Jeanpascal.thomas@orangecyberdefense.com

Filter-Mute Operation: Investigating EDR Internal Communication

28 July 2023 ~14 min By jeanpascal.thomas@orangecyberdefense.com

Edr Kernel Reversing Windows Av Bypass Reverse Engineering

For our annual internal hacker conference dubbed SenseCon in 2023, I decided to take a look at communication between a Windows driver and its user-mode process. Here are some details about that journey. TL;DR Attackers could use Windows kernel R/W exploit primitive to avoid communication between EDR_Driver.sys and its EDR_process.exe. As a result some EDR detection mechanisms will be disabled and make it (partially) blind to malicious payloads. This blogpost describes an alternative approach which doesn’t remove kernel callbacks and gives some recommendations for protecting against this “filter-mute” attack.

Edr
Kernel
Reversing
Windows
Av Bypass
Reverse Engineering

Page 1 of 1