{"id":10428,"date":"2023-05-29T15:25:00","date_gmt":"2023-05-29T14:25:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/edr-bypassing-via-memory-manipulation-techniques\/"},"modified":"2023-05-29T15:25:00","modified_gmt":"2023-05-29T14:25:00","slug":"edr-bypassing-via-memory-manipulation-techniques","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/fi\/resurssit\/w-labs\/edr-bypassing-via-memory-manipulation-techniques\/","title":{"rendered":"EDR bypassing via memory manipulation techniques"},"content":{"rendered":"\n
\n
\n

\n EDR bypassing via memory manipulation techniques<\/span><\/h1>
\n
\n \n \n Attack Detection <\/span>\n \n Endpoint Security <\/span>\n <\/span>\n \n 29.05.2023 <\/span>\n <\/div>\n <\/div>\n <\/div>\n
\n
\n

\n Jaa t\u00e4m\u00e4 <\/p>\n

\n \n \n
\n
\n
\n \"\" <\/figure>\n <\/div>\n <\/div>\n<\/section>\n\n\n\n
\n
\n
\n

\n Authors <\/p>\n \n

\n
\n
\n \n \n <\/path>\n <\/path>\n <\/svg>\n <\/span>\n <\/div>\n
\n

Connor Morley<\/h3>\n \n \n <\/div>\n\n<\/div>\n\n <\/div>\n\n <\/div>\n
\n

\n Download report <\/p>\n \n

\n
\n \n Download report
\n
\n

\n Share this story <\/p>\n

\n \n \n
\n
\n

Endpoint Detection & Response systems (EDR), delivered by in-house teams or as part of a managed service, are a feature of modern intrusion detection and remediation operations. This success is a problem for attackers, and malicious actors have worked to find new ways to evade EDR detection capabilities. As with all arms races, these approaches to evading detection are creative and effective. One of the primary methods utilized in modern attack frameworks, hands on keyboard operations and even malicious binaries revolves around memory manipulation.<\/p>\n

Memory manipulation is nothing new; most readers will be familiar with process injection, thread hijacking, process hollowing and so on. That said, some recent tools\/techniques are focused less on deployment and more on circumventing EDR telemetry acquisition techniques or alerting mechanisms. Elaborate hooking and exploitation of native functionality is now employed with impressive success rates.<\/p>\n

This paper is broken down into three parts; the first will explain some of the memory techniques readily used by attackers to avoid detection in today\u2019s landscape, and will explain how they work and why they may be chosen. The second and third parts will focus on methods to detect the utilization of such covert mechanisms, where telemetry for detection may be acquired, and some of the difficulties that may be encountered during the integration of these solutions.<\/p>\n<\/div>\n\n

\n
\n

\n Share this story <\/p>\n

\n \n \n
\n
\n
\n
\n

\n What next?<\/span><\/h2>
\n
\n

Discover WithSecure\u2122 Elements Exposure Management.
\n– No credit card required. No obligations.No complexity.<\/p>\n<\/div>\n <\/div>\n <\/div>\n

\n Contact us<\/a> <\/div>\n <\/div> <\/div>\n <\/div>\n<\/section>\n\n\n\n\n\n
\n
\n

\n Related Labs content<\/span><\/h2>
\n
\n
\n

Find related content relating to this topic.<\/span><\/p>\n<\/div>\n <\/div>\n <\/div>\n <\/div> \n

\n
\n
\n
\n \"\"

W\/Labs<\/p>\n <\/div>\n

\n
\n
\n Attack Detection<\/span>\n Software Protection<\/span>\n Threat intelligence<\/span>\n <\/div>\n <\/div>\n

DarkGate Rises: New version of DarkGate malware hunts like a Duck but bites like a RAT<\/h3>\n

On 4th August 2023, WithSecure Detection and Response Team (DRT) received an alert regarding spoofed process injection with abnormal memory characteristics on a host belonging to a WithSecure Countercept MDR customer.<\/p>\n

\n Lue lis\u00e4\u00e4<\/a> <\/div>\n <\/div>\n<\/div> <\/div>\n
\n
\n
\n \"\"

W\/Labs<\/p>\n <\/div>\n

\n
\n
\n Attack Detection<\/span>\n Software Protection<\/span>\n Threat intelligence<\/span>\n <\/div>\n <\/div>\n

Reverse engineering a Lumma infection<\/h3>\n

Lumma is an information stealer that the WithSecure Detection and Response Team (DRT) have encountered several times. It has seen wider use over the past couple of years, and makes for an interesting threat to monitor.<\/p>\n

\n Lue lis\u00e4\u00e4<\/a> <\/div>\n <\/div>\n<\/div> <\/div>\n
\n
\n
\n \"\"

W\/Labs<\/p>\n <\/div>\n

\n
\n
\n AI security<\/span>\n Attack Detection<\/span>\n Software Protection<\/span>\n <\/div>\n <\/div>\n

Machine learning-driven malware analysis<\/h3>\n

With the rapid emergence of new malware variants, accurately classifying and attributing malware samples has become more challenging than ever<\/p>\n

\n Lue lis\u00e4\u00e4<\/a> <\/div>\n <\/div>\n<\/div> <\/div>\n <\/div>\n
\n
\n <\/div>\n
\n
\n

Endpoint Detection & Response systems (EDR), delivered by in-house teams or as part of a managed service, are a feature of modern intrusion detection and remediation operations.<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[302,326],"labs_content_type":[327],"class_list":["post-10428","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-endpoint-security"],"acf":[],"card":"

\n
\n \"\"

W\/Labs<\/p>\n <\/div>\n

\n
\n
\n Attack Detection<\/span>\n Endpoint Security<\/span>\n <\/div>\n <\/div>\n

EDR bypassing via memory manipulation techniques<\/h3>\n

Endpoint Detection & Response systems (EDR), delivered by in-house teams or as part of a managed service, are a feature of modern intrusion detection and remediation operations.<\/p>\n

\n Lue lis\u00e4\u00e4<\/a> <\/div>\n <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/lab_item\/10428","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/media?parent=10428"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/categories?post=10428"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/fi\/wp-json\/wp\/v2\/labs_content_type?post=10428"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}