The Good, the Bad and the Ugly of Advanced EDR Bypass Tool Frameworks
The rapid evolution of malware's ability to circumvent advanced defence capabilities can be attributed in part to the wide availability of openly shared EDR-bypass techniques and proof-of-concept code, and of red teaming tool frameworks. Threat actors conveniently employ these bleeding-edge approaches and tools as part of their TTPs at different stages of the attack chain, delivering their payloads either directly or via stagers to keep the delivery more subtle, and thereby gain prolonged, undetected remote access to various parts of the target environment. It is far from trivial for EDR solutions to keep pace with all these new delivery mechanisms and malicious activities, and we can only attempt to do so if we are keenly aware of these capabilities through diligent, hands-on research.
Let us begin with the abuse of Brute Ratel, an advanced red team and adversary simulation software and post-exploitation tool with wide-ranging capabilities such as a built-in debugger to detect EDR hooks, support for exfiltration over multiple protocols, in-memory patching of AMSI, and module stomping. Brute Ratel consists of a server component, which serves as the tool's interface, and a client component known as the "badger", which is the final payload providing backdoor access.
Next, we have the infamous Cobalt Strike, which threat actors have abused for years. The tool boasts extensive capabilities, including indirect syscalls, sleep obfuscation, and call stack spoofing with timers.
Finally, another red teaming tool gaining popularity is Sliver C2, which offers features such as compile-time obfuscation and in-memory .NET assembly execution.
While all these post-exploitation tools share some common functionality, each implements it in its own way.
In this presentation we will reveal the panoply of EDR-bypass techniques implemented in the above-mentioned post-exploitation tools, based on our analysis of the versions available to us. We will also draw on our investigations into real-world scenarios in which we have observed groups such as APT29 use DLL sideloading to inject post-exploitation payloads into LOLBins. Additionally, we will discuss the use of Bumblebee, a loader known for deploying Sliver C2 on compromised victim machines, and highlight how many ransomware groups have employed similar post-exploitation frameworks to maintain discreet access to compromised systems. Last, but not least, we will divulge which of the three tool frameworks is the Good, which the Bad, and which the downright Ugly.
Mr. Andrew Shelton Lotus Edison
Andrew Shelton Lotus Edison completed his Bachelor's degree in Computer Science Engineering at Anna University, Chennai. In 2021, he began his professional journey as a Threat Researcher at K7 Computing's Threat Control Lab. His primary responsibilities involve reverse engineering and writing detections for various malware families, handling enterprise escalations, and keeping up with the latest trends. Andrew is passionate about programming, malware analysis and reverse engineering, and his research findings are published on the K7 Threat Control Lab's technical blog. In his leisure time, he enjoys playing combat flight simulation games and travelling with his friends.