A New Sophisticated Technique Evades EDR


In the rapidly evolving, complex threat landscape, EDR companies are constantly racing against new vectors.

Recently, Helvio Benedito Dias de Carvalho Junior (aka M4v3r1ck) from Sec4US has developed an innovation called “HookChain.” It is an IAT hooking-based technique that utilizes dynamic SSN resolution and indirect system calls. 

HookChain enables advanced evasion by invisibly redirecting Windows subsystem execution flows to traditional Ntdll. dll-monitoring EDRs without any code modifications.

HookChain EDR Detection

This game-changing work challenges cybersecurity norms and covers ways for adaptive protection strategies that continuously evolve in light of the need for strong security brought about by constant evolution. 

HookChain has greatly advanced endpoint Knowledge, which consequently prompted the development of proactive solutions aimed at more robustly dealing with dynamic threats.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

An EDR (Endpoint Detection and Response) agent consists of multiple software components that collect, handle, and send information on OS activities to a central analysis engine. 

This machine decides what the user wants by considering all acquired telemetry data.

EDR agents use numerous modules and data sources to achieve this surveillance, although the number, kind, and location of modules can differ in each product. 

A New Sophisticated Technique Evades EDR
Basic architecture of the agent [1, p. 10] (Source – Arxiv)

However, its main purpose is still to gather wide-ranging knowledge about endpoint operations to enhance threat identification as well as response capabilities.

Here below, we have mentioned all the most common agents and modules:-

  • Static Scanner
  • DLL Hook
  • Kernel Driver
  • Agent Service

Windows functions through a distinct division between user and kernel modes, with a hypervisor layer operating on the highest privilege ring (ring 0).

Researchers said user applications are executed in user mode (ring 3), while the operating system kernel, system services, and drivers are executed in kernel mode.

When a user application calls the WriteFile function, it transitions from user mode to kernel mode through System Service Dispatcher, which validates and routes the request to an appropriate kernel implementation.

This design ensures that processes created by one user do not have direct access to sensitive system data or functions.

The transition between various protection rings uses certain CPU instructions and pre-defined calling conventions.

According to Microsoft’s updates, the numbers for these calls keep changing to become more secure.

Windows user-mode image loader in Ntdll.dll handles the loading of executable (PE) and library (DLL) files with their defined import tables listing external dependencies. 

During load, the Import Address Table (IAT) gets populated with the memory addresses of referenced functions, accommodating requirements like ASLR. 

Endpoint Detection and Response (EDR) tools leverage function interception (“hooking”) to insert monitoring logic by manipulating an application’s control flow before and after imported function calls. 

A New Sophisticated Technique Evades EDR
Execution Flow After HookChain Implant (Source – Arxiv)

Common hooking approaches include using JMP/CALL instructions or directly modifying the IAT at runtime when the monitored application loads. 

This allows EDRs to analyze and potentially control the application’s behavior transparently for security monitoring purposes.

The HookChain technique demonstrates high efficacy in bypassing the security monitoring and controls implemented by the EDR solution. 

Across the EDR solutions evaluated, HookChain achieved an 88% success rate in circumventing these defensive layers, rendering them ineffective against this evasive approach.

Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo 



Source link