
EDR evasion techniques used by ransomware
Ransomware gangs are employing increasingly advanced EDR evasion techniques to bypass the security controls implemented by companies, demonstrating how cyberattacks have evolved and the importance of active defense. The Cybersecurity and Infrastructure Security Agency (CISA) continually documents the tactics ransomware groups use most often to avoid detection by endpoint detection and response (EDR) systems, as part of its STOP RANSOMWARE initiative.
Based on the information published by CISA, we have created this top 10 list of EDR evasion techniques used by cybercriminals to bypass EDR protections, ordered from the most to the least common among different groups. Each tactic includes its MITRE ATT&CK ID so you can delve deeper into each technique and strengthen your asset security.
1. Disabling EDR or Antivirus
This sub-technique of Impair Defenses (T1562.001, Disable or Modify Tools) covers disabling or tampering with EDR and antivirus to evade detection and keep persistent access. Attackers use dedicated tools or scripts to switch off the system's security defenses.
https://attack.mitre.org/techniques/T1562/001/
2. Using PowerShell (LotL)
Living off the Land (LotL) with PowerShell (T1059.001) allows malicious commands to be executed using system tools already present, minimizing security system alerts.
https://attack.mitre.org/techniques/T1059/001/
3. Log Deletion
Deleting log files (T1070, Indicator Removal) hides malicious activity, complicating forensic analysis and reducing the chance that security alerting notices the attack.
https://attack.mitre.org/techniques/T1070/
4. Using Vulnerable Drivers (BYOVD)
The Bring Your Own Vulnerable Driver (BYOVD) technique (T1068) loads legitimate but vulnerable drivers and exploits them to evade detection and tamper with the system's security defenses.
https://attack.mitre.org/techniques/T1068/
5. Group Policy Modification
Modifying group policies (T1484.001) allows attackers to disable antivirus and other security controls across the domain by leveraging administrative configurations.
https://attack.mitre.org/techniques/T1484/001/
6. Remote Access with Stolen Credentials
Using valid stolen credentials (T1078) to access systems via SSH, RDP, or VPN lets attackers move laterally while appearing to be legitimate users, without triggering security alerts.
https://attack.mitre.org/techniques/T1078/
7. Windows Registry Modification
Modifying the Windows registry (T1112) disables critical antivirus and tamper protection functions, helping attackers maintain persistence in the system.
https://attack.mitre.org/techniques/T1112/
8. Firewall Modification
Modifying firewall settings (T1562.004) removes network restrictions, allowing attackers to reach and move across systems undetected.
https://attack.mitre.org/techniques/T1562/004/
9. Safe Mode Reboot
Rebooting the system in Safe Mode (T1562.009) allows attackers to disable many security tools that do not operate in this environment. This makes it easier to evade EDR and antivirus defenses and continue the attack undetected.
https://attack.mitre.org/techniques/T1562/009/
10. Network Scanning and Detection
Scanning the network and identifying the security software in use (T1016, System Network Configuration Discovery, and T1518.001, Security Software Discovery) lets attackers map the infrastructure and find weak points, tailoring the attack and evading defenses.
https://attack.mitre.org/techniques/T1016/
https://attack.mitre.org/techniques/T1518/001/
This top 10 list of EDR evasion techniques used by ransomware gangs demonstrates how cybercriminals leverage tools and system configurations to avoid detection and achieve their goals. From disabling antivirus to using stolen access and common commands, these EDR evasion techniques highlight the need for more comprehensive security strategies that not only rely on endpoint protection but also include network monitoring and rapid response to any suspicious activity.
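As an added defender-side example (not from the original article or from CISA): a small Python triage script that maps Windows Security and Sysmon event records to the ATT&CK IDs listed above and flags hosts where several of these evasion techniques appear together. The event records, host names and field names are constructed for illustration and assume Sysmon's usual CommandLine/TargetObject fields.

```python
import re

# Detection rules keyed to the ATT&CK IDs in the list above. Each rule is
# (technique, description, event id, pattern): event id 1102 is the Security
# log "audit log cleared" event; 1 and 13 are Sysmon process-create and
# registry-value-set events (field names assumed from Sysmon's schema).
RULES = [
    ("T1070", "Security event log cleared", 1102, None),
    ("T1070", "wevtutil used to clear a log", 1, re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("T1562.001", "Defender monitoring disabled", 1, re.compile(r"Set-MpPreference\b.*-Disable\w*Monitoring", re.I)),
    ("T1112", "Defender policy key set", 13, re.compile(r"\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware$", re.I)),
    ("T1562.009", "Boot config switched to safe mode", 1, re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("T1562.004", "Host firewall turned off", 1, re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("T1059.001", "Encoded PowerShell command", 1, re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s", re.I)),
]

def classify(event):
    """Return (technique, description) pairs matched by one normalised event."""
    field = event.get("CommandLine") or event.get("TargetObject") or ""
    return [(tech, desc) for tech, desc, eid, pat in RULES
            if event["EventID"] == eid and (pat is None or pat.search(field))]

def triage(events):
    """Map each host to the set of distinct evasion techniques seen on it."""
    per_host = {}
    for ev in events:
        for tech, _ in classify(ev):
            per_host.setdefault(ev["Host"], set()).add(tech)
    return per_host

def flag_hosts(events, threshold=3):
    """Hosts showing at least `threshold` distinct techniques: several items from
    the list chained on one machine is the pre-encryption pattern, so isolate first."""
    return sorted(h for h, techs in triage(events).items() if len(techs) >= threshold)

# Constructed sample telemetry (not real logs): one compromised workstation
# and one server with a single, possibly benign, firewall change.
SAMPLE_EVENTS = [
    {"Host": "WS01", "EventID": 1, "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"Host": "WS01", "EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"Host": "WS01", "EventID": 1, "CommandLine": "bcdedit.exe /set {default} safeboot minimal"},
    {"Host": "WS01", "EventID": 1102},
    {"Host": "FS02", "EventID": 1, "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"Host": "FS02", "EventID": 1, "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

A single hit (the firewall change on FS02) is worth a ticket; the chained hits on WS01 are what the list above describes and should drive isolation and incident response.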
Explore more resources on our website and YouTube channel, where you will find key tools and strategies to protect your business from cyber attacks. We look forward to sharing more exclusive and useful content with you!