{"id":3837,"date":"2016-09-19T23:47:16","date_gmt":"2016-09-19T23:47:16","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3837"},"modified":"2016-09-19T23:47:16","modified_gmt":"2016-09-19T23:47:16","slug":"redroviruses-whether-youre-a-av-or-whether-youre-a-edr-youre-stayin-alive-stayin-alive","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2016\/09\/19\/redroviruses-whether-youre-a-av-or-whether-youre-a-edr-youre-stayin-alive-stayin-alive\/","title":{"rendered":"rEDRoviruses &#8211; Whether you&#8217;re a AV or whether you&#8217;re a EDR, You&#8217;re stayin&#8217; alive, stayin&#8217; alive&#8230;"},"content":{"rendered":"<p>EDR software is so hot right now. While AV is mainly focused on badness and silent detections\/reputation analysis, EDR solutions log everything. Sooner or later this &#8216;everything&#8217; will cause trouble for bad guys and they will act on it. Interestingly, while killing AV doesn&#8217;t make that much sense (because it&#8217;s so afraid of triggering FPs), the nature and immaturity of EDR (and the omnipresent problem of dead agents that comes with it) make it a very easy target&#8230;<\/p>\n<p>Such kill-EDR, or at least anti-EDR, or perhaps even just detect-EDR (<a href=\"https:\/\/www.hexacorn.com\/blog\/2015\/11\/07\/antiedr-samples-targeting-edr-endpoint-detection-and-response-solutions\/\">which already exists<\/a>) techniques are also important to offensive teams, which will surely want to know about the presence of EDR and&#8230; will try their best to bypass\/avoid it&#8230;<\/p>\n<p>The discussion of anti-EDR is also important for another reason. Most AV products use anti-tampering technologies that prevent the AV from being, well&#8230; tampered with. EDR should follow these steps closely &#8211; otherwise, well&#8230; it will be tampered with too. 
And fundamentally, the more protection and attention are given to the security of EDR, the better. Think of the Project Zero blog, which excels at killing bugs in a wide range of software &#8211; I don&#8217;t see any reason why they shouldn&#8217;t give it a try with EDR software&#8230;<\/p>\n<p>The following is a list of ideas that EDR vendors should look into to protect their products against being shut down:<\/p>\n<ul>\n<li><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/cc507878.aspx\">Blocking via Software Restriction Policies<\/a><\/li>\n<li><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/ee424367(v=ws.10).aspx\">Blocking via AppLocker<\/a><\/li>\n<li><a href=\"https:\/\/blogs.msdn.microsoft.com\/mithuns\/2010\/03\/24\/image-file-execution-options-ifeo\/\">Blocking via Image File Execution Options<\/a>\n<ul>\n<li>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/aa826517(v=vs.85).aspx\">Stopping or blocking WMI<\/a>\n<ul>\n<li>Many agentless solutions relying on WMI may stop working<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/ee198684.aspx\">Disabling Windows Script Host<\/a> (and with it VBS\/JS), e.g. 
via\n<ul>\n<li>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows Script Host\\Settings\\Enabled<\/li>\n<li>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Script Host\\Settings\\Enabled\n<ul>\n<li>solutions using Visual Basic Script will stop working &#8211; an EDR relying on a single Registry setting like this needs to ensure the setting is restored prior to the execution of every script<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Disabling PowerShell<\/li>\n<li>Changing ACLs on directories\/Registry entries\n<ul>\n<li>Potentially preventing log writing, config updates, etc.<\/li>\n<\/ul>\n<\/li>\n<li>Modification of the hosts file\n<ul>\n<li>Same old, same old&#8230;<\/li>\n<\/ul>\n<\/li>\n<li>Stopping\/disabling services\n<ul>\n<li>I won&#8217;t list service names, but they are easy to find<\/li>\n<\/ul>\n<\/li>\n<li>Analysis of the kernel drivers of EDR solutions may help in finding new ways to escalate privileges<\/li>\n<li>&#8230;<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>EDR software is so hot right now. While AV is mainly focused on badness and silent detections\/reputation analysis, EDR solutions log everything. Sooner or later this &#8216;everything&#8217; will cause trouble for bad guys and they will act on it. 
&hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/09\/19\/redroviruses-whether-youre-a-av-or-whether-youre-a-edr-youre-stayin-alive-stayin-alive\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[43,52],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3837"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3837"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3837\/revisions"}],"predecessor-version":[{"id":3838,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3837\/revisions\/3838"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3837"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3837"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3837"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}