Cat & Mouse - or chess?

Endpoint Detection and Response (EDR) solutions are increasingly used by various companies for attack detection and prevention. These systems aim to provide an overview of potentially malicious activities/behaviours on an operating system in addition to the classic antivirus approach.

To do that, they use for example userland Hooking techniques, Kernel Callbacks, or the Microsoft-Windows-Threat-Intelligence ETW provider (EtwTi). The userland Hooking part is mainly done by loading their own DLLs into processes. This DLL can hook Windows APIs to inspect input parameters, such as pointers for known malicious code. This talk will summarize and explain some of the techniques, that were published over the last years to bypass the userland Hooking specific detections, such as unhooking, usage of direct Syscalls, or patching the EDR-DLL entrypoint. Afterwards, a new approach to block EDR DLLs from loading into a process - and therefore preventing hooks and userland analysis - is presented. The technique can also be used to bypass the Antimalware Scan Interface (AMSI) or any classic Antivirus vendor DLLs.

Endpoint Detection and Response (EDR) solutions use, among others, userland Hooking techniques to detect potentially malicious threat actor activities in running processes. This talk will summarize and explain some different techniques, that were published over the last years to bypass userland hooking based detections. Afterwards, a new approach to bypass them is presented.