Bypass EDR!!
I recently had a chance to get access to a Windows 10 laptop system. While this was one of the unique opportunities to learn, I had a hard time bypassing Windows Defender and Symantec Endpoint Protection.
```mermaid
graph TD
    A[Windows 10] --> B[Windows Defender]
    A --> C[3rd party EDR]
```
1. Windows Defender
Get the status of the antimalware protection software:

```powershell
Get-MpComputerStatus
```
Windows Defender Components and Security Layers
| Layer | Components | Purpose | Command to Check |
|---|---|---|---|
| Hardware Layer | Secure Boot; Trusted Platform Module (TPM); Hardware-based Isolation; NEW: Memory Integrity (HVCI) | Prevents unauthorized software and malware from loading during boot, provides secure cryptographic functions, isolates critical OS parts from malware, and protects the integrity of code running in the kernel. | Secure Boot: `Confirm-SecureBootUEFI` (PowerShell); TPM: `Get-Tpm` (PowerShell); Isolation: `systeminfo` to check virtualization support; HVCI: `Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard` |
| Operating System Security | Windows Defender System Guard; Windows Defender Application Control (WDAC); Windows Sandbox; Credential Guard; NEW: Kernel DMA Protection | Protects OS integrity, controls executable permissions, provides a secure environment for untrusted apps, isolates credential data to prevent theft, and protects against DMA attacks. | System Guard: check Event Viewer under System Integrity; WDAC: `Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard`; Sandbox: enabled in Windows Features; Credential Guard: `Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard` (see `SecurityServicesRunning`); Kernel DMA Protection: `msinfo32.exe` (look for "Kernel DMA Protection") |
| Application Security | Microsoft Defender Application Guard; Exploit Protection (DEP, ASLR, CFG); Windows Defender SmartScreen; NEW: Attack Surface Reduction (ASR) rules | Isolates risky web content, protects against memory-based attacks, blocks access to malicious files and websites, and reduces the attack surface of applications. | Application Guard: check Windows Features; Exploit Protection: `Get-ProcessMitigation -System`; SmartScreen: `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled`; ASR: `Get-MpPreference` |
| Identity & Access Management | Windows Hello; Multi-Factor Authentication (MFA); Conditional Access; NEW: Microsoft Passport | Enhances authentication through biometrics or PIN, adds an extra layer of verification, applies access policies based on location, device compliance, and risk, and provides a seamless two-factor authentication experience. | Windows Hello: check under Sign-in Options in Settings; MFA: managed at organizational level (no direct command); Conditional Access: managed through Azure AD; Microsoft Passport: `Get-WindowsPassportStatus` (PowerShell) |
| Network Security | Windows Defender Firewall; Microsoft Defender for Identity; Network Protection; NEW: Web Protection | Controls network traffic, monitors Active Directory for suspicious activity, blocks access to malicious domains, and provides safe browsing features. | Firewall: `netsh advfirewall show allprofiles`; Defender for Identity: managed in Azure AD (cloud-based); Network Protection: `Get-MpPreference` |
| Endpoint Detection & Response (EDR) | Microsoft Defender for Endpoint; Advanced Threat Protection (ATP); NEW: Automated Investigation and Remediation | Provides EDR capabilities, advanced threat detection, machine learning, behavior analytics, threat intelligence for proactive response, and automated threat remediation. | Defender for Endpoint: `Get-MpComputerStatus` (PowerShell); ATP: managed through Microsoft Defender Security Center (cloud-based); Automated Investigation: check in the Microsoft 365 Defender portal |
| Data Protection | BitLocker Encryption; Windows Information Protection (WIP); File Integrity Monitoring (FIM); NEW: Controlled Folder Access | Encrypts drives, separates personal and corporate data to prevent accidental leaks, tracks changes to critical files for early breach detection, and protects against ransomware. | BitLocker: `manage-bde -status`; WIP: managed through Group Policy or Microsoft Intune; FIM: `auditpol /get /subcategory:"File System"`; Controlled Folder Access: `Get-MpPreference` |
| Cloud Intelligence & Threat Analytics | Microsoft Threat Intelligence; Cloud Security Posture Management (CSPM); Threat Analytics Dashboard; NEW: Microsoft Defender Threat Intelligence | Uses cloud-based threat intelligence, mitigates cloud misconfigurations, provides a unified threat management dashboard powered by Azure Sentinel, and offers a comprehensive view of the global threat landscape. | Threat Intelligence: access via Microsoft Security Center; CSPM: managed through Microsoft Defender for Cloud; Analytics Dashboard: access in the Microsoft 365 Defender portal; Defender Threat Intelligence: access through the Microsoft Defender portal |
2. 3rd Party EDR
Check the installed Symantec Endpoint Protection version from the registry:

```powershell
(Get-ItemProperty -Path "HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion" -Name PRODUCTVERSION).PRODUCTVERSION
```
| EDR Solution | Components | Purpose | Command to Check Status | Additional Features | Deployment Model |
|---|---|---|---|---|---|
| CrowdStrike Falcon | Falcon Sensor (runs as `CSFalconService`); Threat Intelligence; Endpoint Detection | Provides cloud-based EDR for detecting and mitigating endpoint threats. | Service check: `sc query CSFalconService`; Logs: `C:\ProgramData\CrowdStrike\Logs` | Machine Learning; Threat Hunting; Automated Response | Cloud-native |
| Symantec Endpoint Protection (SEP) | SEP Client Service (runs as `SepMasterService`); Intrusion Prevention; Behavioral Analytics | Protects endpoints with antivirus, intrusion prevention, and behavioral analytics. | Service check: `sc query SepMasterService`; SEP console: `smc -status` for client status | Device Control; Application Control; Network Protection | On-premises or Cloud |
| SentinelOne | SentinelOne Agent (runs as `SentinelAgent`); ActiveEDR; Rollback and Remediation | Provides autonomous EDR with threat detection, response, and rollback capabilities. | Service check: `sc query SentinelAgent`; SentinelOne Console for detailed status | Behavioral AI; One-Click Rollback; Ransomware Protection | Cloud-native |
| McAfee Endpoint Security | ENS Threat Prevention; ENS Firewall; ENS Web Control | Delivers endpoint protection with antivirus, firewall, and web control features. | Service check: `sc query mfeepmpk` (or `sc query mfefire` for the firewall); ENS console: McAfee ePO | Real-time Scanning; Exploit Prevention; Adaptive Threat Protection | On-premises or Cloud |
| Carbon Black | CB Sensor (runs as `cb` service); Threat Analysis Console; Live Response | Provides threat hunting, detection, and real-time response capabilities. | Service check: `sc query cb`; Logs: `C:\Program Files\CarbonBlack\` | Streaming Analytics; Threat Intelligence; Endpoint Isolation | Cloud-native |
| Cisco Secure Endpoint (formerly AMP) | AMP Connector; Threat Grid Integration; File and Device Control | Protects endpoints with advanced malware protection and device control. | Service check: `sc query CiscoAMP`; AMP Console for detailed insights | Malware Protection; Outbreak Control; Vulnerability Assessment | Cloud-managed |
| FireEye Endpoint Security | HX Agent; Exploit Guard; IOC Scanning and Containment | Delivers threat detection and response, as well as Indicator of Compromise (IOC) scanning. | Service check: `sc query HXAgentService`; Logs: `C:\ProgramData\FireEye\Logs` | Triage Analysis; Enterprise Search; Threat Intelligence | On-premises or Cloud |
| Kaspersky Endpoint Security | KES Agent; Behavior Detection; Application Control | Provides antivirus, behavioral threat detection, and application control. | Service check: `sc query AVP`; Logs: `C:\ProgramData\Kaspersky Lab\KES` | Network Attack Blocker; Web Control; Device Control | On-premises or Cloud |
| Trend Micro Apex One | Apex One Agent; Application Control; Behavior Monitoring | Protects endpoints with application control, threat detection, and behavioral monitoring. | Service check: `sc query TmCCSF`; Agent: verify `TmListen` is running | Virtual Patching; Endpoint Encryption; Data Loss Prevention | On-premises or Cloud |
| Sophos Intercept X | Intercept X Endpoint Agent; Exploit Mitigation; Ransomware Protection | Offers EDR with exploit mitigation and advanced ransomware protection. | Service check: `sc query SntpService`; Sophos Central console for status and alerts | Deep Learning; Root Cause Analysis; Synchronized Security | Cloud-managed |
| Microsoft Defender for Endpoint | Microsoft Defender Antivirus; EDR Sensor; Threat & Vulnerability Management | Provides built-in EDR for Windows with cloud-powered security analytics. | PowerShell: `Get-MpComputerStatus`; Windows Security app | Attack Surface Reduction; Automated Investigation; Secure Score | Cloud-native |
| Palo Alto Networks Cortex XDR | Cortex XDR Agent; Behavioral Threat Protection; Network Traffic Analysis | Delivers XDR capabilities with endpoint, network, and cloud data analysis. | Service check: `sc query CortexXDRAgent`; Cortex XDR Console | User Behavior Analytics; Custom Playbooks; Incident Management | Cloud-native |
| Cybereason | Cybereason Sensor; NGAV Engine; Behavioral Analysis | Offers AI-driven EDR with automated threat hunting and response. | Service check: `sc query CybereasonAV`; Cybereason Console | Cross-Machine Correlation; Fileless Malware Detection; Guided Remediation | Cloud or On-premises |
| Bitdefender GravityZone | GravityZone Agent; HyperDetect; Sandbox Analyzer | Provides risk analytics and hardening with EDR capabilities. | Service check: `sc query EPProtectedService`; GravityZone Console | Risk Analytics; Integrated Patch Management; Full Disk Encryption | Cloud or On-premises |
| Cylance PROTECT | CylancePROTECT Agent; AI-driven Threat Prevention; Script Management | Utilizes AI and machine learning for predictive threat prevention. | Service check: `sc query CylanceSvc`; Cylance Console | Memory Exploitation Detection; Device Policy Enforcement; Offline Protection | Cloud-managed |
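The two tables above are checks a defender would want to run together to confirm which protection layers and which EDR agent are actually active on a host. The script below is an added example, not from the original post: it runs the Defender, Device Guard and service checks listed above and prints a single coverage table. The service names are the ones given in the third-party EDR table; where a deployment uses a different service name the row simply reports "not installed". Run it from an elevated PowerShell session.

```powershell
# Added example: one-shot coverage audit of the controls listed on this page.
$report = [System.Collections.Generic.List[object]]::new()
function Add-Row($Layer, $Control, $State) {
    $report.Add([pscustomobject]@{ Layer = $Layer; Control = $Control; State = $State })
}

# Hardware layer: Secure Boot throws on legacy BIOS, TPM may be absent.
try { Add-Row 'Hardware' 'Secure Boot' (Confirm-SecureBootUEFI) }
catch { Add-Row 'Hardware' 'Secure Boot' 'unsupported (legacy BIOS)' }
try { Add-Row 'Hardware' 'TPM present' ((Get-Tpm).TpmPresent) }
catch { Add-Row 'Hardware' 'TPM present' 'n/a' }

# OS layer: Win32_DeviceGuard.SecurityServicesRunning lists 1 = Credential Guard, 2 = HVCI.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
Add-Row 'OS' 'Credential Guard running' ($dg.SecurityServicesRunning -contains 1)
Add-Row 'OS' 'HVCI (Memory Integrity) running' ($dg.SecurityServicesRunning -contains 2)

# Windows Defender: engine, real-time protection, ASR rules and Controlled Folder Access.
$mp   = Get-MpComputerStatus
$pref = Get-MpPreference
Add-Row 'Defender' 'AM service enabled'    $mp.AMServiceEnabled
Add-Row 'Defender' 'Real-time protection'  $mp.RealTimeProtectionEnabled
# ASR actions: 0 = Disabled, 1 = Block, 2 = Audit; count the rules actually blocking.
$blocking = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count
Add-Row 'Defender' 'ASR rules in Block mode' $blocking
# Controlled Folder Access: 0 = Disabled, 1 = Enabled, 2 = Audit.
Add-Row 'Defender' 'Controlled Folder Access' $pref.EnableControlledFolderAccess

# Third-party EDR agents: service names taken from the table above.
$edrServices = [ordered]@{
    'CrowdStrike Falcon'    = 'CSFalconService'
    'Symantec EP'           = 'SepMasterService'
    'SentinelOne'           = 'SentinelAgent'
    'Kaspersky ES'          = 'AVP'
    'Trend Micro Apex One'  = 'TmCCSF'
    'Sophos Intercept X'    = 'SntpService'
    'Bitdefender GZ'        = 'EPProtectedService'
    'Cylance PROTECT'       = 'CylanceSvc'
}
foreach ($name in $edrServices.Keys) {
    $svc = Get-Service -Name $edrServices[$name] -ErrorAction SilentlyContinue
    Add-Row 'EDR' $name ($(if ($svc) { $svc.Status } else { 'not installed' }))
}

$report | Format-Table -AutoSize
```

A host with no EDR row in the `Running` state and Defender real-time protection off has no active endpoint agent at all, which is the gap this audit is meant to surface.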