IEEE Access (Jan 2024)

Effects of Removing User-Land Hooks in Endpoint Protection During Attack Experiments

  • Trevor M. Lewis,
  • Bhaskar P. Rimal

DOI
https://doi.org/10.1109/ACCESS.2024.3357525
Journal volume & issue
Vol. 12
pp. 15820 – 15844

Abstract

This paper conducts research on current-generation Endpoint Detection and Response (EDR) solution design that identifies fundamental gaps in the prevention and detection of malicious cyber techniques. These fundamental gaps are the result of using “user-land hooks” or “user-mode hooks” into user and system processes as the sole mechanism to detect malicious cyber activity on endpoints (workstations and servers). When these user-land hooks are removed from processes, the EDR solution no longer has visibility into any actions an attacker may take within a compromised process (lateral process access, memory reads/writes, network connections, etc.). Through extensive experiment design and thorough experimentation with an example open-source EDR solution, this paper illustrates that if user-land hooks are removed from a process, attackers can execute typical techniques and chains of techniques without being detected, in both the initial exploitation and post-exploitation categories of techniques. Experimentation under baseline conditions illustrates that the example EDR solution detects only 1/6 techniques in the developed attack chain. Experimentation under evasion conditions, where user-land hooks are removed, illustrates that the example EDR solution detects 0/8 techniques in the developed attack chain. These results are significant to the industry because current-generation EDR solutions are often trusted indiscriminately within organizations due to their advertised capabilities for detecting in-memory attack techniques. This paper proves that any system running an EDR solution with similar design characteristics and configurations could be affected by these fundamental gaps, which allow attackers to maneuver in and out of a system without being detected.

Keywords