EDR detection mechanisms and bypass techniques with EDRSandBlast - Thomas Diot, Maxime Meignan

EDR detection mechanisms and bypass techniques with EDRSandBlast

Thomas Diot, Maxime Meignan

EDRSandBlast is a tool written in C that implements and industrializes known as well as original bypass techniques to make EDR evasion easier during adversary simulations. Both user-land and kernel-land EDR detection capabilities can be bypassed, using multiple unhooking techniques and a vulnerable signed driver to unregister kernel callbacks and disable the ETW Threat Intelligence provider. Since the initial release, multiple improvements have been implemented in EDRSandBlast: it is now possible to use this toolbox as a library from another attacking tool, new bypasses have been implemented, the embedded vulnerable driver is now interchangeable to increase stealthiness and the use of a pre-built offsets database is no more required! Come discover our tool and its new features, learn (or teach us!) something about EDRs and discuss about the potential improvements to this project.

Thomas Diot (Qazeer) is a security consultant at Wavestone, an independent French consulting firm. His work involves a mix of penetration testing, Red / Purple Teams engagements, and Incident Responses with Wavestone CERT-W. Thomas enjoys practicing and improving his skills by playing in CTFs, developing tools, and working on various security projects.

Maxime Meignan (@th3m4ks) is a security consultant at Wavestone, based in Paris, since the middle of the last decade. Loving to reverse engineer binaries in both professional and CTF contexts, Maxime has an IDA sticker on the back of his smartphone. And writes this uninteresting fact in his bio. He is currently interested in various fields of security, related to EDR software, Windows internals and Virtualisation Based Security.