If you are a Harry Potter fan, you know the study of the Dark Arts is appealing. There’s something about the study of the forbidden, the taboo and the dark arts that is highly interesting. In the context of cyber security, the Dark Arts are commonly EDR evasion, evasive malware, and reverse engineering.

Is EDR Effective? How Effective Is It?
If you look into the history of antivirus and EDR (Endpoint Detection and Response), a lot of statistics are thrown around without context. Most research papers that look into static analysis or dynamic analysis claim high success rates through machine learning methods, normally in the 97%+ range. At the same time, it is common for antivirus vendors to report success rates of 98%+.
If this were true, shouldn't cyber crime and malware be at their lowest point in time? However, we see the amount of cyber crime and malware at an all-time high. The sources are Statista and AV-TEST, which track this.


Mixed Results
The truth is somewhere in the middle. A lot of outdated systems are out there, and a large amount of malware targets outdated systems via exploit kits. In fact, for 2023, according to some antivirus vendors, the majority of the activity they saw targeted known vulnerabilities that already had fixes published by the vendors.
But there's another side to the story: evasive malware.
A lot of the success percentages reported in research papers are based on comparative studies against the “state of the industry”. VirusTotal is currently the gold standard for centralized multi-vendor scanning, with around 70 scanning engines at the time of this writing. However, it is very easy to report findings on older malware strains that we are now able to detect. The percentage of evasive malware at a given point in time is unknown and hard to measure.
Antivirus evaluation labs (you could question their independence in the testing) usually throw some newly written, never-seen-before malware into the mix to make a dent in the 100% detection rate. However, these samples have a few drawbacks:
- Samples are usually written using known evasive techniques.
- Testers have limited time and energy to write these samples.
- Testers have discretion over what percentage of their testing set these samples represent.
You can see how the percentage of success, whether from academic research or independent labs, can be manipulated quite easily. Unfortunately, I believe a lot of researchers are unaware of this fact.
The cat and mouse game.

Unfortunately, EDR is a traditional military arms race problem: a cat and mouse game.
- Attackers devise a new method.
- The new method becomes popular.
- The new method gets on the radar of defenders.
- The new method achieves critical mass.
- Defenders decide to incur the R&D cost to squash the new method.
- Attackers have less luck for some time.
- Attackers devise a new method…
This is the typical dynamic of the defense and military complex.
Someone could argue that with better weapons and more defense, we would be safer in general. However, both in defense and in the cyber domain we see the opposite effect.
Why Evasive Malware (Adversary Simulation)?

Sometimes your engineers and developers think they have secured their estate and done their due diligence, but they haven’t. Almost all defenders build a threat model in their head and execute defenses until they are satisfied. Red teamers and pen testers are used to test those assumptions, find the weak spots through creative breakthroughs, and drive the maturity of a security platform.
However, EDR has become a more complex problem and nuisance in recent times. Most of the time in a red team engagement you want to move past the EDR to identify the actual weak spots that you are going after.
This is the reason evasive adversary simulation tools are needed by the modern pentest team. Disabling EDRs throughout the environment requires cooperation from the organization and would alter the behavior of the defenders.
Is Evasion Possible? Is it Hard?

It definitely has gotten “harder” over time, although assessing this objectively is difficult. Attackers have never had so much experience, tooling and resources at their disposal, so a comparison will likely not be a fair one.
It requires constant research. All techniques have a certain shelf life. After some time, techniques stop being effective and need to be altered, updated, or replaced with more creative or alternative approaches. Still, in general it is doable, because the shelf life of a technique is measured in months, not hours or days.
Some techniques are valid for a much longer time, especially the ones that target design flaws, where the manufacturer stubbornly refuses to accept that it made a mistake during the design process.
The Saga
Given this, I will begin the work of exploring and documenting my journey into the Dark Arts of EDR Evasion.