ANALYSIS OF THE WAYS OF BYPASSING THE TOOLS FOR THE THREATS PREVENTION AND RESEARCHING COUNTERING METHODS

Authors

  • Maksym Opanovych Lviv Polytechnic National University, Lviv, Ukraine

DOI:

https://doi.org/10.18372/2310-5461.62.18705

Keywords:

APT, EDR, antivirus, threat detection, cybersecurity, defense evasion, LOLBAS, Sysmon

Abstract

This study examines the evasion techniques employed by Advanced Persistent Threat (APT) groups to bypass traditional defenses such as antivirus software and endpoint detection and response (EDR) systems. The focus is on obfuscation, encryption, and exploitation of vulnerabilities in the security tools themselves, which have been identified as significant challenges to effective threat detection. It examines how attackers use Living Off The Land Binaries and Scripts (LOLBAS) to turn built-in system tools to stealthy ends, blending malicious activity with legitimate processes to avoid detection. The role of security information and event management (SIEM) systems in improving detection capabilities is also discussed: SIEM systems collect and analyze security data across a network, providing a holistic view that helps to identify potential threats and breaches early and thereby strengthens an organization's security posture. Vulnerabilities in EDR and antivirus solutions themselves are analyzed, showing how they can be exploited to disable or bypass these critical protections and leave systems exposed. In addition, the development of malware generators based on machine learning techniques is discussed; such tools, capable of creating adaptive malware designed to bypass current security measures, mark a complex evolution in offensive capabilities. To counter these threats, a comprehensive security strategy is proposed that combines the concepts of zero trust, defense in depth, and hardening (security enhancement). Under the zero-trust model, all access requests, regardless of origin, must be strictly verified; defense in depth means implementing multiple layers of security across the IT environment; and hardening focuses on strengthening systems and applications to reduce vulnerabilities and the number of attack vectors.

Author Biography

Maksym Opanovych, Lviv Polytechnic National University, Lviv, Ukraine

Postgraduate student

References

LOLBAS. lolbas-project.github.io. URL: https://lolbas-project.github.io/ (accessed 14.05.2024)

MITRE ATT&CK Enterprise Matrix. attack.mitre.org. URL: https://attack.mitre.org/matrices/enterprise/ (accessed 14.05.2024)

Talha Ongun, Jack W. Stokes, Jonathan Bar Or, Ke Tian, Farid Tajaddodianfar, Joshua Neil, Christian Seifert, Alina Oprea, and John C. Platt (2021). Living-Off-The-Land Command Detection Using Active Learning. In Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses (RAID '21). Association for Computing Machinery, New York, NY, USA, 442–455. https://doi.org/10.1145/3471621.3471858

Stamp, Ryan. (2022). Living-off-the-Land Abuse Detection Using Natural Language Processing and Supervised Learning. https://doi.org/10.48550/arXiv.2208.12836

Kozák, Matouš & Jureček, Martin. (2023). Combining Generators of Adversarial Malware Examples to Increase Evasion Rate. https://doi.org/10.48550/arXiv.2304.07360

Afianian, Amir & Niksefat, Salman & Sadeghiyan, Babak & Baptiste, David. (2018). Malware Dynamic Analysis Evasion Techniques: A Survey. https://doi.org/10.48550/arXiv.1811.01190

Aminu S. A., Sufyanu Z., Sani T., & Idris A. (2020). Evaluating the effectiveness of antivirus evasion tools against Windows platform. FUDMA Journal of Sciences, 4(1), 112–119. URL: https://fjs.fudutsinma.edu.ng/index.php/fjs/article/view/27

Ping Chen, Christophe Huygens, Lieven Desmet, Wouter Joosen (2016). Advanced or Not? A Comparative Study of the Use of Anti-debugging and Anti-VM Techniques in Generic and Targeted Malware. 31st IFIP International Information Security and Privacy Conference (SEC), May 2016, Ghent, Belgium. pp. 323–336. https://doi.org/10.1007/978-3-319-33630-5_22. hal-01369566

Russinovich M. (2015). Malware Hunting with the Sysinternals Tools. RSA Conference 2015: Presentation, San Francisco, 20–24 April 2015.

Karantzas G., Patsakis C. (2021). An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Attack Vectors. Journal of Cybersecurity and Privacy, 1(3), 387–421. https://doi.org/10.3390/jcp1030021

Advanced Threat Protection Test 2023 – Enterprise. av-comparatives.org. URL: https://www.av-comparatives.org/tests/advanced-threat-protection-test-2023-enterprise/ (accessed 14.05.2024)

Vijayan J. For Cyberattackers, Popular EDR Tools Can Turn into Destructive Data Wipers. darkreading.com. URL: https://www.darkreading.com/vulnerabilities-threats/cyberattackers-popular-edr-tools-destructive-data-wipers (accessed 14.05.2024)

CVE-2022-44721 Crowdstrike Falcon Uninstaller. github.com. URL: https://github.com/gmh5225/CVE-2022-44721-CsFalconUninstaller (accessed 14.05.2024)

Discovering Zero-Day Vulnerabilities in McAfee Products. mr.d0x Security Research. URL: https://mrd0x.com/discovering-mcafee-products-zero-day-vulnerabilities/ (accessed 14.05.2024)

Modern EDR Design Issues: Bypassing ETW-Based Solutions. BINARLY. URL: https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions (accessed 14.05.2024)

Tylous/ScareCrow: Payload creation framework designed around EDR bypass. GitHub. URL: https://github.com/Tylous/ScareCrow (accessed 15.05.2024)

Tylous/Ivy. GitHub. URL: https://github.com/Tylous/Ivy (accessed 15.05.2024)

Shellter | AV Evasion Artware. URL: https://www.shellterproject.com/ (accessed 16.05.2024)

r00t-3xp10it/venom: C2 shellcode generator/compiler/handler. GitHub. URL: https://github.com/r00t-3xp10it/venom (accessed 15.05.2024)

Zhuravchak, D., Hlushchenko, P., Opanovych, M., Dudykevych, V., & Piskozub, A. (2023). Zero trust concept for Active Directory protection for ransomware detection (in Ukrainian). Cybersecurity: Education, Science, Technique, 2(22), 179–190. https://doi.org/10.28925/2663-4023.2023.22.179190

Opanovych, M. (2024). Enhancing Active Directory Security Monitoring with Sysmon. The Science of Tomorrow: Innovative Approaches and Forecasts (pp. 60–64). Futurity Research Publishing.

Published

2024-07-29

Section

Information technology, cybersecurity