My learnings on how the different EDR and antivirus bypass techniques are used in the field.
In this series, I will explore the techniques used in the field to bypass antivirus and EDR systems. I am new to this field, and the best way to start is to read, implement, and understand the subject instead of immediately jumping to the advanced techniques. I like to start at the beginning and take you with me in exploring the techniques currently used in the field. Therefore, we will start with the Windows (native) APIs. Specifically, this blog post will go into depth on 3 items:
Note that the following items will be detected by almost all EDRs. This series hopefully gives a better insight into the basics and foundations of Windows. In the next chapters, we will dig deeper and deeper into the subject. In the end, I see it as an opportunity to share my experience and “research” with the community, and to create some useful documentation for myself that I can reference in the future.
Before we can explain how antivirus and EDRs could be evaded by making use of system calls, it is good to understand what a system call is.
In one sentence:
A system call is a programmatic instruction that allows a temporary transition from user mode to kernel mode.
Before we delve deeper, I think it is important to take a step back even further and understand what user mode and kernel mode mean.
A processor in a computer running Windows has two different modes: user mode and kernel mode.
The processor switches between the two modes depending on what type of code is running on the processor. Applications run in user mode, and core operating system components run in kernel mode. While many drivers run in kernel mode, some drivers may run in user mode.