Analysis of methods for bypassing modern EDR endpoint protection systems
DOI:
https://doi.org/10.30837/rt.2024.2.217.05Keywords:
endpoint protection system, EDR, SOC, AMSI bypass, unhooking, reflective DLLAbstract
The purpose of the article is to review and analyze the methods of bypassing complex solutions for endpoint protection (EDR). The article highlights and describes the salient features of each of the EDR bypass methods and provides recommendations for countering them. EDR (Endpoint Detection and Response) is a type of cross-platform software currently most commonly used for event monitoring, security incident generation and formalization, and incident response. For each method and tool, example of it’s useand advantages and disadvantages are described. The article will be useful for cybersecurity analysts who want to deepen their knowledge of EDR and strengthen endpoint security. It will provide readers with an insight into EDR bypass techniques and help them apply recommendations to reduce the risks of EDR bypass during cyber ttacks.
References
Когут Ю.І. Кібервійна та безпека об’єктів критичної інфраструктури : практ. посіб. Київ : Консал-тингова компанія «Сідкон, 2021, С. 132–214.
Ушатов В., Сєвєрінов О.В. Проблеми оперативного виявлення і реагування на інциденти інформа-ційної безпеки. 2019.
Sievierinov O., Ovcharenko M., Vlasov A. Enterprise Security Operations Center // Computer and in-formation systems and technologies. 2021.
Баклан Я.А., Сєвєрінов О.В. Аналіз систем захисту кінцевих точок від складних загроз EDR // End-point Detection and Response. 2022.
Antivirus Bypass Techniques: Learn practical techniques and tactics to combat, bypass, and evade an-tivirus software. Yehoshua Nir, 2021.
Malware Tech Blog [Електронний ресурс]. Режим доступу: https://malwaretech.com/2023/12/silly-edr-bypasses-and-where-to-find-them.html.
Malware Tech Blog [Електронний ресурс]. Режим доступу: https://malwaretech.com/2023/12/an-introduction-to-bypassing-user-mode-edr-hooks.html.
Infosec Write-Ups Blog [Електронний ресурс]. Режим доступу: https://infosecwriteups.com/exploring-antivirus-and-edr-evasion-techniques-step-by-step-part-1-6459563b12ea.
IRed Team Blog [Електронний ресурс]. Режим доступу: https://www.ired.team/offensive-security/defense-evasion/bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis.
Evading EDR: The Definitive Guide to Defeating Endpoint Detection Systems. Matt Hand, 2023.
GitHub репозиторій Awesome EDR Bypass [Електронний ресурс]. Режим доступу: https://github.com/tkmru/awesome-edr-bypass.
Downloads
Published
How to Cite
Issue
Section
License
Authors who publish with this journal agree to the following terms:
1. Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
2. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).