Over the last 10-12 years, EDR solutions have become a mainstay in endpoint defense. The reason for the dramatic adoption of EDR solutions was because Anti-Virus (AV) solutions at the time were (and still are) unable to detect a new wave of undetectable threats. Document-based attacks with macro’s and fileless malware contributed to the inevitable downfall of AV as we know it.
The adoption of cloud-based and on-premises EDR solutions is said to be growing at a rate of 26% annually and estimated at a value at $7.2 Billion by 2026. Unfortunately, EDR’s are no longer the “Silver Bullet” they once were due to advances in detection avoidance techniques and the utilization of AI written code.
Advances in the efficiency of EDR automation and the incorporation of EDR into centralized platforms have made it an essential solution that can significantly help teams prevent and detect attacks quickly and effectively. After many years of success, EDR solutions have become the backbone of many strong cyber-defense initiatives. Despite being a significant advancement in endpoint protection, EDR tools are not perfect.
Attack Vectors Against EDR’s
The continued development of new attack vectors requires adaptation involving extending protection and detection beyond endpoints. XDR is one example of this extension. Malware authors over the last 4+ years have figured out ways to bypass EDR detection using several novel approaches. A recent study found that nearly all EDR solutions are vulnerable to at least one EDR evasion technique. XDR solutions may be able to detect anomalous activity where EDR’s cannot, but XDR’s may not necessarily identify that activity as malicious, merely “suspicious”, and unwarranted for further investigation dependent on SOC Team workload and resources.
This reinforces why it is important to have an automated sandbox technology working in combination with EDR and XDR technologies. Working autonomously in conjunction with each other, this alignment of technologies will enable SOC Teams to positively identify advanced evasive threats quickly when EDR’s alone are no longer capable.
Common EDR Bypass Tools
Some common EDR bypass techniques and tools found in the cybersecurity community include:
1. ScareCrow:
Scarecrow is a payload creation framework designed to help security professionals understand and simulate various techniques for bypassing Endpoint Detection and Response (EDR) solutions.
2. Meterpreter:
A popular payload within the Metasploit Framework that can evade some EDR solutions by using techniques like in-memory execution and process injection.
3. Cobalt Strike:
A commercial penetration testing tool that includes features for evading EDR solutions, such as process injection, reflective DLL injection, and obfuscation techniques.
4. Empire:
A PowerShell and Python post-exploitation framework that includes techniques for evading detection by EDR solutions, such as using in-memory execution and encrypted communication.
5. Shellcode Injection Tools:
Various tools allow injection of shellcode into processes to avoid detection by EDR solutions.
6. Obfuscation Tools:
Tools and techniques that obfuscate or encrypt payloads to avoid detection.
These involve using legitimate system tools and processes to perform malicious activities, which can be harder for EDR solutions to detect.
8. Bypassing EDR by Manipulating Memory:
Techniques involving direct memory manipulation or using advanced code injection methods.
EDR Bypass | Scarecrow
The most popular and successful EDR Bypass tools use several different techniques including DLL Sideloading, Code Injection, Userland API Hooking and AI written code using ChatGPT. Today, we’re going to focus on a CPL (Code Path Load) Sideloading EDR Bypass tool called Scarecrow.
Scarecrow is a payload creation framework designed to help security professionals understand and simulate various techniques for bypassing Endpoint Detection and Response (EDR) solutions. It focuses on methods like CLP Sideloading to evade detection by EDR’s.
Here’s a brief overview of how Scarecrow and CLP Sideloading work:
Scarecrow EDR Bypass Framework
Scarecrow performs the evasion techniques that attackers use to bypass EDR solutions. It provides a controlled environment for understanding how these techniques can be used and how to defend against them.
The framework includes various tools and methods for testing and simulating bypass techniques. It’s primarily used for research and security testing purposes.
CLP Sideloading
CLP (Code Load Path) Sideloading is a technique used to evade detection by exploiting how code is loaded and executed within an environment. CLP Sideloading involves manipulating the code load paths of applications to execute malicious code in a manner less likely to be detected by other security tools. This technique leverages the way in which software applications locate and load libraries or modules.
ScareCrow in Action:
When executed, ScareCrow will copy the bytes of the system DLLs stored on disk. The DLLs are then stored on disk and used by the system to load an unaltered copy into a new spawning process. Placing a malicious library in a location where legitimate applications are expected to load it from, attackers can fool the application into executing the malicious code instead of the legitimate one.
Once the EDR hooks are removed, ScareCrow then uses custom calls to load and run shellcode in memory. ScareCrow uses the same technique even after the EDR hooks are removed, helping to avoid detection by hooking-based telemetry tools or event logging mechanisms. Attackers can also adjust environment variables or application settings to point to other malicious code or libraries.
ScareCrow also contains the ability to do process injection attacks.
Evasion:
EDR solutions monitor and analyze both user behavior in addition to path and application behavior. By sideloading code through unconventional or unexpected paths, attackers seek to avoid triggering any EDR alerts. Some sideloading techniques involve dynamically loading code at runtime, which can evade static analysis and detection methods used by some EDR systems.
The main challenge for EDR solutions in detecting CLP Sideloading is that it often involves subtle changes in code execution paths that may not be immediately obvious. EDR systems need to be able to monitor and analyze dynamic code loading and path changes effectively.
Defensive Measures against CLP Sideloading
To defend against CLP Sideloading and similar techniques:
- Keep Systems Updated: Regularly update and patch systems to mitigate vulnerabilities that could be exploited through sideloading.
- Use Application Whitelisting: Ensure that only approved applications and libraries are allowed to run.
- Implement Strong File Integrity Monitoring: Regularly check for unauthorized changes to critical files and libraries.
- Monitor and Analyze Load Paths: Track and analyze code load paths and environment variable changes for suspicious activity.
Understanding these techniques is crucial for developing robust security measures and ensuring that EDR solutions are configured to detect and respond to sophisticated evasion methods.
How VMRay Can Help with EDR Bypass Detection
VMRay technology can be used to identify malicious activity such as process unhooking, modified code execution paths, and code injection using Deep Analysis by detonating the suspicious binary in a sandbox environment.
Whether a known or a previously unknown Zero-Day, all malicious activity is recorded and reported, in addition to identifying the IOCs and artifacts to be leveraged by Detection Engineering Teams to block future attacks and Threat Hunting Teams to identify anomalous activity in their network environment.