Two of the simplest forms of evasion are surprisingly effective against EDRs. By Dan Goodin @dangoodin001 - August 30, 2022
This is a bit of old news, but still quite shocking! And too bad that the names of these companies are not revealed! Remember that the only reason why Win Defender has been improved on Windows is because M$ wanted a piece of the very lucrative EDR market pie. But it's ridiculous that certain EDRs can be bypassed this easily! No wonder that so many attacks on companies are so successful. I also have to criticize the Windows OS design, which makes this possible in the first place. But it's no excuse that developers of these EDRs are apparently not aware of these design errors.
I dunno how those EDR solutions were tested? For example, McAfee Endpoint Security, by default, sure uses default settings which are crap. Of course it is an admin's job to tighten your fav EDR solution. For example, for me, it took about two weeks to "tune" my McAfee Endpoint Security for my environment. After reading hundreds of pages of McAfee Endpoint "Best Practices", forum posts and YouTube videos, I'm pretty happy with what I accomplished. Was it worth it? Yes it was, I've learned a lot, and it's always good to learn something new.
This is weird as hell! Perhaps I had a blackout or something, but I can swear that a couple of days ago I read that the researchers didn't want to mention the names of the tested EDRs? But anyway, shame on Microsoft, SentinelOne and Symantec, all this bragging and boasting about how they can stop most attacks, but completely oblivious to relatively simple bypassing methods. I'm guessing that it doesn't matter what settings you are using in the EDR, since they simply fail to spot certain bypassing methods.
Speaking of bragging and boasting, I came across this test where SentinelOne beats Win Defender ATP when it comes to protecting companies against the Carbanak and FIN7 hacking group, pretty interesting video: https://assets.sentinelone.com/c/microsoft-vid?x=u6040P&lx=wPviVP
BTW, I came across Morphisec who blatantly claims that 30% of all EDRs get bypassed. I wouldn't be surprised if this is true since so many companies get hacked. Morphisec makes use of what they call MTD, see links for more info. It sounds very interesting, and I wonder if anyone else is using the same technology. I do know that HMPA has a feature that will make malware think it is running in a VM, but I believe this is not quite the same. https://www.morphisec.com/moving-target-defense https://blog.morphisec.com/business-ransomware-protection-edr