#SECTORCA BlackHatEvents

EDR Bypass Testing

WHOAMI

Motivation
- EDR is effective
- EDR is vulnerable
- EDR is a target
- Bypass attempts are a high-fidelity signal

Quick Distinction
AV Evasion / Pre-Execution Evasion
- Defeats signature, static, or dynamic AV scanners
- Most often tied to initial access techniques
EDR Bypass / Detection Evasion
- Defeats behavioral, telemetry, or runtime monitoring
- Applies once execution begins or the attacker has a foothold

Assumptions
Attacker has:
- Initial foothold (remote)
- Local admin privileges
- Interactive GUI / remote shell / admin tools

Security Boundaries
- User to kernel (enforced by the OS)
- PPL (enforced by the OS)
- Tamper protection (enforced by the EDR)
- Local admin to kernel: NOT a security boundary

Stopping EDR Killers
- Secure Boot
- HVCI
- Signed WDAC Policy
- Microsoft Recommended Driver Block Rules

What's Next?

EDR Attack Surface & Surveyor Tool

EDR Attack Surface
- Large attack surface across various components
- User mode / kernel mode
- Services, drivers, GUI applications

13 Core Data Collection Categories

Process Enumeration
Collection Methods
- Basic Enumeration: CreateToolhelp32Snapshot() + Process32FirstW/NextW()
- Enhanced with Driver: kernel-level process enumeration for accurate PPL detection
- WMI Integration: command line arguments, session IDs, performance counters
- Module Analysis: EnumProcessModules() + GetModuleFileNameExW()
EDR Attack Surface Relevance
- PPL Bypass Requirements: critical for understanding which processes are protected
- Injection Target Analysis: identifies suitable processes for code injection
- Signature Validation: understanding trust chains and unsigned process det
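The following is an added example, not code from the deck or from its Surveyor tool: a user-mode approximation of the Process Enumeration collection methods listed above (a snapshot-style process list, WMI command line and session ID, loaded modules, and the Authenticode status of each image). It deliberately shows the gap the deck closes with a driver: a process that cannot be opened (PPL or higher integrity) yields no path and no module list, so its protection level can only be inferred from the failure. The "odd module" path filter and the function name are this example's own assumptions.

```powershell
# Added example, not from the deck. Run from an elevated PowerShell for the widest coverage.
# Assumption: modules outside the Windows and Program Files trees are worth a second look.
function Get-ProcessSurvey {
    param([int[]] $ProcessId)   # optional PID filter; default surveys every process

    # WMI/CIM supplies the command line and session ID that a Toolhelp snapshot does not carry
    $byPid = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }

    Get-Process | Where-Object { -not $ProcessId -or ($ProcessId -contains $_.Id) } | ForEach-Object {
        $proc = $_
        $w    = $byPid[$proc.Id]
        # Path is $null when the process cannot be opened (PPL or higher integrity); this is the
        # user-mode blind spot that motivates kernel-level enumeration for PPL detection
        $path = $proc.Path
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
        $mods = @()
        try { $mods = @($proc.Modules | ForEach-Object { $_.FileName }) } catch { }
        # Modules loaded from outside the Windows / Program Files trees are injection or sideload candidates
        $odd = @($mods | Where-Object { $_ -and $_ -notmatch '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\' })

        [pscustomobject]@{
            Pid         = $proc.Id
            Name        = $proc.ProcessName
            SessionId   = $proc.SessionId
            CommandLine = $w.CommandLine
            Path        = $path
            Signature   = $sig          # Valid, NotSigned, HashMismatch, ... or Unknown when the image is unreadable
            ModuleCount = $mods.Count
            OddModules  = $odd
            OpenFailed  = (-not $path)  # access denied is itself a hint that the process is protected
        }
    }
}

# Report the interesting subset: unsigned/unreadable images or modules loaded from unusual locations
Get-ProcessSurvey |
    Where-Object { $_.Signature -ne 'Valid' -or $_.OddModules.Count -gt 0 } |
    Format-Table Pid, Name, SessionId, Signature, ModuleCount, OpenFailed -AutoSize
```

When reviewing the output, treat OpenFailed rows as "protection level unknown" rather than "unprotected": from user mode you only learn that OpenProcess was refused, which is exactly why the deck pairs enumeration with a driver for accurate PPL detection.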
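Returning to the Stopping EDR Killers slide earlier in the deck, the following is an added example (not the deck's own material) that checks the four listed controls on a Windows host: Secure Boot, HVCI, an enforced WDAC policy, and the Microsoft recommended driver block rules. It reads the documented Win32_DeviceGuard WMI class and the VulnerableDriverBlocklistEnable registry value; the function name and the decision of which values count as "in place" are this example's assumptions.

```powershell
# Added example, not from the deck. Run elevated on the host under assessment.
# Assumption: a control counts as in place only when it is running/enforced, not merely configured.
function Get-EdrKillerPosture {
    $r = [ordered]@{}

    # 1. Secure Boot (UEFI only; the cmdlet throws on legacy BIOS, which we treat as "not enabled")
    try { $r.SecureBoot = [bool](Confirm-SecureBootUEFI) } catch { $r.SecureBoot = $false }

    # 2. VBS and HVCI from the Device Guard WMI class.
    #    VirtualizationBasedSecurityStatus: 0 off, 1 enabled but not running, 2 running
    #    SecurityServicesRunning contains 2 when HVCI (memory integrity) is running
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $r.VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $r.HvciRunning = ($dg.SecurityServicesRunning -contains 2)

    # 3. WDAC kernel-mode policy: 0 off, 1 audit only, 2 enforced
    $r.WdacKernelEnforced = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)
    # Policies deployed in the multiple-policy format live as .cip files under CiPolicies\Active
    $active = Join-Path $env:windir 'System32\CodeIntegrity\CiPolicies\Active'
    $r.ActivePolicyFiles = @(Get-ChildItem -Path $active -Filter '*.cip' -ErrorAction SilentlyContinue).Count

    # 4. Microsoft vulnerable driver blocklist switch (documented registry value)
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $r.VulnerableDriverBlocklist = ($ci.VulnerableDriverBlocklistEnable -eq 1)

    [pscustomobject]$r
}

$posture = Get-EdrKillerPosture
$posture
$missing = $posture.PSObject.Properties |
    Where-Object { $_.Value -eq $false -or $_.Value -eq 0 } |
    ForEach-Object { $_.Name }
if ($missing) { Write-Warning ("EDR-killer mitigations not in place: " + ($missing -join ', ')) }
```

The one thing this script cannot tell you is whether the active WDAC policy is signed. An unsigned policy can be removed by the local admin the deck assumes the attacker already is, which is why the slide says "Signed WDAC Policy" rather than just "WDAC"; confirm the signing status against the policy you deployed (or the citool policy listing on Windows 11 22H2 and later), and treat an audit-only policy (status 1) as no protection at all against a driver-based EDR killer.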