
Arsenal: Bypass EDRs/XDRs and make malware analysis harder


In this blog, I am going to explain multiple techniques to bypass AV/EDR/XDR security solutions. As a red teamer and security guy, I always try to explore new methods and approaches to bypass security controls. My work is related to offensive security: “Offense is the best defense”. This blog is definitely going to help the red team as well as the blue team.

Today I am going to build a defense evasion arsenal that uses direct syscalls, sandbox bypass techniques, strong encryption and random procedure names to bypass AV/EDRs. I will also explain a method to bypass the signatures for Outflank’s well-known tool Dumpert. Dumpert uses direct syscalls to bypass security controls such as AV/EDR user-land hooking and to create memory dumps. Because Dumpert is a well-known, open-source tool, most AV/EDRs have updated their signatures for it. In my own testing, when I compiled Dumpert, Microsoft Defender detected it as soon as it touched disk. So instead of changing Dumpert’s signature, I chose a different way to bypass detection, both statically and dynamically. Before explaining the techniques, let’s talk about Windows APIs and Native APIs. I am not going to explain them very deeply because I have already explained the flow of APIs in my previous blog post.

Previous post: AV/EDR Evasion Using Direct System Calls (User-Mode vs Kernel-Mode) (medium.com): “Modern AVs and EDRs use a variety of approaches to accomplish both static and dynamic analysis. They can examine many…”

Applications in Windows run in user mode, and to perform operations they call Windows APIs. The Native APIs in ntdll.dll are the last user-mode layer that AV/EDR security solutions can monitor before execution transitions to the kernel. Let’s take the example of simple malware that performs process injection using Windows API calls such as VirtualAllocEx, WriteProcessMemory and CreateRemoteThread. These APIs in turn call their Native API counterparts in ntdll.dll. The functions in ntdll.dll are short sequences of assembly instructions that issue the system call into the kernel. Most AV/EDRs hook these Native APIs and redirect the program’s control flow whenever an application calls one of them, in order to observe the program’s behaviour. When a new process is spawned, EDRs load their DLLs into the process memory to inspect its behaviour.
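The flip side of the flow just described is how a sensor can tell a hooked ntdll call from a syscall issued directly: at the kernel entry point, the user-mode return address of a legitimate Nt* call lies inside ntdll.dll (or win32u.dll for GUI syscalls), whereas a direct syscall returns into the caller’s own image or into unbacked memory. The following is an added example, not code from the original post, that applies that check to constructed telemetry; the module bases, sizes and event addresses are made-up sample data, and `SYSCALL_ALLOWLIST`, `classify_syscall` and `scan` are names chosen for this example.

```python
# Added example (not code from the original post): classify syscall telemetry
# by the module that issued the syscall. A kernel-side sensor or EDR callback
# can apply this check to spot direct syscalls. All addresses below are
# constructed sample data, not real module bases.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Modules that legitimately execute the `syscall` instruction on x64 Windows.
SYSCALL_ALLOWLIST = {"ntdll.dll", "win32u.dll"}

# Constructed module map of a hypothetical process (made-up base addresses).
MODULE_MAP: List[Module] = [
    Module("ntdll.dll", 0x7FF8_0000_0000, 0x1F0000),
    Module("kernel32.dll", 0x7FF7_F000_0000, 0xC0000),
    Module("implant.exe", 0x1_4000_0000, 0x20000),
]

# Constructed telemetry: (syscall name, user-mode return address captured at
# kernel entry, i.e. the address of the instruction after `syscall`).
SAMPLE_EVENTS: List[Tuple[str, int]] = [
    ("NtAllocateVirtualMemory", 0x7FF8_0002_1D34),  # inside ntdll: the normal, hookable path
    ("NtAllocateVirtualMemory", 0x1_4001_2A10),     # inside implant.exe: a direct syscall stub
    ("NtWriteVirtualMemory", 0x0210_0000_5F00),     # no module at all: unbacked/injected code
]


def module_for(addr: int, modules: List[Module] = MODULE_MAP) -> Optional[str]:
    """Name of the loaded module covering addr, or None if the address is unbacked."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def classify_syscall(ret_addr: int, modules: List[Module] = MODULE_MAP) -> Tuple[str, str]:
    """Return (verdict, origin) for one syscall event."""
    origin = module_for(ret_addr, modules)
    if origin in SYSCALL_ALLOWLIST:
        return "ok", origin
    if origin is None:
        return "direct-syscall-unbacked", "unbacked"
    return "direct-syscall", origin


def scan(events=SAMPLE_EVENTS, modules=MODULE_MAP):
    """Classify every event; returns [(syscall, hex return address, verdict, origin)]."""
    return [(name, hex(addr), *classify_syscall(addr, modules)) for name, addr in events]


if __name__ == "__main__":
    for row in scan():
        print(*row)
```

A single return-address check is a triage signal rather than a verdict: a production sensor walks the whole call stack and correlates the event with the process’s image load history, and the allowlist must include win32u.dll or every GUI syscall from a legitimate application will be flagged.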

Defense Evasion Arsenal

Direct syscalls are always a hot topic for red teamers. In my arsenal, I used direct syscalls to bypass user-mode hooking by AV/EDRs. I also used some techniques that make malware analysis harder. When we open a binary statically in IDA Pro or a binary parser and run a string search, we can usually tell what task the binary performs. To make static analysis hard, I used several different techniques.

PART 1

I divided my work into two parts. The first part explains the syscalls using the Native API function names, and in the second part I used random names in my implant in order to make static analysis hard. Let’s discuss the preparation for the defense evasion arsenal.

Firstly, I created ASM/H pairs using SysWhispers2. SysWhispers2 uses random function names every time and resolves syscalls dynamically. In this picture, you can see the assembly file generated by SysWhispers2. The function hash is held in a global variable and the syscall is resolved accordingly. The procedure names are the same as the Native API calls. Although this approach bypasses AV/EDR user-land hooking, I realized that if I use these names in my implant, Windows Defender or other security controls can catch my binary in static or heuristic analysis.

Defined Procedures

You can see that this resolves the function hash into a syscall number and makes the call.

Functions to resolve direct syscalls numbers

I wrote code in C++ that uses direct syscalls. In part 1, I used the same names in my code and performed static analysis using IDA Pro.

Calling with same names as ntdll.dll defined

After analysing my implant statically in IDA Pro, I can clearly see the native calls, which reveal the behaviour of my binary. Malware analysts can easily understand that this binary is injecting into a process, because this combination of calls is what malware developers use to perform process injection.

STATIC ANALYSIS (API CALLS)

Although I am using direct syscalls, and this technique bypasses most AV/EDRs, I still want to make my implant stealthier and harder to analyse. I used AES encryption in order to bypass static analysis: I am using the well-known tool MSFvenom to create shellcode, which is heavily detected by AV/EDRs, so I encrypted my shellcode using AES.

AES Decryption in C++

Apart from encryption, I also used three sandbox bypass techniques: one checks the size of RAM, the others check processor speed and the number of cores. You can change the number of cores and the size of RAM accordingly; I am using an 8 GB RAM condition in my code. If the RAM size is less than 8 GB, the program exits at that point.

Sandboxes bypass techniques

PART 2

As I mentioned in part 1, I am using random procedure and function names to make the implant stealthier. This time, I changed the procedure names and also changed the prototype names. Native APIs are undocumented, but you can easily find prototypes for them.

Random Procedures Names

RANDOM NAMES IN PROTOTYPES

You can see that this time I used random function names in my implant. I am doing this to make static analysis harder for malware analysts, and also because in future AV/EDRs could catch my binary based on these function names and signatures.

Random functions names

Difficult to understand

No Imports and String Searches
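Two of the properties claimed above, an AES-encrypted shellcode blob and a binary with almost no imports or searchable strings, are exactly what entropy-based triage looks for: ciphertext has a near-uniform byte distribution, so a sliding Shannon-entropy scan locates it even when no signature matches, and a near-empty import table alongside such a region is a strong packed-or-encrypted indicator. The following is an added example, not code from the original post, that runs that triage over a constructed section; the buffer is repeated ASCII text, a SHA-256 counter stream standing in for ciphertext, and zero padding, and `high_entropy_regions` and `triage` are names chosen for this example.

```python
# Added example (not code from the original post): entropy triage for a PE
# section or memory buffer, plus the import-table size as a second signal.
# The sample section below is constructed, not taken from any real binary.
import hashlib
import math
from typing import Dict, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data: bytes, window: int = 512, threshold: float = 7.0) -> List[Tuple[int, int]]:
    """(offset, length) of each maximal run of windows whose entropy >= threshold.
    7.0 bits/byte is a common heuristic cut-off for compressed or encrypted
    data; machine code and strings usually sit well below it."""
    regions = []
    start = None
    for off in range(0, len(data), window):
        if shannon_entropy(data[off:off + window]) >= threshold:
            if start is None:
                start = off
        elif start is not None:
            regions.append((start, off - start))
            start = None
    if start is not None:
        regions.append((start, len(data) - start))
    return regions


def triage(data: bytes, import_count: int) -> Dict[str, object]:
    """Combine the entropy scan with the number of imported functions."""
    regions = high_entropy_regions(data)
    if regions and import_count < 5:
        verdict = "likely-encrypted-payload"
    elif regions:
        verdict = "high-entropy-region"
    else:
        verdict = "clean"
    return {"entropy": round(shannon_entropy(data), 2), "regions": regions, "verdict": verdict}


# --- constructed sample section ------------------------------------------
_text = (b"This program cannot be run in DOS mode.\r\n" * 40)[:1024]   # low entropy
_ciphertext_stand_in = b"".join(                                        # 2048 bytes, ~7.6 bits/byte
    hashlib.sha256(b"constructed-sample-" + i.to_bytes(4, "little")).digest() for i in range(64)
)
SAMPLE_SECTION = _text + _ciphertext_stand_in + bytes(1024)             # 4096 bytes total

if __name__ == "__main__":
    print(triage(SAMPLE_SECTION, import_count=3))
```

The window size is a trade-off: a small window finds short blobs but produces more false positives on compressed resources, which is why the import count (or a resolved-at-runtime import pattern) is used as a second signal before raising an alert.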

I tested these techniques on Windows 11 against Microsoft Defender, McAfee and Kaspersky, but none of them was able to detect my implant. I was able to bypass the static and dynamic analysis of these security controls.

Windows Defender Bypassed

I injected my payload into explorer.exe. You can see my payload in explorer.exe’s memory, in a region that is RWX.

Payload in explorer.exe
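The RWX region visible in that screenshot is the artifact a defender hunts for: a committed, executable region that is not backed by an image on disk, and in the worst case writable as well. The following is an added example, not code from the original post, that classifies a process memory map the way a memory scanner would; the protection and type constants are the real MEMORY_BASIC_INFORMATION values, while the region list is constructed sample data in the shape VirtualQueryEx returns, and `classify_region` and `suspicious_regions` are names chosen for this example.

```python
# Added example (not code from the original post): flag executable memory
# that is not backed by a loaded image, the footprint of injected shellcode.
# Constants are real Windows values; the region list is constructed.
from dataclasses import dataclass
from typing import List, Tuple

# Protection flags (low byte of MEMORY_BASIC_INFORMATION.Protect).
PAGE_NOACCESS = 0x01
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
WRITABLE_EXECUTABLE = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# State and Type fields.
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000


@dataclass(frozen=True)
class Region:
    base: int
    size: int
    state: int
    protect: int
    kind: int  # MEM_IMAGE, MEM_MAPPED or MEM_PRIVATE


# Constructed memory map of a hypothetical explorer.exe (addresses made up).
SAMPLE_REGIONS: List[Region] = [
    Region(0x7FF8_0000_1000, 0x150000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE),  # ntdll .text
    Region(0x0123_0000, 0x10000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),          # heap
    Region(0x0260_0000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),   # injected shellcode
    Region(0x0270_0000, 0x2000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_PRIVATE),        # executable, not image-backed
    Region(0x0300_0000, 0x1000, MEM_RESERVE, PAGE_NOACCESS, MEM_PRIVATE),           # reserved only, not committed
]


def classify_region(r: Region) -> str:
    """'rwx-non-image' (high), 'exec-non-image' (medium) or 'benign'."""
    if r.state != MEM_COMMIT:
        return "benign"
    protect = r.protect & 0xFF  # strip PAGE_GUARD / PAGE_NOCACHE modifier bits
    if protect not in EXECUTABLE or r.kind == MEM_IMAGE:
        return "benign"
    if protect in WRITABLE_EXECUTABLE:
        return "rwx-non-image"
    return "exec-non-image"


def suspicious_regions(regions: List[Region] = SAMPLE_REGIONS) -> List[Tuple[str, int, str]]:
    """(hex base, size, finding) for every committed executable region not backed by an image."""
    findings = []
    for r in regions:
        verdict = classify_region(r)
        if verdict != "benign":
            findings.append((hex(r.base), r.size, verdict))
    return findings


if __name__ == "__main__":
    for base, size, finding in suspicious_regions():
        print(f"{base} {size:#x} {finding}")
```

Executable private memory on its own is only a medium signal, because JIT runtimes such as .NET and browser engines create it legitimately; a writable-and-executable private region in a process like explorer.exe, which has no JIT, is far rarer and is the finding worth alerting on and dumping for the entropy triage shown earlier.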

I also checked my binary on antiscan.me to see the detection rate of these techniques, and my binary was fully undetectable.

https://antiscan.me/scan/new/result?id=DpzbbuU1wnXV

By using direct syscalls, sandbox bypass techniques, strong encryption and random procedure names, I was able to bypass EDR/XDR detection. Now, in my last part, I also want to explain a method that can be used to bypass the signatures for the Dumpert tool created by Outflank.

BYPASS DUMPERT TOOL (OUTFLANK)

Outflank created a very amazing tool that uses direct syscalls to create memory dumps, but because it is open source, almost every AV/EDR has updated its signatures for Dumpert. Instead of changing the signature, I used another, easier way to bypass it. This technique really works, and you will see the amazing results.

Firstly, I converted Dumpert into position-independent shellcode in raw form using the tool Donut, created by TheWover. You just need a simple command to convert Dumpert.exe into raw shellcode.

Convert EXE into Shellcode

So, in order to bypass static analysis of Dumpert, I am executing it in memory. Dumpert itself uses direct syscalls to create memory dumps, but I also created my own injector, which loads the Dumpert shellcode into a remote process. This loader uses the same techniques I have already described above.

Execution of Dumpert using Process Injection

Memory Dumps

This technique also bypasses AV/EDRs because I used direct syscalls in my injector to bypass their user-mode hooking.

CONCLUSION

Direct syscalls are mostly used by red teamers and attackers to bypass user-land hooking by security controls. But in this blog, I also explained other techniques that can be used to make implants stealthier and harder to detect. I also explained a method to bypass the signatures for the well-known tool Dumpert. In my upcoming blogs, I would love to add more stealthy techniques.
