Silly EDR Bypasses and Where To Find Them

One of the drawbacks of direct & indirect syscalls is that it's clear from the callstack that you bypassed the EDR's user mode hook.
As you can see from the last image, when a call is done through a hooked function the return address for the EDR's hook appears in the callstack.
What if I do call the hooked function, but do it in such a way that the EDR isn't able to properly inspect the call parameters?
If we can time the change to occur after the EDR has finished inspecting the parameters, but before the syscall instruction, we can bypass the hook without actually bypassing it.
Pick an ntdll function I want to call that's hooked by the EDR, then place a hardware breakpoint on the syscall instruction.
By placing an execute breakpoint on the syscall instruction we'll be able to intercept execution after the EDR has done its checks, but before the system call occurs.
What we'll be able to do is call a hooked function with benign parameters that won't trigger a detection, then swap out the parameters with malicious ones after the EDR has already inspected the call.
We can even, if we want, change the system call number to invoke a different syscall than the one the EDR thinks we're making.
The hardware breakpoint will be triggered right after the EDR has inspected our fake parameters, but before the syscall instruction transitions to kernel mode.
The second breakpoint handler can then change the parameters back to prevent the modifications being caught by any post-call inspection the EDR might do.
In many cases the EDR won't bother with post-call inspection if the call failed, so we could also just change the EAX register to something like STATUS_NOT_FOUND, STATUS_INVALID_PARAMETER, or, in homage to the TDSS rootkit, STATUS_TOO_MANY_SECRETS.
An example of code flow from a hooked NtWriteFile function.
EDR passes control back to the hooked Nt function to perform a syscall.
The EDR performs any post-call inspection and only sees benign parameters.
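The technique above hinges on a hardware execute breakpoint sitting on a syscall instruction inside ntdll. A natural defender-side counterpart is to inspect a thread's debug registers and flag enabled execute breakpoints that land inside a loaded module's code range. The following is an added example, not code from the original post or from any EDR: it decodes DR7 into its four breakpoint slots and counts execute breakpoints inside a given address range. On Windows the snapshot would come from GetThreadContext with CONTEXT_DEBUG_REGISTERS; here the register values and the ntdll range are constructed so the code runs anywhere, and the names `debug_regs_t`, `hw_breakpoint_t`, `SAMPLE_*` and the functions are this example's own.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One decoded hardware-breakpoint slot (DR0..DR3). */
typedef struct {
    bool     enabled;  /* local (L) or global (G) enable bit set in DR7 */
    unsigned rw;       /* R/W bits: 0 = execute, 1 = write, 3 = read/write (2 = I/O, rarely used) */
    unsigned length;   /* LEN bits decoded to a byte count: 1, 2, 8 or 4 */
    uint64_t address;  /* linear address held in DRi */
} hw_breakpoint_t;

/* Snapshot of a thread's debug registers. A defender would fill this from
 * CONTEXT.Dr0..Dr3 and CONTEXT.Dr7; the values used below are constructed. */
typedef struct {
    uint64_t dr[4];
    uint64_t dr7;
} debug_regs_t;

/* Decode DR7 per the Intel SDM layout: for slot i, bit 2i is Li, bit 2i+1 is Gi,
 * bits 16+4i..17+4i are R/Wi and bits 18+4i..19+4i are LENi.
 * Returns the number of enabled slots. */
int decode_hw_breakpoints(const debug_regs_t *regs, hw_breakpoint_t out[4])
{
    static const unsigned len_bytes[4] = { 1, 2, 8, 4 }; /* LEN: 00=1, 01=2, 10=8, 11=4 */
    int enabled = 0;
    for (int i = 0; i < 4; i++) {
        unsigned local  = (unsigned)((regs->dr7 >> (2 * i))     & 1u);
        unsigned global = (unsigned)((regs->dr7 >> (2 * i + 1)) & 1u);
        out[i].enabled = (local | global) != 0;
        out[i].rw      = (unsigned)((regs->dr7 >> (16 + 4 * i)) & 3u);
        out[i].length  = len_bytes[(regs->dr7 >> (18 + 4 * i)) & 3u];
        out[i].address = regs->dr[i];
        if (out[i].enabled) enabled++;
    }
    return enabled;
}

/* Detection heuristic: count enabled execute breakpoints whose address lies in
 * [lo, hi), e.g. ntdll's code range. A process that is not being debugged
 * normally has none; legitimate debuggers do set them, so treat hits as a signal
 * to correlate with other telemetry rather than as proof of evasion. */
int count_exec_breakpoints_in_range(const debug_regs_t *regs, uint64_t lo, uint64_t hi)
{
    hw_breakpoint_t bps[4];
    decode_hw_breakpoints(regs, bps);
    int hits = 0;
    for (int i = 0; i < 4; i++) {
        if (bps[i].enabled && bps[i].rw == 0 && bps[i].address >= lo && bps[i].address < hi)
            hits++;
    }
    return hits;
}

/* Constructed sample: slot 0 is a 1-byte execute breakpoint inside a hypothetical
 * ntdll code range, slot 1 is a 4-byte write watchpoint on an unrelated address. */
static const uint64_t SAMPLE_NTDLL_LO = 0x00007FFA12340000ULL; /* hypothetical module base */
static const uint64_t SAMPLE_NTDLL_HI = 0x00007FFA12400000ULL; /* hypothetical module end  */
static const debug_regs_t SAMPLE_REGS = {
    .dr  = { 0x00007FFA123A1C22ULL, 0x000000A4B8FFE010ULL, 0, 0 },
    .dr7 = 0x0000000000D00005ULL, /* L0 | L1 | R/W1 = 01 (write) | LEN1 = 11 (4 bytes) */
};

/* Accessors over the constructed sample so results can be checked without printing. */
int sample_enabled_count(void)
{
    hw_breakpoint_t bps[4];
    return decode_hw_breakpoints(&SAMPLE_REGS, bps);
}
unsigned sample_slot_rw(int slot)
{
    hw_breakpoint_t bps[4];
    decode_hw_breakpoints(&SAMPLE_REGS, bps);
    return bps[slot].rw;
}
unsigned sample_slot_length(int slot)
{
    hw_breakpoint_t bps[4];
    decode_hw_breakpoints(&SAMPLE_REGS, bps);
    return bps[slot].length;
}
int sample_exec_hits(void)
{
    return count_exec_breakpoints_in_range(&SAMPLE_REGS, SAMPLE_NTDLL_LO, SAMPLE_NTDLL_HI);
}

int main(void)
{
    hw_breakpoint_t bps[4];
    int n = decode_hw_breakpoints(&SAMPLE_REGS, bps);
    printf("%d enabled hardware breakpoint(s)\n", n);
    for (int i = 0; i < 4; i++) {
        if (!bps[i].enabled) continue;
        printf("  DR%d: type=%u len=%u addr=0x%016" PRIx64 "\n",
               i, bps[i].rw, bps[i].length, bps[i].address);
    }
    printf("execute breakpoints inside ntdll range: %d\n", sample_exec_hits());
    return 0;
}
```

The range check is deliberately module-agnostic: an EDR would enumerate the process's loaded modules and test each slot against every executable section, and could refine the heuristic by resolving whether the address falls on a syscall stub, which is where this post places its breakpoint.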
A snippet of the EDR's NtSetContextThread hook handler.
We already know the EDR inspects the context structure whenever we call NtSetContextThread(), so let's use that to our advantage.
From a combination of the crashdump and our earlier disassembly, we already know the EDR is trying to read the context->Rcx field into the RDX register.
We could use a disassembler to make a more generic bypass, but since this is just a PoC, we'll hardcode it to this specific EDR version.
So there we have it, two ways to bypass EDR hooks without bypassing EDR hooks.
I'm not sure how practical or easy it would be to turn the forced exception method into a generic EDR bypass.
Since we can't easily change pointers back after the syscall, and it only works with calls where the EDR reads pointers, it's fairly limited.


This Cyber News was published on malwaretech.com. Publication date: Wed, 27 Dec 2023 04:13:05 +0000

