
Black Hat 2024 Presentation Demonstrates EDR Evasion Techniques
The Black Hat 2024 presentation by Rex (CEO of Cominate) and Kong (founding security researcher) demonstrates how attackers can evade EDR (Endpoint Detection and Response) products by mutating their TTPs (Tactics, Techniques, and Procedures) so that what should be a high-severity alert is downgraded to low severity or suppressed entirely. The talk organizes the mutations around four principles: living off the land, footprint reduction, abstraction, and masquerading. Each was tested against popular EDR tools, including CrowdStrike, Microsoft Defender, and SentinelOne.

In the first scenario, an attacker exploits the Spring Cloud Function SpEL injection vulnerability (CVE-2022-22963) to compromise a Linux server, escapes the Docker container by abusing the cgroup release_agent mechanism, and exfiltrates data using Rust-based beacons and refactored exploit scripts. The second scenario targets Windows endpoints: an ISO file delivers a malicious LNK shortcut, an Electron app such as Slack is hijacked so that the attacker's code executes under a trusted application process and bypasses detection, and privileges are escalated through an unquoted service path.

The experiments showed that default EDR configurations often fail to detect the mutated attack chains; some tools raised only low-severity alerts, others none at all. The speakers argue that custom detection rules and AI-driven automation are needed to close the gaps in alert triage, since enterprises receive thousands of alerts per day, many of them false positives. The central point is that none of this required complex kernel-level tampering with the EDR: the evasion came from simple modifications to the execution chain.
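The talk's closing argument, that default rules must be supplemented with custom detections, is easiest to see by writing a few. The Python below is an added example, not code from the presentation or from any EDR vendor: it runs small rules over constructed sample telemetry that mirrors the two scenarios above. The event schema (plain dicts with `type`, `path`, `container`, `image`, `parent_image`, `cmdline`), the list of Electron apps and the list of shell children are assumptions standing in for whatever your EDR or SIEM exports. The cgroup rule keys on the file name rather than on `/sys/fs/cgroup`, because the widely used release_agent escape mounts a cgroup hierarchy under an arbitrary directory; the Electron rule's basename match is deliberately the kind of check that the masquerading principle defeats, and the comment says what to key on instead.

```python
"""Custom detection rules run over constructed sample telemetry.

Added example, not code from the Black Hat 2024 talk or from any EDR vendor.
The event schema is an assumption; map it onto your own telemetry.
"""
import re
from typing import Optional

# Assumed per-fleet lists: Electron apps present on endpoints, and children
# that a chat client has no business spawning.
ELECTRON_APPS = {"slack.exe", "teams.exe", "discord.exe", "code.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "rundll32.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Last path component, case-folded, for Windows or POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def rule_cgroup_release_agent(ev: dict) -> Optional[dict]:
    """A container process writes a cgroup v1 release_agent file.

    Keyed on the file name, not on /sys/fs/cgroup: the well-known escape
    PoC mounts a cgroup hierarchy under an arbitrary directory (e.g.
    /tmp/cgrp) and writes release_agent there, so a path-prefix rule is
    exactly the kind of check a trivial mutation sidesteps.
    """
    if ev.get("type") != "file_write" or not ev.get("container"):
        return None
    if basename(ev.get("path", "")) in {"release_agent", "notify_on_release"}:
        return {"rule": "container_cgroup_release_agent", "severity": "high"}
    return None


def rule_electron_spawns_shell(ev: dict) -> Optional[dict]:
    """An Electron desktop app spawns a shell or script host.

    Basename matching is simple and is fooled by renaming (masquerading);
    in production key on the code signer and PE OriginalFilename instead.
    """
    if ev.get("type") != "process_create":
        return None
    parent = basename(ev.get("parent_image", ""))
    child = basename(ev.get("image", ""))
    if parent in ELECTRON_APPS and child in SHELL_CHILDREN:
        return {"rule": "electron_app_spawns_shell", "severity": "high"}
    return None


def unquoted_service_path_candidates(image_path: str) -> list:
    """Binaries Windows would try before the real one when an unquoted
    service ImagePath contains spaces, i.e. the drop locations an attacker
    needs write access to for the unquoted-service-path escalation.
    Returns [] for quoted or space-free paths."""
    p = image_path.strip()
    if not p or p.startswith('"'):
        return []
    m = re.search(r"\.exe", p, re.IGNORECASE)  # drop arguments after the binary
    exe_part = p[: m.end()] if m else p
    return [exe_part[:i] + ".exe" for i, ch in enumerate(exe_part) if ch == " "]


RULES = [rule_cgroup_release_agent, rule_electron_spawns_shell]


def run_rules(events: list) -> list:
    """Apply every rule to every event; return the alerts raised, in order."""
    alerts = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append({"event": idx, **hit})
    return alerts


# Constructed sample telemetry, not captured from a real incident.
SAMPLE_EVENTS = [
    # release_agent written through a cgroup mount outside /sys/fs/cgroup
    {"type": "file_write", "container": "3f9a", "path": "/tmp/cgrp/x/release_agent"},
    # host-side write (no container id): not the escape pattern targeted here
    {"type": "file_write", "container": "", "path": "/sys/fs/cgroup/memory/release_agent"},
    # normal launch of the Electron app from the shell
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\u\AppData\Local\slack\app-4.39\slack.exe", "cmdline": "slack.exe"},
    # the hijacked Electron app spawning a shell
    {"type": "process_create", "parent_image": r"C:\Users\u\AppData\Local\slack\app-4.39\slack.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
    print(unquoted_service_path_candidates(r"C:\Program Files\Acme Agent\bin\agent.exe -service"))
```

`unquoted_service_path_candidates` is the audit side of the Windows escalation: feed it each service's ImagePath (from `Get-CimInstance Win32_Service` or the `Services` registry key) and then check whether a low-privileged user can write to any of the returned locations; an unquoted path with no writable prefix directory is noisy but not exploitable.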