This document discusses techniques for bypassing endpoint detection and response (EDR) systems using living off the land binaries and macros. It describes what telemetry EDR systems collect and common evasion techniques like using bitsadmin, certutil, and installutil to download files, encode payloads, and execute code. The document warns that these system utilities could be abused to evade detection if used atypically and provides examples of abnormal usage patterns that security teams should watch out for.

1. Fun with Macros!
And other sneaky tricks to avoid
detection...

2. ▪ SEC560 SANS Instructor
▪ Director, Incident Handling, Red Canary
▪ Nice guy
▪ Former radio broadcaster
Greg Bailey
Director, Incident Handling
RED CANARY
@GRBail
Presenter

3. What the heck is Endpoint Detection & Response (EDR)?
What telemetry is collected?
How do I bypass it?
Sneaky Macros!
Overview

4. WHAT IS?
Endpoint Detection
and Response (EDR)

5. https://blogs.gartner.com/anton-chuvakin/2013/07/26/named-endpoint-threat-detection-response/

6. Endpoint Detection Response (EDR) Vendors
THERE ARE LIKE
30 MORE BUT I
STOPPED AT TEN

7. Too
much?

8. Better?

9. Total Excitement!

10. WHAT DOES EDR COLLECT?
Telemetry

11. ▪ Process Telemetry (host, user, domain, proc, parent
proc)
▪ Network Telemetry (port, IP, protocol, bytes transferred)
▪ File Modifications (action, path, name, hash, type)
▪ Module Loads (time, name, path, hash)
▪ Registry Data (time, action path, value)
Windows Telemetry

12. ▪ Process Telemetry (host, user, proc, parent proc)
▪ Network Telemetry (protocol, port, IP, bytes transferred)
▪ File Modifications (action, time, path, name, SHA, type)
▪ Module Loads (time, name, path, SHA)
▪ Binary Metadata (signature, version)
Linux Telemetry A LOT of noise!

13. ▪ Process Telemetry (host, user, hash, proc, parent proc)
▪ Network Telemetry (IP, port, protocol, bytes transferred)
▪ File Modifications (action, path, name, hash, type)
▪ Binary Metadata (digital signature, file version metadata)
MacOS Telemetry Not a lot of
detection
capabilities!

14. THEY CAN SEE EVERYTHING!
What’s a Red Team to
do?

15. EVASION

17. If an EDR platform can’t see it, did it
actually happen?
Evasion Techniques

18. LIVING OFF THE LAND

19. LOLBins/LOLScripts

20. ▪ Be a Microsoft-signed file, either native to the OS or downloaded from
Microsoft.
▪ Have extra "unexpected" functionality. It is not interesting to document
intended use cases.
▪ Exceptions are application whitelisting bypasses
▪ Have functionality that would be useful to an APT or red team
LOLBins/LOLScripts - Criteria
https://github.com/LOLBAS-Project/LOLBAS

21. Executing Code
▪ Arbitrary code execution
▪ Pass-through execution of other programs (unsigned) or scripts (via a LOLBin)
Compiling Code
File Operations
▪ Downloading
▪ Upload
▪ Copy
Persistence
▪ Pass-through persistence utilizing existing LOLBin
▪ Persistence (e.g. hide data in ADS, execute at logon)
LOLBin - functionality

22. UAC bypass
Credential theft
Dumping process memory
Surveillance (e.g. keylogger, network trace)
Log evasion/modification
DLL side-loading/hijacking without being relocated elsewhere in the
filesystem.
LOLBin - functionality

23. Bitsadmin
▪ download/upload jobs and monitor progress
▪ Pass-through execution of other programs (unsigned) or scripts (via a
LOLBin)
certutil
installutil
csc
LOLBin - Examples

24. If an EDR platform generates data in the
woods, do we see it?
Evasion Techniques

25. ▪ Bitsadmin is a LOLBin
▪ Certutil is a LOLBin
▪ InstallUtil is another LOLBin
Let’s Look at a few Techniques

26. ▪ create download or upload jobs and monitor their progress
bitsadmin
https://docs.microsoft.com/en-us/windows/win32/bits/background-intelligent-transfer-service-portal

27. Alternate Data Streams
▪ Defense evasion or persistence
▪ Execute specific file in ADS
Download
▪ Download file from the internet
Copy
▪ Copy file
Execute
▪ Defense evasion
▪ Execute specified binary
bitsadmin abuse
Rob Fuller - @mubix
Chris Gates - @carnal0wnage
Oddvar Moe - @oddvarmoe

31. https://atomicredteam.io/
https://github.com/redcanaryco/atomic-red-team

34. How to Detect Malicious Behavior
Additional flags, processes
used for obfuscation
Look for /AddFile flag
Scheduled tasks for persistence

35. ▪ A Microsoft signed binary, used to obtain Certificate Authority
information and configure Certificate Services
certutil
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil

36. Download
▪ Download file from the Internet
Alternate Data Streams
▪ Download file from the internet and save it in NTFS Alternate Data Stream
Encode
▪ Encode a file to evade defensive measures
Decode
▪ Decode files to evade defensive measures
certutil abuse
Matt Graeber - @mattifestation
Moriarty - @Moriarty_Meng
egre55 - @egre55

38. ▪ Just echo the encoded text and run certutil -decode
certutil
https://gist.github.com/mattifestation/47f9e8a431f96a266522

40. ▪ NORMAL = decoding actual .pem, .cer, or pfx cert files
▪ NOT NORMAL = writing malicious payloads (.exe, scripts, archives)
How to Detect Malicious Behavior
Look for “certutil” && “decode”
▪ May be launched from Office utilities, including:
○ Excel, Publisher, PowerPoint, Visio, Word, etc.

42. Download Files with certutil
Certutil can be used to get around application whitelisting controls. When
used in a malicious manner, it frequently has the -split option (used to
split the embedded ASN.1 element and save to disk).
Examples
certutil -urlcache -split -f [file URL]

44. ▪ A Microsoft signed binary used to install and uninstall resources by
executing specific .NET binaries.
installutil
https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
https://attack.mitre.org/techniques/T1118/

45. Application Whitelisting Bypass
▪ Execute the target .NET DLL or .EXE
Execute
▪ Execute the target .NET DLL or .EXE
installutil abuse
Casey Smith - @subtee

46. https://atomicredteam.io/
https://github.com/redcanaryco/atomic-red-team

50. ▪ NORMAL = used with /u option
How to Detect Malicious Behavior
Check chain of execution &
Child Processes
▪ May be launched from Office utilities, including:
○ Excel, Publisher, PowerPoint, Visio, Word, etc.

51. What on earth!
Here’s an Interesting
Thing!
We found a weird macro that was doing weird stuff

52. OLEVBA
Paul Michaud (@burning_pm)
https://github.com/decalage2/oletools/blob/master/oletools/olevba.py

53. Environ
Paul Michaud (@burning_pm)

54. RootDSE
Paul Michaud (@burning_pm)
Active Directory Service Interface (ADSI)

55. FEEDBACK
Q & A