General
October 11, 2024

EDR – Tampering by attackers

By venkat

Problem: Endpoint detection and response (EDR) software has gained significant market share due to its ability to examine system state for signs of malware and attacker activity well beyond what traditional anti-virus software is capable of detecting. This deep inspection capability of EDRs has led to an arms race with malware developers who want to evade EDRs while still achieving desired goals, such as code injection, lateral movement, and credential theft. This monitoring and evasion occurs in the lowest levels of hardware and software, including call stack frames, exception handlers, system calls, and manipulation of native instructions. Given this reality, EDRs are limited in how much lower they can operate to maintain an advantage. The success of EDR bypasses has led to their use in many high-profile attacks and by prolific ransomware groups.

  • EDR on all my server machines
  • EDR solutions tampered in nearly all ransomware and APT attacks (MITRE ID: T1562.001). 
  • The first steps attackers take to hide their actions.
  • One good example is the Spyboy EDR Killer
  • https://github.com/ZeroMemoryEx/Terminator
  • Living of the land binaries – https://www.loldrivers.io/
  • Develop rules for ransomware TTPs with your SIEM, based on relevant log sources, for example, to detect internal recon, discovery, lateral movement, data exfil or C2 traffic.

TODO – Playbook to respond to this alert when detected.

About The Author

Venkat is founder of FlexibleIR. He brings 20 years of experience in building tools and products at Sun Microsystems, Intel, Novell, HP, Yahoo,Tesco and startups. He has developed test suites and frameworks for post silicon validation of the Xeon processor family (Fuzzing). He has worked deeply on UFS files system at SUN Microsystem. Was a security paranoid at Yahoo.