I'm on an engagement where the client is using a high-end Endpoint Detection and Response (EDR) system. Every time I try to run basic PowerShell scripts or Mimikatz, I get flagged and blocked immediately. What are the current trending techniques for obfuscation or "Living off the Land" that ethical hackers are using to stay stealthy?
3 answers
Modern EDRs are very sensitive to "noisy" tools. To stay stealthy, you should pivot toward "Living off the Land Binaries, Scripts and Libraries" (LOLBAS). Instead of uploading external tools, use built-in Windows features to execute your tasks. For credential harvesting, avoid Mimikatz and try dumping the LSASS process memory using a legitimate tool like ProcDump from Sysinternals, then analyze the dump offline on your own machine. For script execution, look into obfuscation frameworks like Chameleon for PowerShell. The key is to minimize disk writes and keep as much of your activity in memory as possible to avoid triggering behavioral alerts.
While ProcDump is a great suggestion, don't many modern EDRs now monitor for any handle being opened to the LSASS process, regardless of whether the tool is "legitimate" or not?
Don't forget about simple DLL side-loading. It’s an older technique but still works surprisingly well against some mid-tier EDR solutions if you use a trusted executable.
I’ve seen DLL side-loading work wonders recently. It’s all about finding that one trusted application that the EDR ignores, which allows you to load your malicious payload into a safe process.
ou're right, Kenneth. Advanced EDRs will flag any suspicious access to LSASS. That’s why many red teamers are now moving toward using direct system calls (Syscalls) in C++ to bypass the Windows API hooks that EDRs monitor. It’s a higher barrier to entry in terms of coding skill, but it is currently one of the most effective ways to remain undetected in a hardened environment.