(DA01) (FIC) Wavestone - EDRSandBlast: a tool to identify and bypass EDR detection mechanisms

(DA01) (FIC) Wavestone - EDRSandBlast: a tool to identify and bypass EDR detection mechanisms

Wednesday, April 5, 2023 9:30 AM to 10:00 AM · 30 min. (Europe/Paris)
Hacking Lab
ATTACK DEMO

Information

EDRSandBlast is a "toolbox" implementing several techniques for bypassing EDR (Endpoint Detection & Response) supervision mechanisms in order to perform an unsupervised operation. To date, the tool allows to perform a memory dump of the LSASS process as well as the execution of a command interpreter. As a bonus, EDRSandBlast implements a bypass of the LSASS protection mechanism "RunAsPPL" as well as an in-memory alteration of "Credential Guard" by reactivating a historical component (wdigest). The tool was developed in the context of the writing of two MISC articles: MISC n°116 (July 2021): Overview of BDU supervision mechanisms. MISC n°118 (November 2021): BDU supervision bypass techniques.

WAVESTONEA3For over 20 years, Wavestone has been developing its expertise in cybersecurity and operational resilience with large organizations in all sectors. Our independence guarantees advice that is truly adapted to the client's context. Our offer covers all aspects of cybersecurity and operational resilience, from strategy to incident response, including the management of transformation programs. Key figures about us: •900 cyber experts •20 years’ experience in cybersecurity •4 continents covered (Asia, Europe, North Africa, North America) --- Depuis plus de 20 ans, Wavestone développe son expertise en cybersécurité et résilience opérationnelle auprès de grandes organisations de tous secteurs d'activité. Notre indépendance garantit des conseils véritablement adaptés au contexte client. Notre offre traite les besoins en cybersécurité et en résilience opérationnelle à 360°, de la stratégie à la réponse à incident, en passant par la conduite des programmes de transformation​. Quelques chiffres essentiels : •900 experts cyber •20 années d’expérience en cybersécurité •4 continents représentés (Amérique du Nord, Afrique du Nord, Asia, Europe)