Weakness in EDR Tools

I'm trying to look into this a bit. A few initial impressions:

• It looks like malicious code would first have to run on your machine to exploit this; Intercept X has a lot of protections against that happening.
• Intercept X, particularly the anti-exploit technology that came from the HitmanPro.Alert product, has some protections in place to protect against its own service being bypassed in this way; not sure whether/how it could apply to EDR.
• I think some parts of our EDR make use of Windows Event Tracing, which Optiv specifically calls out as not being subject to this attack vector.

If I learn anything more, I'll update here. Meanwhile, I wouldn't lose sleep over this. It's difficult to take advantage of, it wouldn't circumvent our core protections, and we're always looking to further harden our products against potential attack vectors.

I'm trying to look into this a bit. A few initial impressions:

• It looks like malicious code would first have to run on your machine to exploit this; Intercept X has a lot of protections against that happening.
• Intercept X, particularly the anti-exploit technology that came from the HitmanPro.Alert product, has some protections in place to protect against its own service being bypassed in this way; not sure whether/how it could apply to EDR.
• I think some parts of our EDR make use of Windows Event Tracing, which Optiv specifically calls out as not being subject to this attack vector.

If I learn anything more, I'll update here. Meanwhile, I wouldn't lose sleep over this. It's difficult to take advantage of, it wouldn't circumvent our core protections, and we're always looking to further harden our products against potential attack vectors.

As it turns out, we don't use user-mode application hooking for EDR.