Recently @NinjaParanoid and I had some short discussion about #EDR bypasses.
In this thread🧵 I'd like to share my view on EDR bypasses and it's various types from both
offensive & defences sides.
There are three types of EDR bypasses:
In this thread🧵 I'd like to share my view on EDR bypasses and it's various types from both
offensive & defences sides.
There are three types of EDR bypasses:
1. Technical capabilities bypass
Everything is simple here. EDR isn't capable to collect some telemetry. This is a technical problem, the lack of the feature. Look at dark blue stripes below from @MITREattack evaluation:
Everything is simple here. EDR isn't capable to collect some telemetry. This is a technical problem, the lack of the feature. Look at dark blue stripes below from @MITREattack evaluation:
If I remember correctly, @jaredcatkinson called this type of bypass as "pure EDR bypass", I like this name too😉
EDR development team should remove such telemetry collection ability gaps. In some cases it's quite easy, in some - very difficult.
EDR development team should remove such telemetry collection ability gaps. In some cases it's quite easy, in some - very difficult.
Compare adding a new ETW provider support against getting RPC telemetry, only a few EDRs in the world have the latter.
From offensive side, thanks to MITRE evaluations this type of bypass is kind of "on surface" for every well-known EDR.
From offensive side, thanks to MITRE evaluations this type of bypass is kind of "on surface" for every well-known EDR.
2. EDR configuration bypass
As I recently mentioned - nobody needs EDR which affects their PCs, critical servers and finally business.
If EDR is able to collect all telemetry it doesn't necessary mean it does this🤔
As I recently mentioned - nobody needs EDR which affects their PCs, critical servers and finally business.
If EDR is able to collect all telemetry it doesn't necessary mean it does this🤔
That's why EDRs have various aggression level settings and the most aggressive ones are rarely turned on in a real environments.
From defender's perspective EDR config tuning is a constant trade off between performance/EPS & detection capabilities⚖️
From defender's perspective EDR config tuning is a constant trade off between performance/EPS & detection capabilities⚖️
From offensive side, EDR's config is hidden this time, as well as bypass vector, but it doesn't mean it's can't be discovered.
3. EDR detection logic bypass
Even with the right collected telemetry every #EDR may be bypassed using particular TTP. But it's very difficult for an attacker to remain undetected during the whole Kill Chain path.
Even with the right collected telemetry every #EDR may be bypassed using particular TTP. But it's very difficult for an attacker to remain undetected during the whole Kill Chain path.
From defensive side, this bypass type is quite easily to eliminate if your hunters team is working hard & have enough time for detection rules development and tuning.
As an evidence of this, we can see how some initially "weak" EDRs demonstrated impressive results during the last @MITREengenuity evaluation. Most likely it means, that EDR already had a good technical collection capabilities and their hunters team have done a great work😤👏
• • •
Missing some Tweet in this thread? You can try to
force a refresh
