DeepSec 2020 Talk: EPP/EDR – Unhooking Their Protections – Daniel Feichter
More and more we see in our penetration tests, that companies do not just rely on the traditional endpoint protection (EPP). Instead they began to add an additional EDR to the existing EPP or they use an EPP/EDR combination from different vendors like Microsoft, CrowdStrike, Endgame etc.
Compared to EPP, an EDR is not designed for the prevention of malware, but for detection, response and hunting. EDR systems have a high process visibility at the endpoint. This makes it possible to conduct malware analysis based on the monitored behaviour. For that some EPP/EDR products under Windows rely on the technique API-Hooking.
API-Hooking is a method to check executed code (via APIs) for malicious content by interception. For this purpose, the EPP/EDR software injects its own .dll into the address memory of a process.
In simple terms, the executed code is redirected to the EPP/EDR .dll so that the code can be analyzed for malicious content.
However, Kernel Patch Protection (KPP) aka Patch Guard forces the EPP/EDR software to perform API Hooking in user-mode. This makes it possible to bypass user-mode API-Hooking by techniques like ntdll.dll mapping or direct system calls. There are some EDR products which rely heavily on user-mode API-Hooking. Depending on the product we could observe that for example ntdll mapping can have a very heavy impact on the further recognition by the EDR system.
However, testing of different EPP/EDR products also showed that EPP/EDR manufacturers rely not only on user-mode mechanisms, instead they use kernel-mode mechanisms like kernel callbacks. Depending on the product, it may be sufficient in the context of credential dumping to bypass the user-mode component (API-hooking) for successful credential dumping. For other EPP/EDR products, however, it is not sufficient to bypass only the user-mode API-hooking. In order to successfully dump credentials using Direct System Calls, for example, the kernel callbacks registered by device drivers must be removed.
Daniel Feichter studied industrial engineering and management at MCI in Innsbruck. After successful completion, however, he decided to work in the field of IT security.
By the company Strong-IT from Innsbruck he got the opportunity for an IT security internship in 2018 despite being an IT security newcomer. Since then he has found his new professional home in IT-Security and the company Strong-IT.
His focus is on Windows Environment Red Teaming and Research. Among other things, he is intensively engaged in EPP/EDR systems under Windows OS. Through Strong-IT, he has also been able to work with the well-known company AV-Comparatives.