Advice Request FireWalker: A New Approach to Generically Bypass User-Space EDR Hooking


[correlate] (thread author)
May 4, 2019
Introduction
During red team engagements, it is not uncommon to encounter Endpoint Defence & Response (EDR) / Prevention (EDP) products that implement user-land hooks to gain insight into a process’ behaviour and monitor for potentially malicious code. Some great work has been done in bypassing these checks in the past, including from our friends at Outflank who demonstrated this using direct system calls (recommended reading, HT to @Cneelis). However, in this blog post we will illustrate a new, generic approach for circumventing user-land EDR hooks.