#HITB2022SIN

14,771 views

Hack In The Box Security Conference

A year ago

EDRs are everywhere, but relatively little is known about how the tools work and how to effectively circumvent them. We are effectively trusting black boxes to protect our endpoints. This presentation discusses insights on EDR inner workings and evasion options gathered over several years of intense red teaming.
We will cover:
- Test lab results: The wide range of EDR choices from terrible to effective; bonus: ZERO DAYS!
- Reverse engineering results: How EDRs work internally
- Successful attack techniques: EDR evasion methodologies; including:
  - Leverage Windows APIs for injection attacks
  - Unhook functions
  - Implement and masquerade your own syscalls
These insights help defenders and testers: Blue teamers will better understand how much to rely on EDR; and red teamers will find an organization’s weakest link more quickly.
===
Jorge is a Security Consultant at SRLabs focused on infrastructure pentesting and Red Teaming. He has deep expertise in Endpoint protection, Malware Development, and Active Directory hacking.
---
Karsten is a cryptographer and security researcher. He likes to test security assumptions in proprietary systems and typically breaks them. Karsten is the Chief Scientist at SRLabs in Berlin where his professional work includes testing telcos for hacking issues.
