Bypassing, Evading and Unhooking Endpoint Security Solutions

According to the most recent estimates, nearly half of organizations experienced a ransomware attack in the last year. Ransomware is no longer considered just a technical threat, but rather the largest single risk to any organization.  

Current endpoint protection (EPP) solutions available in the market, while robust and effective against some threats, obviously do not fully protect organizations against ransomware attacks or we would not keep seeing headlines about high-profile attacks daily.  

Why are ransomware attacks so successful? For many reasons, one key aspect being that ransomware operators are implementing advanced security evasion techniques designed to blind or completely circumvent traditional endpoint protection solutions.

Endpoint Security Under Attack

Very recently, there were reports of a new attack tool called AuKill that abuses MS Process Explorer driver to disable Endpoint Detection and Response (EDR) solutions to deploy stealthy backdoors and ultimately deliver ransomware payloads.

Analysis reveals that AuKill bears resemblance to another open-source tool called Backstab used by the LockBit gang that also abuses the MS Process Explorer driver to bypass security solutions. But these are just a fraction of the tools and techniques attackers use to bypass, unhook, or simply blind endpoint protection solutions.  

For example, attackers have long used what are known as “universal unhooking” techniques to hijack execution flow and to deploy a rootkit, then obfuscate subsequent processes and network connections. Universal unhooking blinds endpoint protection tools to the malicious activity, rendering them ineffective for detecting the attack.

Overall, of the top 20 most active ransomware groups, the majority have been observed leveraging one or more bypass and evasions techniques to get around security tools.  

Pentesting Your Endpoint Security

Simply put, ransomware operators and other threat actors are adept at bypassing security controls, and there are numerous examples of hard-coded AV/NGAV/EDR/XDR bypasses written into malicious code that lets attackers slip by without any detections being triggered.  

The following - as provided on GitHub by tkmru, co-founder and CTO of Sterra Security - are just a few of the bypass techniques and tools available to organizations to pentest the efficacy of their endpoint defenses. Additionally, these tools and techniques can be used when conducting internal incident response exercises with the assumption that endpoint controls can and will be bypassed.  

Understanding how and when endpoint security solutions fail, and what steps should be taken post-failure to ensure defense-in-depth and organizational resilience can better prepare organizations for the (almost) inevitable likelihood they will be the target of a ransomware (or other) attack:

Proof-of-Concept Resources:

• trickster0/TartarusGate: TartarusGate, Bypassing EDRs
• am0nsec/HellsGate: Original C Implementation of the Hell's Gate VX Technique
• Maldev-Academy/HellHall: Performing Indirect Clean Syscalls
• TheD1rkMtr/UnhookingPatch: Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime
• RedTeamOperations/Journey-to-McAfee
• op7ic/EDR-Testing-Script: Test the accuracy of Endpoint Detection and Response (EDR) software with simple script which executes various ATT&CK/LOLBAS/Invoke-CradleCrafter/Invoke-DOSfuscation payloads

Bypass and Evasion Tools:

• tanc7/EXOCET-AV-Evasion: EXOCET - AV-evading, undetectable, payload delivery tool
• naksyn/Pyramid: a tool to help operate in EDRs' blind spots
• Yaxser/Backstab: A tool to kill antimalware protected processes
• klezVirus/inceptor: Template-Driven AV/EDR Evasion Framework

Bypass and Evasion Presentations:

• Lifting the veil, a look at MDE under the hood - FIRST CONFERENCE 2022
• Dirty Vanity: A New Approach to Code Injection & EDR Bypass - Black Hat Europe 2022
• talks/Diego Capriotti - DEFCON30 Adversary Village - Python vs Modern Defenses.pdf
• Develop Your Own Rat

Additional Resources:

• Living-Off-the-Blindspot - Operating into EDRs’ blindspot | Naksyn’s blog
• PEP 578 – Python Runtime Audit Hooks.
• Bypass CrowdStrike Falcon EDR protection against process dump like lsass.exe | by bilal al-qurneh | Medium
• State-of-the-art EDRs are not perfect, fail to detect common attacks - The Record from Recorded Future News
• An Empirical Assessment of Endpoint Security Systems Against Advanced Persistent Threats Attack Vectors
• A tale of EDR bypass methods | S3cur3Th1sSh1t
• In-Memory Execution in macOS: the Old and the New | Meta Red Team X
• MrEmpy/Awesome-AV-EDR-XDR-Bypass: Awesome AV/EDR/XDR Bypass Tips

And one more – this great presentation discussing insights on EDR inner workings and evasion options from Karsten Nohl and Jorge Gimenez:  

• EDR EVASION PRIMER FOR RED TEAMERS

Organizations require both a robust prevention and an agile resilience strategy to defend against today’s more complex ransomware attacks. This includes endpoint protection solutions despite the fact that they can be bypassed or unhooked in certain instances. This is why resilience is key in developing a sound security posture, and organizations can limit the impact of a ransomware payload on operations with resilience planning.

As attackers continue to automate efficiencies in the attack progression to exploit known vulnerabilities for initial access, improve bypass and evasion techniques for stealthy payload delivery, security teams need to better understand where and how their organizations are at risk, and take steps to prepare for the inevitable.‍

‍

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.