EDR Evasion Fundamentals: Understanding Detection

As a penetration tester, one of the most common questions I receive from organizations is how attackers manage to bypass their endpoint detection and response solutions. The answer lies in understanding how EDR products actually work under the hood. When defenders grasp the mechanics of detection, they can anticipate evasion strategies and build more resilient security architectures. This post maps primarily to MITRE ATT&CK Tactic TA0005 (Defense Evasion) and covers the foundational concepts every blue team member should understand.

EDR Detection Methods

Modern EDR solutions rely on multiple layers of detection working in concert. No single method is sufficient on its own, and understanding each layer helps defenders identify where gaps may exist in their coverage.

• Signature-based detection - The oldest and most straightforward method. EDR vendors maintain databases of known malware hashes, byte sequences, and YARA rules. While easy to evade with minor modifications, signatures remain valuable for catching commodity malware and known tools. Defenders should ensure signature databases are updated frequently and supplement them with custom YARA rules tailored to threats relevant to their environment.
• Behavioral analysis - Rather than looking at what a file is, behavioral detection examines what a process does. This includes monitoring for suspicious activity patterns such as a Word document spawning PowerShell, or a process attempting to access LSASS memory. Behavioral rules are harder to evade because attackers must change their methodology, not just their tooling.
• Memory scanning - EDR products periodically scan process memory for indicators of injected code, shellcode patterns, or known malicious signatures loaded at runtime. This catches threats that exist only in memory and never touch disk. Defenders should verify that their EDR performs regular memory scans and not just on-access file scanning.
• API hooking and ETW telemetry - Many EDR solutions hook Windows API functions in user mode by injecting a DLL into every process, or leverage Event Tracing for Windows to monitor system calls. This provides deep visibility into process behavior. Understanding which APIs are monitored helps defenders recognize when telemetry sources may be tampered with.

What Triggers Detection

During penetration tests, I document exactly what triggers alerts so organizations can understand their detection boundaries. The most common triggers include the following indicators.

• Known tool signatures - Tools like Mimikatz, Cobalt Strike, and Metasploit have well-known signatures. Any unmodified use of these tools should be immediately detected by competent EDR solutions.
• Suspicious parent-child process relationships - Security products maintain models of normal process lineage. When excel.exe spawns cmd.exe which then launches powershell.exe, that chain is highly anomalous and should trigger an alert.
• Unusual API call patterns - Sequences such as VirtualAllocEx followed by WriteProcessMemory and CreateRemoteThread indicate classic process injection (T1055). EDR products monitor these call chains specifically.
• Memory anomalies - Executable code running from memory regions not backed by a file on disk, or regions with RWX (read-write-execute) permissions, are strong indicators of malicious activity.
• Network indicators - Beaconing patterns, connections to known-bad infrastructure, and unusual data transfer volumes can all trigger network-aware EDR detections.

Evasion Principles Attackers Use

Understanding evasion principles from the attacker perspective allows defenders to anticipate and prepare for sophisticated threats. These are the core strategies red teams and real adversaries employ.

• Avoiding known-bad signatures - Attackers modify tools to change their hash and byte patterns. Defenders should respond by focusing on behavioral detections rather than relying solely on signatures.
• Blending with normal behavior - Sophisticated attackers mimic legitimate system administration activity. Defenders need strong baselines of normal behavior to spot subtle deviations.
• Understanding detection rules - Attackers study EDR products to learn exactly what is monitored. Defenders should assume their detection logic is known and build defense-in-depth accordingly.
• Using legitimate tools (LOLBins) - Living Off the Land Binaries are signed Microsoft tools abused for malicious purposes (T1218). Since these binaries are trusted by default, detection must focus on anomalous usage patterns rather than the binary itself.

Detection and Defense Strategies

To build robust detection against evasion techniques, I recommend the following approach based on my experience testing hundreds of environments.

• Layer your telemetry sources - Do not rely solely on the EDR agent. Combine endpoint telemetry with Sysmon logs, Windows Event Logs, network detection, and cloud-based analytics. If one source is blinded, others provide coverage.
• Monitor for detection tampering - Alert on attempts to stop or unload EDR services, unload EDR kernel drivers, or modify EDR-related registry keys. These actions themselves are strong indicators of compromise.
• Implement canary detections - Deploy honeypot files, fake credentials, and canary tokens throughout your environment. These trip wires do not rely on behavioral analysis and catch attackers who have evaded other controls.
• Conduct regular purple team exercises - Work with your red team or penetration testers to validate that your EDR detects specific ATT&CK techniques. Document gaps and work with your vendor to improve coverage.
• Tune your EDR configuration - Many organizations run EDR in default configurations. Work with your vendor to enable advanced features such as memory scanning frequency, script block logging integration, and credential access monitoring.

Defensive Value of Evasion Knowledge

Understanding evasion is not about helping attackers. It is fundamentally about improving defense. When blue teams understand how their tools can be bypassed, they can proactively address weaknesses before real adversaries exploit them. Every penetration test I conduct includes detailed recommendations for improving detection coverage, and those recommendations are only possible because I understand both sides of the equation. Organizations that invest in understanding evasion techniques consistently build stronger, more resilient security programs. The key takeaway is that no single detection method is foolproof, and a layered defense strategy combining multiple telemetry sources provides the most robust protection against sophisticated adversaries.