Came up with a new EDR bypass technique that makes it possible to block the EDR from loading its DLL into our process, preventing any user mode hooks from being deployed.
I've currently tested it with a few major EDRs, but it should theoretically work against most with only a few small tweaks.
https://malwaretech.com/2024/02/bypassing-edrs-with-edr-preload.html
Marcus Hutchins :verified: /
npub1t5…338yv
2024-02-13 19:11:56
Author Public Key
npub1t5y3qpya5m4v4tv73yw447uglfsn7j44znv2d38m2xsrah4kpm0qt338yvPublished at
2024-02-13 19:11:56Event JSON
{
"id": "ac580176b4c4bb94898dce544dbfe91dc410a0077d3d15ebeeaa56417fe1c334",
"pubkey": "5d0910049da6eacaad9e891d5afb88fa613f4ab514d8a6c4fb51a03edeb60ede",
"created_at": 1707847916,
"kind": 1,
"tags": [
[
"proxy",
"https://infosec.exchange/users/malwaretech/statuses/111925521072706602",
"activitypub"
]
],
"content": "Came up with a new EDR bypass technique that makes it possible to block the EDR from loading its DLL into our process, preventing any user mode hooks from being deployed.\n\nI've currently tested it with a few major EDRs, but it should theoretically work against most with only a few small tweaks.\n\nhttps://malwaretech.com/2024/02/bypassing-edrs-with-edr-preload.html",
"sig": "aa1cf4333f6e3b5474baa9fc9818744d83196d617f789c71b16c97cbc96b0255289446ddd5a57bbd56842c2144f2113ff5e0b2649c1789f826f93e20b32718ec"
}