The ingenuity of malware substitution: Bypassing next-generation Antivirus

Ellahi, Osama; Shah, Munam Ali; Rana, Muhammad Usman

doi:10.23919/icac50006.2021.9594221

Cited by 2 publications

(1 citation statement)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This capability is distinct from detecting malicious use of Windows API function calls via function hooking, as is described in Section II of this paper. Some example publications we identified in the past four years on bypassing anti-virus/EDR systems using a variety of techniques are from Genc et al [14] with controlling mouse and keyboard inputs in a novel way, Ellahi with C# memory manipulation [15], Ajmal et al [16] with process injection techniques, and Chatzoglou et al [17] with code obfuscation and other techniques. One final note is that these example publications illustrate "bypassing" anti-virus/EDR systems by achieving a no-alert result rather than overt tampering and prevention of alerting that the research in this paper focuses on.…”

Section: Related Workmentioning

confidence: 99%

Effects of Removing User-Land Hooks in Endpoint Protection During Attack Experiments

Lewis,

Rimal

2024

IEEE Access

View full text Add to dashboard Cite

This paper conducts research on current-generation Endpoint Detection and Response (EDR) solution design that identifies fundamental gaps in the prevention and detection of malicious cyber techniques. These fundamental gaps are the result of using "user-land hooks" or "user-mode hooks" into user and system processes as the sole mechanism to detect malicious cyber activity on endpoints (workstations and servers). When these user-land hooks are removed from processes, the EDR solution no longer has visibility into any actions an attacker may take within a compromised process (lateral process access, memory reads/writes, network connections, etc.). Through extensive experiment design and thorough experimentation with an example open-source EDR solution, this paper illustrates that if user-land hooks are removed from a process, attackers can execute typical techniques and chains of techniques without being detected in both initial exploitation and post-exploitation categories of techniques. Experimentation under baseline conditions illustrates that the example EDR solution only detects 1/6 techniques in the developed attack chain. Experimentation under evasion conditions, where user-land hooks are removed, illustrates that the example EDR solution detects 0/8 techniques in the developed attack chain. These results are significant in the industry because current-generation EDR solutions are often trusted indiscriminately within organizations due to their advertised capabilities for detecting in-memory attack techniques. This paper proves that any system running an EDR solution with similar design characteristics and configurations could be affected by these fundamental gaps that allow attackers to maneuver in and out of a system without being detected.INDEX TERMS API hooking, ATT&CK, ATT&CK technique experimentation, EDR, endpoint detection and response, endpoint protection, MITRE ATT&CK, user-land hooks, and Windows API hooking.

show abstract

Section: Related Workmentioning

confidence: 99%

Effects of Removing User-Land Hooks in Endpoint Protection During Attack Experiments

Lewis,

Rimal

2024

IEEE Access

View full text Add to dashboard Cite

show abstract

Offensive Security: Cyber Threat Intelligence Enrichment With Counterintelligence and Counterattack

et al. 2022

View full text Add to dashboard Cite

Cyber-attacks on financial institutions and corporations are on the rise, particularly during pandemics. These attacks are becoming more sophisticated. Reports of hacking activities against government and commercial sector organisations have garnered a lot of attention in the last several years. By design, the focus of Cyber Threat Intelligence (CTI) is exclusively defensive. This is because most of the CTI-derived analysis output is intended to prevent breaches or facilitate early detection. So, there is a need to have a new mechanism for unmasking the attacker. In this research, we demonstrate cyber threat intelligence enrichment with counterintelligence and counterattack combined with certain new methods to exploit the adversary's vulnerability and fully control the attacker's system. Attackers use a VPN to establish an anonymous connection. A VPN creates a secure "tunnelling" to the internet, with the VPN server acting as a middleman between the attacker and the web. This provides anonymity because the attacker's IP address seems to be that of the VPN rather than his own, masking the IP address. So, hackers used this application to create persistence because it is automatically launched each time a computer is restarted. As a result, we are attempting to eliminate the persistence by removing it from the startup and registry. This research will help firms detect and identify an assault in its earliest phases, allowing them to respond accordingly. This project will develop new and innovative strategies to bypass VPNs and other security measures in order to obtain correct source information. Companies will be able to identify new methods by which their systems are penetrated and rapidly harden them. Using counterattack and counterintelligence, a proposed technique can bypass a VPN and get adversarial intel. The main goal of this research is to find the attacker's footprints or tracks and find out why the attack was planned in the first place.

show abstract

The ingenuity of malware substitution: Bypassing next-generation Antivirus

Cited by 2 publications

References 11 publications

Effects of Removing User-Land Hooks in Endpoint Protection During Attack Experiments

Effects of Removing User-Land Hooks in Endpoint Protection During Attack Experiments

Offensive Security: Cyber Threat Intelligence Enrichment With Counterintelligence and Counterattack

Contact Info

Product

Resources

About