Live Training | What's New in Lumu Defender


EDR Evasion In Action: Evading Microsoft Defender

The provided transcript outlines a multi-step demonstration of EDR (Endpoint Detection and Response) evasion techniques targeting a system running Microsoft Defender. The process begins with reconnaissance on host 75l65b1 (IP 172.16.166.132), followed by downloading malicious code from a trusted GitHub URL directly into the computer’s memory using PowerShell, so that the download itself avoids network-based detection. Subsequent steps patch the system to bypass AMSI (Anti-Malware Scan Interface) and ETW (Event Tracing for Windows), which effectively stops Windows from logging events and from scanning the malicious memory-resident code.

During the payload execution phase, DNS tunneling malware is inserted into memory and executed, initiating Command and Control (C&C) communication with a remote server. Throughout the entire operation, Microsoft Defender continues to report that it is functioning normally with no alerts generated. However, the Lumu platform identifies the anomaly immediately, detecting 255 accessed records and specific subdomains used for data encoding. The attack concludes with the server gaining total access to the compromised machine’s desktop and task list, maintaining persistence while the built-in antivirus remains unaware of the intrusion.


Takeaways

  • Memory-Resident Execution: Malicious code was downloaded from a trusted URL (GitHub) directly into memory using PowerShell to bypass standard disk-based scanning.
  • Detection Interface Bypassing: The attackers implemented patches to bypass both AMSI (Anti-Malware Scan Interface) and ETW (Event Tracing for Windows) to prevent event logging.
  • Stealthy C&C Communication: DNS tunneling was utilized for Command and Control communication, allowing the server to gain total control over the host without triggering antivirus alerts.
  • Internal vs. External Visibility: While Microsoft Defender showed no signs of infection, the Lumu platform detected 255 records and specific subdomain anomalies in real time.
  • Post-Exploitation Access: The successful evasion allowed the attackers to access the victim’s desktop, view the task list, and potentially exfiltrate data or install further malware.
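The subdomain anomaly that Lumu flagged is also a pattern defenders can test for in their own resolver logs. The following is an added example, not Lumu's code and not part of the training: it groups a constructed DNS query log by parent domain and flags domains whose leading labels look like encoded data (many distinct subdomains, long labels, high character entropy). The log format, the domain names and the thresholds are assumptions.

```python
"""Added example (not Lumu's code): flag DNS-tunneling-style query patterns
in a constructed DNS query log. Log format, domains and thresholds are assumed."""
import math
from collections import defaultdict

# Constructed sample log: "<time> <client-ip> <qname>"; tunnel-example.net is made up.
SAMPLE_LOG = """\
10:00:01 172.16.166.132 www.example.com
10:00:02 172.16.166.132 2f4a9c0b1e7d.t.tunnel-example.net
10:00:02 172.16.166.132 9b0c3d8e1f6a7b2c.t.tunnel-example.net
10:00:03 172.16.166.132 e7a1c44d0b9f88a3e2.t.tunnel-example.net
10:00:03 172.16.166.132 mail.example.com
10:00:04 172.16.166.132 11aa22bb33cc44dd55ee.t.tunnel-example.net
10:00:05 172.16.166.132 ffee00ddcc11aa99bb88.t.tunnel-example.net
10:00:05 172.16.166.132 cdn.example.com
"""

def parent_domain(qname: str, levels: int = 2) -> str:
    """Registrable-domain approximation: the last `levels` labels (no PSL lookup)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-levels:])

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores higher than human-chosen hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def find_tunnel_candidates(log_text, min_unique=4, min_entropy=3.0, min_label_len=12):
    """Return {parent_domain: stats} for domains whose leading labels look encoded."""
    by_domain = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        qname = parts[2].lower().rstrip(".")
        by_domain[parent_domain(qname)].add(qname)
    flagged = {}
    for domain, names in by_domain.items():
        # Leading (leftmost) label of each distinct subdomain, bare-domain queries excluded
        leading = [n[: -len(domain) - 1].split(".")[0] for n in names if n != domain]
        if len(leading) < min_unique:
            continue  # too few distinct subdomains to judge
        avg_len = sum(map(len, leading)) / len(leading)
        avg_ent = sum(map(shannon_entropy, leading)) / len(leading)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[domain] = {"unique_subdomains": len(leading),
                               "avg_label_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2)}
    return flagged
```

Tune the thresholds against your own baseline, since CDNs and some legitimate SaaS domains also emit long, high-entropy labels.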
