DeepSec 2020 Talk: EPP/EDR – Unhooking Their Protections – Daniel Feichter
More and more we see in our penetration tests, that companies do not just rely on the traditional endpoint protection (EPP). Instead they began to add an additional EDR to the existing EPP or they use an EPP/EDR combination from different vendors like Microsoft, CrowdStrike, Endgame etc. Compared to EPP, an EDR is not designed for the prevention of malware, but for detection, response and hunting. EDR systems have a high process visibility at the endpoint. This makes it possible to conduct malware analysis based on the monitored behaviour. For that some EPP/EDR products under Windows rely on the technique API-Hooking. API-Hooking is a method to check executed code (via APIs) for malicious content by interception. For this purpose, the EPP/EDR software injects its own .dll into the address memory of a process. In