
Commit

Quartz sync: Jul 23, 2024, 2:54 AM
opfuchs committed Jul 23, 2024
1 parent b6d1c16 commit b526ab0
Showing 1 changed file with 1 addition and 1 deletion.
Expand Up @@ -10,7 +10,7 @@ To understand how modern EDR works it's useful to compare it to traditional anti

Concerning 1, the classic static signatures used by AV are/were i) file hashes ii) filenames and iii) strings, and you'd scan files to match these against a database of known-bad examples, the signature database. Then, you would have the AV automatically take action on that file if a match was found - that's 2. Later, when code-signing was introduced, iv) signature checks were added, but this follows the same fundamental logic.

While of course it is good that we do these checks (and we still do), a serious problem is that they are trivial to bypass. To bypass filename checking, we just need to rename our malware. To bypass hash matching, we can literally change one (1) byte in our executable. And to bypass string checking, we just have to strip the binary. Signing the malware is harder, but not *that* much harder. Furthermore, there is the fundamental problem that this approach can't really look for malicious use of legitimate functionality (bearing in mind from the introduction that this distinction is itself something we impose and not technologically fundamental).
While of course it is good that we do these checks (and we still do), a serious problem is that they are trivial to bypass. To bypass filename checking, we just need to rename our malware. To bypass hash matching, we can literally change one (1) byte in our executable. And to bypass string checking, we just have to strip the binary. Signing the malware is harder, but not *that* much harder. Furthermore, there is the fundamental problem that this approach can't really look for malicious use of legitimate functionality (bearing in mind from the introduction that this distinction is itself relative and not technologically intrinsic).

It might therefore make more sense to look for underlying malicious behaviors. For example, even if we can evade the hash-matching by just changing a byte in the binary, my underlying malicious code likely does something such as creating certain files or loading certain libraries.
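Review bot: the replacement wording in the added line, "relative and not technologically intrinsic", drops the agent that the removed line's "something we impose" named, so the parenthetical no longer says who draws the malicious/legitimate distinction that the introduction is being referred back to; consider "a distinction we draw ourselves and not one that is technologically intrinsic" to keep that reference precise. In the trailing context line, "even if we can evade ... my underlying malicious code" mixes first-person plural and singular; "our underlying malicious code" would match the rest of the paragraph.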

