Quartz sync: Jul 23, 2024, 2:55 AM
opfuchs committed Jul 23, 2024
1 parent b526ab0 commit 1fd8863
Showing 1 changed file with 3 additions and 3 deletions.
Expand Up @@ -12,11 +12,11 @@ Concerning 1, the classic static signatures used by AV are/were i) file hashes i

While of course it is good that we do these checks (and we still do), a serious problem is that they are trivial to bypass. To bypass filename checking, we just need to rename our malware. To bypass hash matching, we can literally change one (1) byte in our executable. And to bypass string checking, we just have to strip the binary. Signing the malware is harder, but not *that* much harder. Furthermore, there is the fundamental problem that this approach can't really look for malicious use of legitimate functionality (bearing in mind from the introduction that this distinction is itself relative and not technologically intrinsic).

It might therefore make more sense to look for underlying malicious behaviors. For example, even if we can evade the hash-matching by just changing a byte in the binary, my underlying malicious code likely does something such as creating certain files or loading certain libraries.
It might therefore make more sense to look for underlying malicious behaviors. For example, even if we can evade the hash-matching by just changing a byte in the binary, our underlying malicious code likely does something such as creating certain files or loading certain libraries.

It would be nice if I could therefore look for *dynamic* behavioral patterns rather than *static* artifacts, and this is the first way the antimalware we call EDR differs from traditional AV.
It would be nice if we could therefore look for *dynamic* behavioral patterns rather than *static* artifacts, and this is the first way the antimalware we call EDR differs from traditional AV.

The second major difference is then what we do with that information. If we're relying on static signatures, it's largely unproblematic to rely on automatic blocking behavior. I see bad hash, I block. However, dynamic behavioral heuristics are inherently a lot more uncertain - the use of a given syscall for example might *often* be malicious, but not necessarily. Therefore, the emphasis is less on automatic blocking via on-host mechanisms and more on using the information to enable a variety of further actions. This might still be automatic blocking, but it also might be (and often is) something like alerting a human analyst working at a Security Operations Center (SOC) to look into things further.
The second major difference is then what we do with that information. If we're relying on static signatures, it's largely unproblematic to rely on automatic blocking behavior. we see bad hash, we block. However, dynamic behavioral heuristics are inherently a lot more uncertain - the use of a given syscall for example might *often* be malicious, but not necessarily. Therefore, the emphasis is less on automatic blocking via on-host mechanisms and more on using the information to enable a variety of further actions. This might still be automatic blocking, but it also might be (and often is) something like alerting a human analyst working at a Security Operations Center (SOC) to look into things further.

In sum then, in contrast to traditional AV, EDR is characterized by
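Review bot: the rewritten line "we see bad hash, we block." drops the sentence-initial capital that the original "I see bad hash, I block." had; since it follows a full stop, it should read "We see bad hash, we block." The other replacements in this hunk (my → our, I → we) consistently move the first-person singular to plural, which matches the unchanged context line "we just need to rename our malware", so the capitalization is the only remaining inconsistency.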

