)
  • Detect and disable the services and processes associated with an EDR agent. 
  • Unload an EDR’s “Event Tracing Consumer” so that it doesn’t see event messages generated by other applications. Example.
  • Install their own “File System Minifilter” that will cause the EDR’s “File System minifilter” to never see file activity. Example.  

There are many more tactics that fall into this category of EDR evasion.

Evading EDR Analysis with Blocking

Some tactics focus on preventing the data from getting from the EDR sensor to the server for analysis.

They do this by changing the host’s networking infrastructure so that a connection is not made to the EDR server. 

As an example, “EDR Silencer” adds a Windows network filter to block traffic to the EDR servers.

To be clear, some detections do happen within the agent, but if the agent cannot communicate with the server, then the analyst will never see it. 

Note
Both this and the previous technique mean that the EDR server does not know about the attacker activity. So, if your Digital Forensics and Incident Response (DFIR) team is looking for evidence from within EDR data, the activity will not be there.

Evading Detection with Hiding

Lastly, some tactics rely on not getting detected. The data makes it to the server, but doesn’t trigger an alert.

There are many examples of how attackers try to evade detection: 

  • Obfuscation: Code is obfuscated to make it harder to know if it is good or bad.
  • Living Off The Land: Using existing and non-malicious tools that are normal in some environments. 
  • Slow: Performing activities slowly so that they tend to blend in and it’s harder for the EDR to correlate them. 
  • Unique Data: Some detection techniques rely on exact matches from previous attacks. Attackers will use unique hashes, IPs, and file names. 

The Impact of EDR Evasion

The impacts of EDR evasion are that:

  • Missed Detections: Attackers may be able to operate without detection. This means that when an alert is generated, you need to look for prior activity that was not detected.
  • Incomplete Data: When you investigate, you should rely on other collection tools because the EDR may not have all of the data.

This is why we recommend security teams have a tool like Cyber Triage, which enables them to investigate an endpoint after an alert and collect additional data. An endpoint triage allows you to quickly identify if the attacker:

  • Installed malware or command and control tools
  • Laterally moved between other hosts
  • Exfiltrated data

EDRs can be very powerful at detecting and collecting data, but additional investigation tools are needed once an alert has been generated.

Be Prepared To Investigate

Your organization needs to be prepared to respond when you are suspicious about endpoints, regardless of if you are notified from an EDR, NDR, or help desk ticket. EDR alerts will not tell the full story and EDRs do not have all of the data.

If you need an investigation platform to investigate EDR alerts, then you can try out Cyber Triage for 7-days. Its collector can deploy via your EDR to get more data and you can get clues about what else happened on the system.

 

You can download Cyber Triage from here.

Blog