SecTor 2025 | EDR Bypass Testing: A Systematic Approach to Validating Endpoint Defenses

Black Hat
Apr 20, 2026

Why It Matters

Understanding and mitigating EDR bypass techniques is essential for protecting critical infrastructure, as successful kernel‑level attacks can render traditional endpoint defenses ineffective.

Key Takeaways

  • EDRs have shifted from a peripheral telemetry source to a core incident response tool.
  • Attackers now target the EDR agent itself, mainly through kernel driver abuse.
  • Crossing from local admin to the kernel, a transition Windows does not treat as a hard security boundary, gives an attacker unrestricted access to EDR components.
  • Microsoft’s HVCI and WDAC driver blocklists aim to stop unsigned and known‑vulnerable drivers from loading.
  • The Surveyor tool maps an EDR’s attack surface so defenders can test it before attackers do.

Summary

The SecTor 2025 session introduced a systematic methodology for testing endpoint detection and response (EDR) defenses, emphasizing that modern attackers focus on bypassing these solutions outright rather than merely evading their detections. Jacob Gajek and Ryan Hasmatali from Canadian MDR provider eSentire traced the evolution from early skepticism of host‑based telemetry to today’s reality, where EDRs are central to incident reconstruction and real‑time containment.

Key insights highlighted the shift in attacker tactics: once EDRs proved effective, adversaries began targeting the agents themselves. Techniques such as "bring your own vulnerable driver" (BYOVD) and "living‑off‑the‑land" drivers (LOLDrivers) exploit the fact that local admin to kernel is not enforced as a security boundary: an administrator can load a legitimately signed but vulnerable driver, or misuse a driver already present, to gain kernel code execution and then disable, blind or hide from the EDR. The discussion also covered Windows process protection (PPL), tamper‑protection mechanisms, and Microsoft’s response via virtualization‑based security (VBS), hypervisor‑protected code integrity (HVCI), and the WDAC vulnerable driver blocklist.

The presenters used a Moneyball analogy, comparing high‑cost "EDR killers" to superstar players and proposing a cheaper, data‑driven approach. They unveiled "Surveyor," a Rust‑based user‑mode and C kernel‑mode tool that enumerates 13 telemetry categories to map an EDR’s attack surface, providing pre‑engagement reconnaissance akin to scouting undervalued talent.

Implications for security teams are clear: treating local admin rights as the last line of defense in front of the EDR is insufficient, because that privilege level already reaches the kernel. Organizations must enable VBS/HVCI, enforce strict driver signing and blocklist policies, and use tools like Surveyor to identify weak points before attackers do, thereby strengthening endpoint resilience against sophisticated bypass attempts.
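The three mitigations the summary calls out (VBS/HVCI, the vulnerable driver blocklist, and control over which drivers are loaded) can all be checked from an elevated PowerShell prompt. The script below is an added example for this page; it is not code from the eSentire talk or from Surveyor. It assumes the `Win32_DeviceGuard` WMI class value encodings and the `VulnerableDriverBlocklistEnable` registry value as Microsoft documents them, and the hash list it compares loaded drivers against is a constructed placeholder that you must replace with a real feed.

```powershell
# Added example, not part of the original session or the Surveyor tool.
# Read-only check of the EDR-protecting mitigations on the local Windows host.
# Run from an elevated prompt. Value encodings below are assumptions taken
# from Microsoft's documentation; confirm them for your build.

# 1. VBS / HVCI state from the DeviceGuard WMI class.
#    VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled not running, 2 = running
#    SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$vbsRunning  = $dg.VirtualizationBasedSecurityStatus -eq 2
$hvciRunning = $dg.SecurityServicesRunning -contains 2

# 2. Microsoft vulnerable driver blocklist (the WDAC blocklist discussed above).
#    Assumed registry switch on Windows 11 22H2 and later; absent means default.
$ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklistValue = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable `
                   -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
$blocklistOn = $blocklistValue -eq 1

# 3. Hash every running kernel driver and compare against a flat-file SHA-256 list.
#    CONSTRUCTED placeholder: replace with hashes from a feed you trust (for example
#    the SHA-256 column of the LOLDrivers dataset). Note that the WDAC block rules
#    XML carries Authenticode PE hashes, which will not match a flat file hash.
$knownBadSha256 = @(
    '0000000000000000000000000000000000000000000000000000000000000000'
)
$loadedDrivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$hits = foreach ($drv in $loadedDrivers) {
    # PathName may use NT-style prefixes; normalise to a Win32 path before hashing.
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
    if ($knownBadSha256 -contains $hash) {
        [pscustomobject]@{ Name = $drv.Name; Path = $path; Sha256 = $hash }
    }
}

[pscustomobject]@{
    VbsRunning             = $vbsRunning
    HvciRunning            = $hvciRunning
    VulnerableDriverBlock  = $blocklistOn
    RunningDrivers         = @($loadedDrivers).Count
    BlocklistedDriversLoaded = @($hits).Count
} | Format-List

$hits | Format-Table -AutoSize
```

A host where `HvciRunning` is false will load any signed driver, including the vulnerable ones BYOVD relies on, regardless of what the EDR does in user mode; a host where `VulnerableDriverBlock` is off has no kernel-side list stopping those known drivers. The driver enumeration is a point-in-time view and will not see a driver that was loaded, used to blind the EDR, and unloaded again, which is exactly why the summary argues for systematic bypass testing rather than one-off checks.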

Original Description

Endpoint Detection and Response (EDR) solutions have become a cornerstone of modern cybersecurity strategies. However, their very success has made them prime targets for attackers who now routinely incorporate EDR evasion and bypass techniques into their toolsets, as evidenced by recent cybercrime leaks. This escalating threat necessitates a shift from reactive defense to proactive, systematic validation of EDR capabilities.
This presentation will detail the comprehensive EDR bypass tracking and testing program developed and implemented at eSentire. We will explore the common EDR attack surfaces (user-mode components, kernel callbacks, tamper protections like PPL) and general bypass methodologies. The core of the talk will introduce our systematic approach, including the EDR Bypass Matrix—an internal framework for tracking techniques and test results across a group of supported EDR products. We will showcase our custom testing methodology, automation infrastructure (including a Sandbox Manager application), and provide concrete examples of bypasses, along with their variants and mitigation strategies. The session aims to equip attendees with insights into building robust EDR testing programs and fostering a more resilient security posture.
By:
Jacob Gajek | Principal Security Researcher, eSentire
Ryan Hasmatali | Software Developer, eSentire
Presentation Materials Available at:
