Most endpoint detection and response (EDR) systems on the market are vulnerable to two simple bypass methods, especially when the two are used together, reports Ars Technica.
An SRLabs report showed that popular EDRs from Microsoft, Symantec, and SentinelOne could be evaded with the first method, which bypasses the user-mode hook function by invoking the kernel system call directly. Although that technique could still raise suspicion in some EDRs, the second method, which reuses fragments of the hooked functions so that the hooks are not triggered, evaded all of the EDRs without raising suspicion, according to the researchers. When tested with each bypass technique, one of the EDRs failed to recognize Cobalt Strike and Sliver malware packaged as either an .exe or a .dll file, while the other two failed to identify the .dll samples under either technique.
"Overall, EDRs are adding about 12 percent or one week of hacking effort when compromising a large corporation judged from the typical execution time of a red team exercise," wrote SRLabs Chief Scientist Karsten Nohl.