Gabor Szappanos, Sophos
Gabor Szappanos graduated from the Eotvos Lorand University of Budapest with a degree in physics. His first job was at the Computer and Automation Research Institute, developing diagnostic software and hardware for nuclear power plants. He started antivirus work in 1995 and developed freeware antivirus solutions in his spare time. He joined VirusBuster in 2001, where he was responsible for macro virus and script malware, becoming Head of the virus lab in 2002. Between 2008 and 2015 he was a member of the board of directors of AMTSO (Anti-Malware Testing Standards Organization). In 2012 he joined Sophos, where he works as a threat research director.
Session
This presentation examines the alarming rise in sophisticated malware specifically designed to disable Endpoint Detection and Response (EDR) systems. Neutralizing the defense is a critical phase in modern multi-staged attacks that allows threat actors to operate undetected.
Based on incident response encounters, we have observed that threat actors use a wide variety of EDR evasion techniques. We can categorize these approaches into three major tiers: publicly available tools from open repositories such as GitHub (e.g., Backstab, EDRSilencer, EDRSandBlast); repurposed components of legitimate security software (TDSSKiller, GMer, Huorong HRSword, Comodo Killswitch); and custom-built solutions such as AuKill and EDRKillShifter.
Each category presents unique defensive challenges—while custom solutions can be freely detected, repurposed legitimate software requires more nuanced approaches to avoid false positives and industry backlash. Yet, we have to handle those situations as well.
Our defensive methodology implements multiple protection layers that leverage contextual information, event timelines, and environmental factors. We combine static detections, behavioral protection, and reputation systems into meta-detections that correlate seemingly benign events to identify and block sophisticated attacks.
The presentation provides an insider's view of this ongoing security cat-and-mouse game, featuring real-world case studies that demonstrate our defensive strategies against various EDR killer types. Security professionals will gain practical insights into identifying and mitigating these critical threats that often precede major security breaches.