EDRs are everywhere, but relatively little is known about how these tools work and how effectively they can be circumvented. We are, in effect, trusting black boxes to protect our endpoints. This presentation shares insights into EDR inner workings and evasion options gathered over several years of intensive red teaming.
We will cover:
- Test lab results: the wide range of EDR choices, from terrible to effective (bonus: ZERO DAYS!)
- Reverse engineering results: how EDRs work internally
- Successful attack techniques: EDR evasion methodologies, including:
  - Leveraging Windows APIs for injection attacks
  - Unhooking functions
  - Implementing and masquerading your own syscalls
These insights help both defenders and testers: blue teamers will better understand how much to rely on their EDR, and red teamers will find an organization’s weakest link more quickly.
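The first evasion item above, injection through ordinary Windows APIs, leaves a recognisable trace in endpoint telemetry: a handle opened on another process with write and thread-creation rights, followed by a remote thread whose start address is not backed by any loaded module. The following detector is an added, defender-side example and is not part of the talk or of any EDR product; the Sysmon-style event shapes (event 10 ProcessAccess, event 8 CreateRemoteThread), the file paths, and the allowlist are constructed assumptions for illustration.

```python
# Added example (not from the presentation): flag the cross-process
# write + remote-thread pattern over constructed Sysmon-style events.
from collections import defaultdict

# Process access-right bits from the Win32 process security model.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Processes that legitimately open other processes with broad rights.
# Assumed values: a real deployment tunes this per environment, because
# GrantedAccess-based rules are noisy without it.
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\lsass.exe",
}


def _norm(path):
    """Case-fold image paths so allowlist and pair keys compare reliably."""
    return path.lower()


def find_injection_candidates(events):
    """Return {(src, dst): {"severity", "reasons"}} for process pairs that
    show the classic WriteProcessMemory + CreateRemoteThread sequence."""
    findings = defaultdict(lambda: {"severity": "low", "reasons": []})
    for ev in events:
        src, dst = _norm(ev["source_image"]), _norm(ev["target_image"])
        if src == dst or src in ALLOWLISTED_SOURCES:
            continue
        key = (src, dst)
        if ev["event_id"] == 10:
            # Event 10 (ProcessAccess): a handle was opened with GrantedAccess.
            # Parentheses matter: '==' binds tighter than '&' in Python.
            if (ev["granted_access"] & INJECTION_RIGHTS) == INJECTION_RIGHTS:
                findings[key]["reasons"].append(
                    "handle with VM_WRITE|VM_OPERATION|CREATE_THREAD "
                    "(granted 0x%x)" % ev["granted_access"])
        elif ev["event_id"] == 8:
            # Event 8 (CreateRemoteThread): an empty StartModule means the
            # thread starts in memory that no DLL backs, i.e. injected code.
            if not ev.get("start_module"):
                findings[key]["reasons"].append(
                    "remote thread start address not backed by a module")
    # Both indicators on the same pair is far stronger than either alone.
    for finding in findings.values():
        if len(finding["reasons"]) >= 2:
            finding["severity"] = "high"
    return {k: v for k, v in findings.items() if v["reasons"]}


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Task Manager querying Explorer with PROCESS_QUERY_LIMITED_INFORMATION only.
    {"event_id": 10, "source_image": r"C:\Windows\System32\taskmgr.exe",
     "target_image": r"C:\Windows\explorer.exe", "granted_access": 0x1000},
    # Unknown binary opens svchost with PROCESS_ALL_ACCESS, then starts a
    # remote thread at an address with no backing module.
    {"event_id": 10, "source_image": r"C:\Users\u\stage.exe",
     "target_image": r"C:\Windows\System32\svchost.exe", "granted_access": 0x1F0FFF},
    {"event_id": 8, "source_image": r"C:\Users\u\stage.exe",
     "target_image": r"C:\Windows\System32\svchost.exe", "start_module": ""},
    # csrss routinely holds broad handles; allowlisted to avoid noise.
    {"event_id": 10, "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\svchost.exe", "granted_access": 0x1FFFFF},
    # A debugger creating a thread at a real ntdll entry point: benign here.
    {"event_id": 8, "source_image": r"C:\Program Files\Debugger\dbg.exe",
     "target_image": r"C:\Users\u\app.exe",
     "start_module": r"C:\Windows\System32\ntdll.dll"},
]


def demo():
    """Run the detector over the constructed events and return its findings."""
    return find_injection_candidates(SAMPLE_EVENTS)


if __name__ == "__main__":
    for (src, dst), finding in demo().items():
        print(f"[{finding['severity']}] {src} -> {dst}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

Only the stage.exe to svchost.exe pair is reported, and it is rated high because both indicators line up; the csrss handle is suppressed by the allowlist and the debugger's thread is ignored because its start address sits inside ntdll. The same telemetry is exactly what the other two techniques in the abstract aim to starve: unhooking removes the user-mode hook that would have seen WriteProcessMemory, and direct syscalls bypass it entirely, which is why defenders should weight kernel-sourced events such as these over user-mode hook telemetry.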