
EDR bypass process

The main question is, what tool do you want to use for bypassing antimalware defenses: something coded by "who knows", or a tool that offers evasive options and capabilities made for evasion purposes?

After you answer that question, I think you should start reading something like this:


Study C/C++/Nim/Rust, any low level language will be great, learn how EDRs work, learn different methods to execute shellcode, obfuscation, encryption... From there you can go further and start on the journey.


There is no magic link/book/project; you must spend time reading the latest conferences, learning about Windows internals, and showing interest in all the concepts that are involved in bypassing an antivirus or endpoint detection and response system.


My advice: DLL sideloading, retrieve shellcode from outside the binary/DLL, decrypt in memory, don't use RWX permissions, obfuscate common strings, use a good malleable C2 that mimics Chrome/Teams or a similar app with high HTTP traffic, use Moneta and PE-Sieve to see if you are clean in memory, sleep times, metadata of the payload, check for debuggers, anti-sandbox, module stomping technique, indirect syscalls, steganography, etc...


My advice: learn to code, at least build your own shellcode loader, and from there you keep upgrading yourself. One day you will be living in the kernel, always think big :)
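The post above says to run Moneta and PE-Sieve to check whether a loader is "clean in memory". The following is an added example, not code from the thread and not code from either of those tools, of what such a memory scanner actually checks: it walks a list of memory regions and flags RWX pages, executable private (unbacked) memory, executable non-image mappings, and loaded modules whose bytes no longer match the file on disk. The `Region` records and their bytes are constructed here; in a real scanner they would come from `VirtualQueryEx` and `ReadProcessMemory`. The protection and region-type constants are the real values from winnt.h.

```python
# Added example (not from the thread, and not code from Moneta or PE-Sieve):
# a triage pass over a process memory map that flags the in-memory indicators
# such scanners report. Region records below are constructed; in a real
# scanner they come from VirtualQueryEx / ReadProcessMemory.
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional

# Page protection and region type constants from winnt.h
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000

ANY_EXECUTE = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY


@dataclass
class Region:
    base: int
    size: int
    protect: int          # current page protection (MEMORY_BASIC_INFORMATION.Protect)
    mem_type: int         # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE
    content: bytes = b""  # bytes read from the region in the live process
    on_disk: Optional[bytes] = None  # same range as it appears in the PE file (images only)


def classify(r: Region) -> List[str]:
    """Return the indicator names that apply to one region (empty list = clean)."""
    findings: List[str] = []
    executable = bool(r.protect & ANY_EXECUTE)
    if r.protect & PAGE_EXECUTE_READWRITE:
        # Writable and executable at once: the "don't use RWX" point from the thread.
        findings.append("RWX")
    if executable and r.mem_type == MEM_PRIVATE:
        # Executable memory with no file behind it: where injected code usually lives.
        findings.append("PRIVATE_EXEC")
    if executable and r.mem_type == MEM_MAPPED:
        # Executable section mapping that is not a loaded PE image.
        findings.append("MAPPED_EXEC")
    if r.mem_type == MEM_IMAGE and r.on_disk is not None and r.content != r.on_disk:
        # Loaded module bytes differ from the file: hooks, patches or module stomping.
        findings.append("IMAGE_MODIFIED")
    return findings


def scan(regions: List[Region]) -> Dict[str, List[str]]:
    """Map region base (hex string) -> indicators, keeping only regions with findings."""
    report: Dict[str, List[str]] = {}
    for r in regions:
        hits = classify(r)
        if hits:
            report[hex(r.base)] = hits
    return report


# Constructed sample map: one clean module page, one patched module page,
# ordinary heap, an RWX allocation, an RX private allocation and an
# executable file-backed section that is not an image.
TEXT_BYTES = bytes(range(16))  # constructed stand-in for a module's code bytes
SAMPLE_REGIONS = [
    Region(0x7FF800001000, 0x1000, PAGE_EXECUTE_READ, MEM_IMAGE, TEXT_BYTES, TEXT_BYTES),
    Region(0x7FF800002000, 0x1000, PAGE_EXECUTE_READ, MEM_IMAGE, b"\xe9" + TEXT_BYTES[1:], TEXT_BYTES),
    Region(0x20000000, 0x1000, PAGE_READWRITE, MEM_PRIVATE, b"\x00" * 16),
    Region(0x20010000, 0x1000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, b"\x90" * 16),
    Region(0x20020000, 0x1000, PAGE_EXECUTE_READ, MEM_PRIVATE, b"\x90" * 16),
    Region(0x30000000, 0x1000, PAGE_EXECUTE_READ, MEM_MAPPED, b"\x90" * 16),
]

if __name__ == "__main__":
    for base, hits in scan(SAMPLE_REGIONS).items():
        print(base, ", ".join(hits))
```

Running it reports the patched module page as `IMAGE_MODIFIED`, the RWX allocation as both `RWX` and `PRIVATE_EXEC`, the RX private allocation as `PRIVATE_EXEC` and the mapped section as `MAPPED_EXEC`; the clean module page and the heap produce nothing. The `IMAGE_MODIFIED` check is the one that needs the file on disk, which is why real scanners re-read and re-map the PE rather than trusting the process's own copy.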
 
Thanks for your advice, that was helpful ❤️
 
I'm studying some way to use MPclient.dll to bypass Windows Defender.
Maybe you could get and study the Sophos DLLs, then try to use them to bypass it.
I really don't know how effective it is, but the idea is to find out some feature offered by Sophos's own DLLs.
 
Hey guys,
I want to analyze and bypass Sophos EDR, so I checked it a little.
My question is, do I need a checklist for that, or should I just focus on one functionality of it, such as unhooking?
It's the first time that I want to do it.

I want to know how to approach that.
You should understand how Sophos is detecting you/your payload; once you realize what is detecting your payload, it's clearer what you have to do in order to bypass it.

For general knowledge of how to bypass X or Y EDR, I recommend that you get a free trial at Elastic, enable all rules and full prevention, and see which rules your payload is triggering.

As Бафомет said, you can mimic other payloads that were successful at bypassing EDR products; take a look at abuse[.]ch and virustotal[.]com.
 
Looking for your advice, guys. Is it possible to know/buy a list of IP addresses which belong to a particular AV/EDR? How to know the IP addresses which are used by the servers of NOD32's antivirus, for example....

Yes, AS50881 etc. Competent EDR vendors do networked and non-networked dynamic analysis in their sandbox though, and by default everything is sent to the sandbox. It won't help you much. The only solution is better malware.
 
First of all,
AS50881 - thanks for it.
Will you kindly share other abbreviations such as AS50881 which belong to other products? I will be thankful....
 