Defeating EDRs with Office Products | Optiv

submitted by
Style Pass
2022-01-12 20:30:05

Removing an EDR's hooks from a process is not a foreign concept these days; it has become a common technique deployed by adversaries to remain undetected while circumventing anti-malware controls. Defenders have tried to combat these attacks but ultimately fall short, as most of the effort rests on ensuring that malicious executables can't run on endpoints (typically through whitelisting or other access control lists). This approach, combined with intensive logging, is often deployed to detect these attacks, prevent any further actions, and stop the attack chain.

Unfortunately, adversaries are constantly adapting to defensive controls by inventing novel approaches to perform these techniques. As EDR products started augmenting their detection controls with Event Tracing for Windows (ETW), adversaries started tampering with these functions to prevent ETW events from being generated. When it comes to circumventing access controls, adversaries often rely on trusted applications or fileless attacks. These types of attacks are harder to stop or detect because they use legitimate applications to execute malicious actions.

This article will cover topics like the effectiveness of fileless attacks, including their use cases. We'll also discuss Ivy, a new payload creation framework that utilizes Microsoft's Office VBA environment to programmatically unhook EDRs from processes. The framework then loads, decrypts and executes shellcode while remaining undetected by standard signature-based rules for Visual Basic for Applications (VBA) macro attacks. Ivy's techniques are all fileless attacks that rely on VBA code (like typical Office macro payloads); however, they are not hampered by the deployment of the security control "Disable Macro Functions" built into Office products. Throughout this article, we'll discuss the inner workings of the techniques in detail, as well as what defenders can do to help detect these types of attacks inside their networks.