Endpoint Security Evasion Techniques (2020–2025) – A Technical Deep Dive

Over the past five years, threat actors have aggressively developed new techniques to bypass, disable, or blind endpoint detection and response (EDR) and antivirus tools. Rather than relying solely on malware obfuscation, attackers are increasingly exploiting design flaws in security products and operating system features to neutralize defenses. In multiple high-profile cases between 2020 and 2025, ransomware gangs (e.g. Babuk, LockBit, BlackByte, AvosLocker) and APT actors (e.g. ToddyCat) leveraged tactics like installer abuse, vulnerable drivers, DLL hijacking, and service manipulation to undermine EDR/AV protections. These in-the-wild attacks demonstrate that simply running an EDR agent is not a panacea – if adversaries can turn the security software’s own functionality against itself, they can freely deploy ransomware or steal data once defenses are down.

Key points:

  • “Bring Your Own Installer” (BYOI) Abuse – Attackers found they could leverage legitimate security product installers/updaters to disable the product itself during an upgrade or reinstall process. For example, in an incident investigated in 2025, Babuk ransomware operators used SentinelOne’s own installer to bypass its tamper protection, leaving the endpoint unprotected for malware execution. This technique exploits a window of opportunity when the EDR agent intentionally stops itself to perform an update.

  • “Bring Your Own Vulnerable Driver” (BYOVD) Attacks – The use of legitimate but vulnerable drivers has become a widespread EDR-killer tactic. Ransomware groups developed or adopted tools that load old, signed drivers with known flaws to gain kernel-level privileges and terminate security processes. This method was observed across numerous Ransomware-as-a-Service (RaaS) operations (LockBit, BlackByte, Play, Medusa, BianLian, etc.), indicating significant investment in custom “EDR killer” malware.

  • DLL Hijacking & Side-Loading – Advanced attackers targeted insecure DLL loading paths or abused trusted binaries to inject malicious code and neutralize security tools. In a notable 2024 case, the ToddyCat APT exploited a DLL load vulnerability in ESET’s command-line scanner to load a malicious module inside the AV process, disabling its monitoring capabilities. Similarly, LockBit affiliates abused Windows Defender’s CLI (MpCmdRun.exe) to side-load a fake DLL and run Cobalt Strike payloads, bypassing normal EDR detection.

  • Service Abuse & Anti-Tampering Gaps – Attackers also abused OS features and weaknesses in security service protections. Ransomware like Snatch and AvosLocker rebooted systems into Safe Mode (where most security software is inactive) to evade endpoint protection. In 2023, researchers even discovered a logic flaw in CrowdStrike Falcon that allowed an attacker with sufficient privileges to suspend the EDR’s core processes, effectively disabling protection. These examples underscore how built-in maintenance or fail-safe modes can be manipulated to turn off security controls.

In the sections below, we dive into each category of evasion technique – BYOI, BYOVD, DLL Hijacking, and Service Abuse – explaining their technical mechanics, real-world cases, affected vendors, and countermeasures. We then provide comparative tables (techniques vs. vendors, timeline of emergence, and mitigations) and conclude with strategic recommendations for defenders to harden their endpoint security configurations.

Bring Your Own Installer (BYOI) – Abusing Installers to Disable EDR

“Bring Your Own Installer” refers to leveraging a security product’s own installation or upgrade process to disable it. Modern EDR/AV agents have self-protection: they cannot be easily killed or uninstalled without special authorization. However, during a legitimate upgrade or reinstall, the agent intentionally stops or removes the old service before installing an updated version. Attackers discovered that by manually initiating an install/upgrade and then interrupting it, they could halt the EDR service indefinitely without needing any uninstall password or exploit.

Technical mechanics – In practice, the attacker must have already gained privileged (Administrator) access on the endpoint. They then run the official EDR installer/updater (often an MSI or setup executable) for the same or a slightly older agent version. The installer will shut down the running EDR agent and service as a first step (assuming an upgrade is about to happen). At this point, protections are offline. The attacker then kills or aborts the installer process (e.g. msiexec.exe) at the critical moment, preventing the new agent from finishing installation. The result: the old agent is gone or inactive, and no new agent is running – the endpoint is left unprotected and “blind” in the EDR console. This is essentially a race condition, exploiting the EDR’s own update logic rather than any code vulnerability.

Real-world example – In early 2025, an incident response team at Aon’s Stroz Friedberg encountered this BYOI technique during a ransomware investigation. The attackers (affiliates of the Babuk ransomware group) had compromised a publicly exposed server and escalated to local admin. They executed the legitimate SentinelOne Windows installer on the host and then forcibly terminated the installation process mid-way. Logs showed that the SentinelOne agent was stopped and never restarted, causing the endpoint to appear “offline” in the management console. The attackers proceeded to deploy Babuk ransomware on the unprotected machine, which encrypted data without any EDR interference. This BYOI bypass was confirmed to work across multiple versions of the SentinelOne agent and did not require any third-party toolkit or malicious driver, making it stealthy and attractive to the attackers.

Vendor response – SentinelOne quickly responded by advising customers to enable an optional feature called “Online (Local) Authorization” for agent upgrades. This setting (disabled by default in many environments) forces any local upgrade/uninstall to be authorized through the cloud console, preventing unapproved installer runs. SentinelOne privately rolled out this guidance in January 2025 and even released a detection rule named “Potential BYOI Exploitation” to identify attempts at this technique. Once the Local Upgrade Authorization was enabled, Stroz Friedberg confirmed the bypass could no longer succeed. This case prompted SentinelOne to share details with other EDR vendors, highlighting that any endpoint security product with a similar local install/update mechanism could be at risk if not properly secured. (Notably, Palo Alto’s Cortex XDR confirmed it was not affected by this exact flaw, implying their agent’s upgrade process might differ or require cloud confirmation.)

Other instances – While the SentinelOne/Babuk case publicized the BYOI concept, researchers have noted that many EDR and AV solutions exhibit similar behavior during reinstall. For example, a security researcher demonstrated in 2025 that reinstalling products like Forcepoint One Endpoint would forcefully terminate their processes and leave them off if the install is aborted (an apparent design oversight). This suggests BYOI is a broader class of weakness: “Should running an installer really disable security?” was a pointed question raised to vendors. The takeaway is that installers/updaters must be designed with robust checks – e.g. requiring authentication, not allowing critical protection gaps – otherwise attackers with admin access can simply “reinstall to disable” virtually any security software.
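The BYOI sequence above (installer starts, agent service stops, installer is terminated, service never returns) can be correlated from ordinary process and service telemetry. The following is an added example, not SentinelOne’s detection rule or any vendor’s code; the service name EdrAgentSvc, the installer image names and all timestamps are constructed placeholders.

```python
"""Detect a possible Bring-Your-Own-Installer (BYOI) sequence in endpoint telemetry.

The sequence: an EDR installer/updater starts, the agent service stops (normal
for an upgrade), the installer process ends before it finishes, and the agent
service never comes back.  Added example code, not any vendor's detection
rule.  Service and installer names are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholders: the security agent's Windows service name and the
# images an agent installer/updater runs as.  Real names differ per product.
AGENT_SERVICES = {"EdrAgentSvc"}
INSTALLER_IMAGES = {"msiexec.exe", "edr_agent_installer.exe"}


@dataclass
class Event:
    ts: int                       # seconds on a constructed timeline
    kind: str                     # "proc_start" | "proc_end" | "svc_stop" | "svc_start"
    name: str                     # image basename for proc_*, service name for svc_*
    pid: int = 0
    exit_code: Optional[int] = None


def detect_byoi(events: List[Event], restart_window: int = 300) -> List[str]:
    """Return one finding per installer run that left the agent service down.

    restart_window: seconds after the service stop within which a genuine
    upgrade is expected to start the agent again.
    """
    events = sorted(events, key=lambda e: e.ts)
    findings: List[str] = []
    for i, start in enumerate(events):
        if start.kind != "proc_start" or start.name.lower() not in INSTALLER_IMAGES:
            continue
        later = events[i + 1:]
        # Step 1: the agent service stops after the installer launched.
        stop = next((e for e in later
                     if e.kind == "svc_stop" and e.name in AGENT_SERVICES), None)
        if stop is None:
            continue
        # Step 2: that same installer process ends after the stop.  A non-zero
        # exit code suggests it was terminated rather than completing.
        end = next((e for e in later
                    if e.kind == "proc_end" and e.pid == start.pid and e.ts >= stop.ts), None)
        if end is None:
            continue
        # Step 3: no matching service start inside the window -> protection gap.
        restarted = any(e.kind == "svc_start" and e.name == stop.name
                        and stop.ts <= e.ts <= stop.ts + restart_window
                        for e in later)
        if restarted:
            continue
        abnormal = end.exit_code not in (0, None)
        findings.append(
            f"possible BYOI: {start.name} (pid {start.pid}) started t={start.ts}, "
            f"{stop.name} stopped t={stop.ts}, installer exited t={end.ts}"
            + (f" with abnormal exit code {end.exit_code}" if abnormal else "")
            + f", service not restarted within {restart_window}s")
    return findings


# Constructed telemetry.  A healthy upgrade: service stops, comes back, installer exits 0.
SAMPLE_BENIGN = [
    Event(100, "proc_start", "msiexec.exe", pid=1234),
    Event(105, "svc_stop", "EdrAgentSvc"),
    Event(170, "svc_start", "EdrAgentSvc"),
    Event(180, "proc_end", "msiexec.exe", pid=1234, exit_code=0),
]
# The BYOI pattern: installer ends mid-install with a non-zero exit code, the
# service never restarts, then an unrelated binary runs on the unprotected host.
SAMPLE_ATTACK = [
    Event(100, "proc_start", "msiexec.exe", pid=4321),
    Event(105, "svc_stop", "EdrAgentSvc"),
    Event(110, "proc_end", "msiexec.exe", pid=4321, exit_code=1),
    Event(900, "proc_start", "payload.exe", pid=5000),
]

if __name__ == "__main__":
    print("benign:", detect_byoi(SAMPLE_BENIGN))
    for finding in detect_byoi(SAMPLE_ATTACK):
        print("attack:", finding)
```

The window value is a tuning knob: a legitimate upgrade that takes longer than restart_window produces a finding that a console check (agent back online) clears.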

Bring Your Own Vulnerable Driver (BYOVD) – Kernel-Mode EDR Killers

Bring Your Own Vulnerable Driver attacks involve weaponizing legitimate, signed drivers that contain known vulnerabilities in order to execute code in the Windows kernel and cripple security software. This technique has surged in popularity from 2020 onward, as attackers realized that running code in kernel context can bypass or terminate even “protected” EDR processes. By loading an outdated driver with a flaw (one that allows arbitrary kernel memory writes, process termination, or disabling of security mechanisms), malware can effectively disable or blind the EDR/AV without triggering its self-defense mechanisms – the driver is trusted by the OS due to a valid signature.

Technical mechanics – The attacker needs a vulnerable driver file (usually a .sys file from an older version of legitimate software) and the ability to load it on the victim machine. Often, they first drop the driver and a small loader service or use OS utilities (sc.exe) to install/start the driver. The vulnerable driver, once running with kernel privileges, is then exploited to perform malicious actions such as killing protected processes, removing kernel callbacks, or unloading security software drivers. Common targets are the processes of well-known EDR/antivirus services – by terminating or suspending those processes via kernel-mode access, the attacker neutralizes endpoint protections. Because the driver is signed, Windows will not block it by default (unless security features like Driver Signature Enforcement and blocklists are in place). This is essentially a way to turn the operating system against the security tools: the OS trusts the signed driver, which then can do anything at the highest privilege level.

Real-world cases – BYOVD has been observed across a wide range of ransomware families and threat actors:

  • In 2022, the BlackByte ransomware gang was found exploiting a vulnerable MSI Afterburner driver (RTCore64.sys) to disable EDR products. The driver (used for GPU overclocking) had a known flaw (CVE-2019-16098) that allowed arbitrary kernel memory modification. BlackByte leveraged it to target the kernel interfaces that EDR products rely on, effectively blinding security tools by attacking the OS protection mechanisms.

  • Around the same time, AvosLocker ransomware (noted by FBI/CISA in 2022–2023) abused a legitimate Avast Anti-Rootkit driver (aswArPot.sys) to disable antivirus software. The AvosLocker variant loaded this old Avast driver (which is vulnerable) to terminate security processes and even scanned for Log4j-vulnerable systems after neutralizing defenses. This was one of the first instances reported in the U.S. of ransomware using a third-party AV component for evasion.

  • By 2023, the use of custom or repurposed “EDR killer” tools became a standard tactic for many RaaS groups. Sophos X-Ops reported on a tool dubbed “AuKill” that appeared in at least three ransomware incidents in early 2023, used to sabotage the target’s EDR before deployment of payloads. AuKill abuses an outdated driver from Microsoft’s Process Explorer utility (PROCEXP.SYS) – an example of reusing a benign tool’s driver. In January and February 2023, attackers used AuKill to disable EDR and then executed Medusa Locker ransomware, and in another case just prior to a LockBit ransomware attack. Notably, this driver-based approach is the same as an open-source tool called Backstab that was published in mid-2021, indicating that threat actors are actively borrowing from or contributing to public proof-of-concepts.

  • A major campaign unveiled in 2024 involved a threat actor deploying an EDR killer tool at scale, later attributed to the nascent RansomHub ransomware gang. Check Point Research found that between mid-2024 and early 2025, over 2,500 variants of a vulnerable driver (the TrueSight anti-rootkit driver v2.0.2) were used in the wild to bypass EDR and facilitate malware installation. The attackers cleverly modified minor details in the driver file to generate unique hashes while keeping the signature valid, allowing them to evade hash-based detection. They also chose a version of TrueSight that was old enough to not be included in Microsoft’s driver blocklist (exploiting a policy loophole for drivers signed before July 2015). The campaign had a global reach, with about 75% of victims in China and others across Asia, and often delivered a Gh0st RAT payload after disabling security.

  • ESET’s investigation into RansomHub (corroborated by others like Halcyon) revealed the custom EDRKillShifter tool behind this campaign. EDRKillShifter uses the BYOVD technique to exploit vulnerable drivers (as seen with TrueSight.sys) and was offered through RansomHub’s affiliate program as a turnkey EDR killer. Interestingly, by late 2024 this tool spilled over to other gangs: the same EDRKillShifter was observed in Play, BianLian, and Medusa ransomware attacks, suggesting either collaboration or shared affiliates among these groups. This cross-group adoption underscores how effective BYOVD tools have become – even typically siloed ransomware operations are willing to share or buy the capability to “knock out” a wide range of EDR products.

Impact on vendors – BYOVD attacks generally target whatever EDR/AV is present on the victim system. The vulnerable driver can be instructed to terminate processes or services by name, so a single tool can attempt to kill dozens of different security products. In the RansomHub EDRKillShifter case, researchers noted it could disable “an enormous range of EDR tools”, from mainstream AV engines to top EDR suites. Once the kernel malware is active, it effectively bypasses user-mode protections like self-defense, process hooking, or code injection prevention – even protected processes (PPL) can be terminated or manipulated via the exploit. In short, no vendor is immune if the specific vulnerable driver isn’t blocked: as one report put it, “They can shut down your security tools – even those fancy EDR systems you paid top dollar for”. Vendors have had to react by maintaining blocklists of bad drivers and adding behavior detections for such attacks (discussed later in mitigations).

Mitigations by vendors – To combat BYOVD, security vendors and OS providers are employing multiple strategies. Microsoft maintains a Windows Vulnerable Driver Blocklist (used in Windows Defender Application Control and via features like HVCI) to prevent known bad drivers from loading. After the TrueSight.sys campaign was revealed, Microsoft updated this blocklist in December 2024 to include all discovered variants of that driver. EDR vendors like ESET classify tools used in these attacks as “potentially unsafe applications” and will detect or block vulnerable drivers being loaded. For instance, ESET’s rules can flag events such as a “Loaded Driver from Uncommon Location” or “Loaded Known Vulnerable Driver”, alerting defenders if malware tries to install an out-of-place driver on an endpoint. The key for defenders is to ensure these protective features (e.g. driver blocklists, advanced memory/behavior monitoring) are enabled, as BYOVD remains one of the most potent EDR evasion techniques to date.
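The three signals this section describes (a known-vulnerable driver name, a driver loaded from an uncommon location, and a signing date old enough to fall under the pre-July-2015 blocklist exemption) can be applied to driver-load telemetry without depending on file hashes, which the TrueSight campaign defeated by producing thousands of hash-unique copies. The block below is an added example, not Microsoft’s blocklist logic or ESET’s rules; the log lines, signing dates, signer names and the expected driver directory are constructed assumptions.

```python
"""Triage driver-load telemetry for Bring-Your-Own-Vulnerable-Driver (BYOVD) signs.

Added example code, not Microsoft's blocklist or ESET's rules.  Matching is by
file name, load path and signing date rather than hash, because the TrueSight
campaign shipped thousands of hash-unique copies of one driver.
"""
import re
from datetime import date
from typing import Dict, List

# Driver file names reported as abused in the wild in the incidents above.
KNOWN_VULNERABLE = {"rtcore64.sys", "aswarpot.sys", "procexp.sys", "truesight.sys"}
# Directories a driver is normally staged in (assumption; tune per environment,
# e.g. add vendor install directories that legitimately host drivers).
EXPECTED_DIRS = ("c:\\windows\\system32\\drivers\\",)
# Drivers signed in July 2015 or earlier may be exempt from the blocklist policy.
SIGNING_CUTOFF = date(2015, 8, 1)

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'key=value key="quoted value"' telemetry into a dict."""
    return {k: q or v for k, q, v in KV_RE.findall(line)}


def triage_driver_load(ev: Dict[str, str]) -> List[str]:
    """Return the reasons a single DriverLoad event deserves attention."""
    image = ev["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    reasons: List[str] = []
    if name in KNOWN_VULNERABLE:
        reasons.append("Loaded Known Vulnerable Driver")
    if not image.startswith(EXPECTED_DIRS):
        reasons.append("Loaded Driver from Uncommon Location")
    if date.fromisoformat(ev["signed"]) < SIGNING_CUTOFF:
        reasons.append("Signed before Aug 2015 (possible blocklist-policy exemption)")
    return reasons


def scan_driver_loads(lines: List[str]) -> Dict[str, List[str]]:
    """Map driver basename -> reasons for every DriverLoad line that has any."""
    flagged: Dict[str, List[str]] = {}
    for line in lines:
        if not line.startswith("DriverLoad "):
            continue
        ev = parse_event(line)
        reasons = triage_driver_load(ev)
        if reasons:
            flagged[ev["image"].lower().rsplit("\\", 1)[-1]] = reasons
    return flagged


# Constructed sample telemetry (paths, dates and signer names are made up).
SAMPLE_LOG = r"""
DriverLoad ts=2024-08-01T09:12:00 image="C:\Windows\System32\drivers\tcpip.sys" signer="Microsoft Windows" signed=2024-05-14
DriverLoad ts=2024-08-01T09:15:21 image="C:\Users\Public\truesight.sys" signer="ExampleVendor" signed=2015-02-10
DriverLoad ts=2024-08-01T09:16:02 image="C:\Windows\Temp\RTCore64.sys" signer="ExampleVendor" signed=2018-03-02
DriverLoad ts=2024-08-01T09:20:45 image="C:\Windows\System32\drivers\legitvendor.sys" signer="ExampleVendor" signed=2013-06-30
"""

if __name__ == "__main__":
    for drv, why in scan_driver_loads(SAMPLE_LOG.splitlines()).items():
        print(f"{drv}: {'; '.join(why)}")
```

A single old signing date (the last sample line) is a weak signal on its own; the name and location checks are what turn it into an alert worth paging on.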

DLL Hijacking and Side-Loading – Subverting Trust to Inject Malicious Code

Another class of EDR evasion involves DLL hijacking (a.k.a. DLL side-loading or proxying). In these attacks, adversaries take advantage of how applications load libraries, either by exploiting vulnerable search paths or by misusing a trusted signed binary to load a malicious DLL. The ultimate goal is to execute attacker code under the guise of a legitimate process, often with elevated privileges or within a security process itself, thereby evading detection or actively disrupting the security tool.

Mechanics – Windows applications often load DLLs by searching through a sequence of directories. If an application does not securely specify the path or if it looks in its “current directory” first, an attacker can plant a malicious DLL with the same name in a directory that gets loaded instead of the real one. This is classical DLL hijacking. Alternatively, some malware uses a signed, trusted binary (“LOLBin”) that is known to load a particular DLL – the attacker places their malicious DLL in the expected location so that when the signed EXE runs, it will inadvertently load the attacker’s code. The result is malicious code running inside a process that may be whitelisted or trusted by security controls.

ESET case – ToddyCat’s DLL Proxying: A prime example of DLL hijacking to target an AV itself was uncovered in 2024 involving the ToddyCat APT (an espionage group). Kaspersky reported that ToddyCat found a vulnerability in ESET’s command-line scanner (ecls.exe) where the program insecurely tried to load version.dll from its working directory before the system path. The attackers dropped a malicious DLL (named version.dll) alongside the ESET scanner binary. When ESET’s tool was executed (likely by the attackers themselves or via some scheduled task), it loaded the malicious DLL instead of the legitimate Windows version.dll. This gave the malware code (a payload dubbed “TCESB”) the same privileges and trust as the ESET scanner process. The TCESB DLL, once loaded in the context of ESET’s antivirus process, went on to modify kernel structures to disable security notifications – for example, turning off callbacks that report process creation or module loading events to security software. In essence, ToddyCat hijacked ESET’s own process to create a blind spot in which it could operate undetected. This was such a serious issue that it was assigned CVE-2024-11859, and ESET issued a patch in January 2025 to fix the DLL load behavior in their software.

LockBit case – Living off the Land: Ransomware actors have also used side-loading with Windows’ own security binaries. In mid-2022, SentinelOne researchers observed a LockBit affiliate abusing the Microsoft Defender command-line tool, MpCmdRun.exe. They paired this legitimate Defender executable with a fake DLL (MpClient.dll). When MpCmdRun.exe was run (explicitly by the attacker), it decrypted and loaded the malicious DLL – in this case, the DLL contained shellcode to inject a Cobalt Strike Beacon into memory. The beauty of this method for the attacker is that Defender’s own binary was used to execute malicious code, likely bypassing certain application control or heuristic checks, since a Microsoft-signed binary was performing the action. From the EDR’s point of view, it might look like Windows Defender’s service was doing some routine work, whereas in reality it had been hijacked to launch the attacker’s implant.

Other instances – DLL side-loading is a long-standing technique especially common among state-sponsored groups. While not all instances directly disable EDR, they help malware to blend into trusted processes. For example, other ransomware families have side-loaded rogue DLLs via tools like VMware utilities, Microsoft Sysinternals tools, or outdated software installers as a way to bypass behavior monitoring. The key distinction in the EDR bypass context is whether the side-loading is used to impair the security tool or simply to stealthily run malware. In the ESET/ToddyCat case, it was explicitly to impair ESET’s protection. In many other cases (LockBit’s included), side-loading is used more to evade detection (running code in a trusted host process) rather than to outright kill the EDR. However, both goals are related – by running inside a trusted process, the malicious code can often avoid scrutiny or operate in an environment where the EDR’s hooks are ineffective, thereby effectively bypassing the endpoint defense.

Mitigations – Preventing DLL hijacking requires both vendor action and defensive monitoring. Software vendors must ensure their applications don’t load insecure DLL paths (e.g., always load system DLLs from system directories or use safe functions). In the ToddyCat incident, ESET’s prompt patch closed the hole by changing how ecls.exe loads version.dll. From the defender side, enabling features like Microsoft’s Attack Surface Reduction (ASR) rules can block or flag unusual side-loading (for instance, Microsoft Defender has rules to prevent unsigned DLLs from loading into sensitive processes). EDR solutions themselves can monitor for known side-loading patterns – e.g., a signed tool loading an unexpected DLL from a temp folder. In practice, defenders should watch for legitimate processes being launched from abnormal directories or alongside unexpected DLL files, as this often indicates a side-load setup. In our LockBit example, seeing MpCmdRun.exe execute from an atypical path or spawning network connections could be a clue to a side-loading attack.
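The monitoring advice above (a signed tool running from an abnormal directory, or loading a DLL whose genuine copy lives elsewhere) can be expressed over image-load telemetry, covering both the ecls.exe/version.dll and MpCmdRun.exe/MpClient.dll cases. This is an added example, not ESET’s, Microsoft’s or any EDR’s detection logic; the expected install directories and all log lines are assumptions constructed for the example.

```python
"""Flag DLL side-loading patterns in image-load telemetry.

Added example code, not any vendor's detection logic.  Two cases from the text:
a Windows DLL (version.dll) or a product DLL (MpClient.dll) loaded from a
directory other than where the genuine copy lives, and the signed host
executable itself running from an atypical path.  Expected directories are
assumed for the example; the log lines are constructed.
"""
import re
from typing import Dict, List, Tuple

# Where the genuine DLL normally lives (assumed for this example).
EXPECTED_DLL_DIRS = {
    "version.dll": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "mpclient.dll": ("c:\\program files\\windows defender\\",
                     "c:\\programdata\\microsoft\\windows defender\\platform\\"),
}
# Where the signed host executable is normally installed (assumed).
EXPECTED_TOOL_DIRS = {
    "ecls.exe": ("c:\\program files\\eset\\",),
    "mpcmdrun.exe": ("c:\\program files\\windows defender\\",
                     "c:\\programdata\\microsoft\\windows defender\\platform\\"),
}
# Locations a standard user (or a freshly landed implant) can write to.
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'key="value" key=value' telemetry into a dict."""
    return {k: q or v for k, q, v in KV_RE.findall(line)}


def split_path(path: str) -> Tuple[str, str]:
    """Lower-case a Windows path and split it into (directory with trailing \\, basename)."""
    directory, _, basename = path.lower().rpartition("\\")
    return directory + "\\", basename


def triage_image_load(ev: Dict[str, str]) -> List[str]:
    """Return the reasons one ImageLoad event (process, dll) looks like a side-load."""
    proc_dir, proc_name = split_path(ev["process"])
    dll_dir, dll_name = split_path(ev["dll"])
    reasons: List[str] = []
    expected = EXPECTED_DLL_DIRS.get(dll_name)
    if expected and not dll_dir.startswith(expected):
        reasons.append(f"{dll_name} loaded from unexpected directory {dll_dir}")
    expected = EXPECTED_TOOL_DIRS.get(proc_name)
    if expected and not proc_dir.startswith(expected):
        reasons.append(f"{proc_name} running from atypical path {proc_dir}")
    # Classic side-load staging: the DLL sits next to a copied executable in a
    # directory the attacker could write to.
    if dll_dir == proc_dir and proc_dir.startswith(USER_WRITABLE):
        reasons.append("DLL staged beside the executable in a user-writable directory")
    return reasons


def scan_image_loads(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (process basename, reasons) for each suspicious ImageLoad line."""
    out: List[Tuple[str, List[str]]] = []
    for line in lines:
        if not line.startswith("ImageLoad "):
            continue
        ev = parse_event(line)
        reasons = triage_image_load(ev)
        if reasons:
            out.append((split_path(ev["process"])[1], reasons))
    return out


# Constructed sample telemetry: two normal loads and two side-load set-ups.
SAMPLE_LOG = r"""
ImageLoad process="C:\Program Files\ESET\ESET Security\ecls.exe" dll="C:\Windows\System32\version.dll"
ImageLoad process="C:\Users\Public\scan\ecls.exe" dll="C:\Users\Public\scan\version.dll"
ImageLoad process="C:\Users\Public\tools\MpCmdRun.exe" dll="C:\Users\Public\tools\MpClient.dll"
ImageLoad process="C:\Program Files\Windows Defender\MpCmdRun.exe" dll="C:\Program Files\Windows Defender\MpClient.dll"
"""

if __name__ == "__main__":
    for proc, why in scan_image_loads(SAMPLE_LOG.splitlines()):
        print(proc, "->", "; ".join(why))
```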

Service Abuse & Tampering – Abusing System Tools and Modes to Disable Protection

This category encompasses a variety of tricks where attackers manipulate the operating system or the security software’s service control mechanisms to turn off or evade EDR/AV, without necessarily exploiting code vulnerabilities. Some of these techniques date back years but have evolved or re-emerged in recent attacks.

Safe Mode (reboot abuse) – Many endpoint agents do not run in Windows Safe Mode (a diagnostic mode where only basic drivers load). Ransomware groups have capitalized on this by force-rebooting infected machines into Safe Mode to perform malicious actions without the security software running. The Snatch ransomware first popularized this approach around late 2019: it installed itself as a service with a command to reboot into Safe Mode, and added a registry “Run” key so that its process (the encryptor) would start in Safe Mode on boot. Once the system restarted in that minimal environment, Snatch began encryption of files while the anti-malware services were inactive, thereby bypassing protection. This technique continued to appear in subsequent years – for instance, in 2023 AvosLocker was observed using a similar Safe Mode encryption step. By doing this, the attackers negate agent self-defense (since the agent never starts) and can even tamper with or remove security software files in Safe Mode. The only constraint is that the attackers must have sufficient privileges to configure the auto-reboot and service, which by the later stages of an attack they often do.

Abusing OS tools (sc, net, etc.) – With administrative access, an attacker can attempt direct tampering: for example, using the Service Control Manager (sc.exe) or net stop commands to stop security services, or modifying the Windows Registry to prevent services from starting. Most modern EDRs have self-protection to block such actions – e.g., they require an uninstall password or detect if their service is being tampered with – but these protections can sometimes be subverted. Some attackers use PowerShell scripts or WMI to try and disable security features (like turning off Microsoft Defender’s real-time monitoring via registry keys or the PowerShell Set-MpPreference cmdlets). In corporate environments, Microsoft Defender’s Tamper Protection (when enabled) will lock those settings, but not all organizations had this enabled by default in earlier years. Thus, we saw malware (and Cobalt Strike playbooks) that included steps to attempt Defender disabling. The success of these attempts varies, but the prevalence of such scripts shows that attackers probe for misconfigurations where protections might be turned off or weakened.

Exploiting agent vulnerabilities – Occasionally, the security agents themselves have bugs that attackers can exploit to disable them. The CrowdStrike Falcon case in 2023 is an illustrative example. Although details were not fully public, it was described as a logical flaw that allowed the suspension of Falcon’s processes. This suggests that if an attacker issued certain commands or manipulated the agent in a specific way (after gaining privileges), they could pause or crash the Falcon sensor. CrowdStrike presumably patched this quickly, but it highlights that even top-tier EDR platforms can have edge-case vulnerabilities that attackers will seize if disclosed. Another example is a 2022 vulnerability in Trend Micro Apex One that allowed local privilege escalation and could be leveraged to kill the product, though such cases are less common compared to the above techniques.

Living-off-the-land abuse – Beyond Safe Mode, attackers use legitimate administrative tools or modes of the OS to evade security. One such trick is using “System Repair” or Recovery Environments. For instance, an attacker might boot the machine into a Windows Recovery Environment or use tools like MSConfig to set a minimal boot, then encrypt files when the EDR is not loaded. Some ransomware (e.g., Black Basta in 2022) reportedly used strategies involving booting in a minimal state to bypass controls (similar in spirit to Safe Mode). Attackers have also misused hypervisors or VMs (RagnarLocker famously ran the ransomware inside a VirtualBox VM on the host in 2020 to evade host-based EDR). While that crosses into a different category (virtualization-based evasion), it shows the creativity in abusing system features to subvert security software.

Real-world impact – Service abuse techniques tend to be noisy (reboots, service stoppage commands, etc.), but when successful, they lead to complete defense bypass. In incidents where Safe Mode was used, organizations often found out only after the fact – the endpoint would drop offline from the EDR console, then come back but with all data encrypted. The Snatch attacks prompted warnings in late 2019/2020 about this tactic, and by 2023 AvosLocker’s use reaffirmed that it was still effective against many vendors. Essentially, any scenario where attackers can temporarily or permanently shut down the security agents is game over for that endpoint’s protection. It’s a stark reminder that anti-tampering features must be robust. If a product can be easily disabled via registry or service control by admin-level malware, then that malware will do exactly that (many post-exploitation kits will attempt it). The arms race here is between attacker knowledge of these “tricks” and vendor mitigations to prevent or detect them.

Mitigations – Defenders can take several steps to mitigate service abuse strategies. Enabling EDR/AV tamper-protection features is critical – for example, Microsoft Defender’s Tamper Protection (to block registry/service changes), or similar features in other EDRs that prevent unauthorized unloading. Some EDR products offer a “password required to boot in Safe Mode” or the ability to send an alert if an endpoint goes into Safe Mode unexpectedly. Where available, these should be enabled. Also, monitoring for sudden stopping of security services or drivers can detect an attack in progress – many EDR management consoles will flag if an agent stops communicating. From an IT policy perspective, restricting local administrator accounts and using credential tiering can make it harder for attackers to reach the point of attempting these actions. Ultimately, defenders should treat an unexpected security agent shutdown or a host going into Safe Mode as signs of potential compromise and respond immediately.
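The monitoring side of these mitigations (watching for Safe Mode boot configuration, services being registered to run in Safe Mode, security services being stopped or disabled, and Defender settings being switched off) reduces to a small set of command-line patterns. The block below is an added example, not any vendor’s rule set; the protected service name EdrAgentSvc and every sample command line are constructed, and the ATT&CK IDs are the public ones for Safe Mode Boot (T1562.009) and Disable or Modify Tools (T1562.001).

```python
"""Flag command lines that match the service-abuse patterns discussed above.

Added example code, not any vendor's rule set.  Covers Safe Mode boot
configuration and SafeBoot registry persistence (the Snatch/AvosLocker
pattern), stopping or disabling a security service with net/sc, and turning
off Defender protection via Set-MpPreference or registry policy.  The
protected service name and the sample command lines are constructed.
"""
import re
from typing import List, Tuple

# Constructed placeholder for the EDR agent's service, plus Defender's services.
PROTECTED_SERVICES = {"edragentsvc", "windefend", "sense"}

RULES = [
    ("Safe Mode boot configured via bcdedit (T1562.009)",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I)),
    ("Service registered to start in Safe Mode (SafeBoot registry key)",
     re.compile(r"\\SafeBoot\\(?:Minimal|Network)\\", re.I)),
    ("Defender protection disabled via Set-MpPreference (T1562.001)",
     re.compile(r"\bSet-MpPreference\b.*-Disable\w*\s+\$?true\b", re.I)),
    ("Defender disabled via registry policy (T1562.001)",
     re.compile(r"Windows Defender.*\bDisable(?:AntiSpyware|RealtimeMonitoring)\b", re.I)),
]
# net stop <svc> / sc stop|delete|config <svc>; the service name is group 1.
SERVICE_RE = re.compile(
    r"\b(?:net(?:\.exe)?\s+stop|sc(?:\.exe)?\s+(?:stop|delete|config))\s+\"?([^\s\"]+)", re.I)


def triage_command(cmd: str) -> List[str]:
    """Return the names of the rules a single command line matches."""
    hits = [name for name, rx in RULES if rx.search(cmd)]
    m = SERVICE_RE.search(cmd)
    if m and m.group(1).lower() in PROTECTED_SERVICES:
        hits.append(f"security service {m.group(1)} stopped/disabled (T1562.001)")
    return hits


def scan_commands(cmds: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (command line, hits) for every command that matched at least one rule."""
    flagged: List[Tuple[str, List[str]]] = []
    for cmd in cmds:
        hits = triage_command(cmd)
        if hits:
            flagged.append((cmd, hits))
    return flagged


# Constructed command lines: routine administration first, then the patterns
# from the incidents above.  Service names are placeholders.
SAMPLE_COMMANDS = [
    r"net stop Spooler",
    r"bcdedit /enum",
    r"sc query EdrAgentSvc",
    r"cmd.exe /c bcdedit /set {current} safeboot minimal",
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UpdaterSvc" /ve /d Service /f',
    r"net stop EdrAgentSvc",
    r"sc config EdrAgentSvc start= disabled",
    r'powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
]

if __name__ == "__main__":
    for cmd, hits in scan_commands(SAMPLE_COMMANDS):
        print(f"{cmd}\n    -> {'; '.join(hits)}")
```

With Tamper Protection or the EDR’s own self-defense enabled, most of these commands fail, but the attempt itself is the signal worth alerting on.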


The following sections provide comparative summaries in table form, consolidating how these evasion techniques map to different vendors, the timeline of their emergence, and the mitigation approaches that can counter them.

Techniques vs. Affected Vendors (2020–2025)

The table below summarizes each evasion technique category with examples of security vendors or products that were affected or targeted. This illustrates that no vendor is completely immune – the techniques are often broadly applicable unless specific safeguards are in place.

Evasion Technique: Affected Endpoint Security Vendors (Examples)

  • BYOI – Installer Abuse: SentinelOne: agent upgrade process exploited (Babuk ransomware, 2025); SentinelOne issued a fix via the “Online Authorization” feature. Also potentially: other EDRs with local installers (e.g. researchers showed Forcepoint and others could be similarly bypassed by reinstall). This is a design issue that could affect any vendor not requiring authorization for reinstalls.

  • BYOVD – Vulnerable Drivers: Multiple vendors: BYOVD tools terminate processes of all major EDR/AV vendors if present. For example, Sophos, CrowdStrike, SentinelOne, Carbon Black, Microsoft Defender, etc., have all been targeted by driver-based EDR “killers”. BlackByte (2022): bypassed EDRs by abusing MSI Afterburner’s driver (CVE-2019-16098). RansomHub EDRKillShifter (2024): used a vulnerable driver to kill dozens of EDR/AV processes (observed killing SentinelOne, Microsoft, Trend Micro, etc., among others). LockBit/Medusa (2023): used the Process Explorer driver to disable EDR (affected whichever EDR was on the victim, with reported cases involving different EDRs).

  • DLL Hijacking / Side-Loading: ESET: a vulnerability in ESET’s command-line scanner allowed a DLL hijack (ToddyCat APT, 2024) – a malicious DLL was loaded into the ESET process to disable it; patched by ESET (CVE-2024-11859). Microsoft Defender: a LockBit ransomware affiliate abused Defender’s MpCmdRun.exe to side-load a malicious DLL, enabling malware execution under a Microsoft-signed process. Others: many vendors’ products (and other trusted software) have been used for DLL side-loading by attackers (e.g. Trend Micro, Kaspersky, Sophos – via their updaters or ancillary tools, in various APT cases). The technique is not vendor-specific: it exploits how Windows loads DLLs and trusts signed binaries.

  • Service Abuse & Tampering: CrowdStrike: a Falcon EDR agent vulnerability (disclosed 2023) allowed attackers to suspend/disable the sensor via a flaw in the service, undermining protection; patched by CrowdStrike upon discovery. All EDRs (Safe Mode): any EDR will be ineffective in Safe Mode unless specifically designed otherwise. Ransomware like Snatch (2020) and AvosLocker (2023) abused this by rebooting machines into Safe Mode to encrypt files while Sophos, Defender, etc., were inactive. This impacts all vendors who rely on normal-mode drivers. Microsoft Defender: attackers often attempt to use PowerShell or registry tweaks to turn off Defender’s real-time protection (if Tamper Protection is off). Without Tamper Protection, local admin malware can disable Defender via OS settings (seen in many malware playbooks 2020–2022). Microsoft’s Tamper Protection (on by default in enterprise since late 2019) mitigates this, but not all orgs had it enabled initially. Sophos EDR: like others, if malware attains admin rights, it could try to unload or kill Sophos services. Sophos has strong self-defense, but incidents like ransomware “kill lists” include Sophos processes to terminate (no known public exploit, but e.g. LockBit’s built-in process killer lists SophosSAVService.exe, etc.). In general, service-stop attempts hit all major vendors; success depends on each product’s tamper protection strength.

Timeline of Evasion Techniques Emergence (2020–2025)

This timeline highlights when major evasion techniques or campaigns were first observed and how they evolved between 2020 and 2025:

Each entry gives the timeframe, the technique or notable incident and its category, followed by details and impact.

  • Late 2019 – 2020 – Safe Mode Ransomware (Snatch) – Service Abuse. Snatch ransomware reboots Windows into Safe Mode to encrypt files without EDR/AV running [news.sophos.com]. First seen in October 2019 and continued in 2020. It highlighted a design gap: most security tools do not load in Safe Mode, allowing malware free rein. Sophos reported this as a novel technique to bypass protection [news.sophos.com], prompting industry awareness.

  • 2021 – Open-Source EDR Killer (Backstab) – BYOVD. The Backstab tool was released (June 2021), demonstrating a BYOVD attack using Process Explorer’s driver [news.sophos.com]. It was one of the first publicly available EDR-killer PoCs, foreshadowing later ransomware adoption. Attackers began experimenting with driver-based kills, though in 2021 this was mostly seen in testing and red-team contexts.

  • 2022 (Jul) – LockBit Side-Loads Defender – DLL Side-Loading. A LockBit 3.0 affiliate was observed using Windows Defender’s MpCmdRun.exe to side-load a malicious DLL and decrypt a Cobalt Strike beacon [sentinelone.com] (incident reported July 2022). This abuse of a security tool as a loader signaled that threat actors were exploring living-off-the-land within security processes. It did not disable EDR directly, but it evaded detection by using a trusted binary.

  • 2022 (Q3) – BlackByte’s BYOVD Attack – BYOVD. BlackByte ransomware operators deployed a signed vulnerable driver (MSI Afterburner’s RTCore64.sys, exploiting CVE-2019-16098) during intrusions to disable EDR [techtarget.com]. This was one of the first high-profile ransomware BYOVD cases (Oct 2022) and was publicized by Sophos and the media. It showed that criminal groups had adopted BYOVD to target the kernel interfaces of EDR products [techtarget.com].

  • 2022 (Q4) – Ransomware EDR “Killers” Appear – BYOVD. Multiple ransomware groups started using custom-built or stolen drivers to kill EDR/AV processes. In late 2022, Sophos, Microsoft, Mandiant and others reported attackers using malicious drivers (some with stolen certificates) to bypass security [news.sophos.com]; a driver dubbed “POORTRY” (detected in a BlackCat incident) was among those noted. This wave led to vendor collaboration with Microsoft to revoke certificates and update blocklists.

  • 2023 (Jan–Feb) – AuKill in Ransomware Attacks – BYOVD. The AuKill malware (a BYOVD tool using an outdated Process Explorer driver) was used in at least three cases in early 2023, deploying Medusa Locker and LockBit ransomware after disabling the EDR [news.sophos.com]. This showed the commoditization of EDR killers, with affiliates of different RaaS franchises obtaining the same tool. Sophos published details in April 2023, emphasizing the rise of driver-based attacks [news.sophos.com].

  • 2023 (Mid) – CrowdStrike Falcon Vulnerability – Service Flaw. A vulnerability in CrowdStrike Falcon (disclosed mid-2023) allowed attackers with admin access to suspend or disrupt the Falcon sensor process. Although details were scarce (likely a bug rather than an intended design), it underscored that even leading EDRs have to patch logic flaws to maintain self-protection. CrowdStrike released fixes; no widespread abuse by malware was reported publicly, but PoCs may have existed.

  • 2023 (Late) – Safe Mode Redux (AvosLocker) – Service Abuse. FBI/CISA advisories in 2023 noted AvosLocker ransomware using the Safe Mode trick to disable security [attackiq.com]. This confirmed that newer ransomware strains were adopting the tactic pioneered by Snatch. By now multiple families (Snatch, BlackBasta, AvosLocker) have used some variation of rebooting to bypass EDR, indicating it remained a viable evasion method.

  • 2024 (Mid) – RansomHub’s EDRKillShifter Launch – BYOVD. The RansomHub gang introduced its custom EDR killer, EDRKillShifter, around May 2024 [welivesecurity.com]. Throughout 2024 the tool proliferated in attacks, and by August 2024 it was firmly associated with RansomHub operations [halcyon.ai]. Within weeks, affiliates began using it in other ransomware operations (Play, BianLian, etc.), indicating cross-pollination [halcyon.ai]. This period marked the peak of BYOVD tool usage in ransomware campaigns, with thousands of driver variants in play [research.checkpoint.com].

  • 2024 (Late) – ToddyCat ESET DLL Hijack – DLL Hijacking. In late 2024, Kaspersky discovered ToddyCat APT using a DLL hijack in ESET software to stealthily disable its protections [securelist.com]. ESET’s patch and advisory came out in January 2025 [securelist.com]. This was a rare instance of APT-style evasion hitting a security vendor directly via a vulnerability. It highlighted the need for vendors to audit their loading mechanisms.

  • 2025 (Q1) – SentinelOne BYOI (Babuk) – BYOI. The “Bring Your Own Installer” technique was publicly unveiled in early 2025 when Babuk ransomware actors bypassed SentinelOne EDR by abusing its installer [halcyon.ai]. Aon/Stroz Friedberg’s report (Jan 2025) and subsequent coverage (May 2025) detailed how the attackers exploited the upgrade process to drop the agent, then encrypted the system [bleepingcomputer.com, halcyon.ai]. SentinelOne’s response and the industry discussion around BYOI in 2025 represent the latest evolution of endpoint evasion tactics.

Mitigation Approaches and Defensive Measures

Finally, we compare the mitigation strategies relevant to each evasion category. These approaches combine vendor-side fixes, configuration hardening, and detection techniques that defenders should employ:

Each entry names the evasion technique, followed by the mitigation strategies that apply to it.

  • Installer Abuse (BYOI)
    – Harden EDR upgrade/uninstall: use solutions that offer centralized authorization for agent uninstall or upgrade (e.g., SentinelOne’s “Online Authorization” toggle) [halcyon.ai, bleepingcomputer.com]. Ensure this is enabled so that local reinstall attempts cannot proceed without approval.
    – Maintain anti-tamper controls: make sure the EDR’s self-protection/tamper prevention is fully enabled and updated; vendors should patch flaws in upgrade processes quickly. Administrators can also monitor for unexpected installer executions or for installer files of several versions appearing on endpoints (as seen in the Babuk case).

  • Vulnerable Drivers (BYOVD)
    – Driver blocklisting: enable Microsoft’s built-in Vulnerable Driver Blocklist (available via Windows Defender Application Control or the Core Isolation settings) to prevent known bad drivers from loading [research.checkpoint.com]. Keep this list updated (Microsoft updates it periodically for new threats).
    – EDR kernel-mode monitoring: use EDR solutions that can detect or block malicious driver behavior. For example, EDRs like ESET flag the loading of drivers from unusual locations or of known vulnerable drivers. This can stop attacks where new, unsigned drivers are introduced.
    – Least privilege and device control: limit administrative privileges on endpoints so that installing drivers is harder for attackers. Consider using Group Policy or device control software to prevent unapproved driver installation altogether.
    – Rapid patching of OS and drivers: ensure that legitimate drivers on systems are updated to patched versions. Many BYOVD attacks target drivers (e.g., old anti-cheat or overclocking tools) that may already be sitting on disk; remove or update those to eliminate the vulnerable versions.

  • DLL Hijacking / Side-Loading
    – Apply vendor patches: keep endpoint security software up to date. Vendors like ESET issued patches for DLL-loading vulnerabilities (e.g., CVE-2024-11859); applying these closes the door on known hijack opportunities [securelist.com].
    – Secure configuration: wherever possible, enable options like Protected Process Light (PPL) for EDR processes (many AV/EDR products run as PPL by default now, which can prevent unsigned code injection). Also consider Windows Defender’s ASR rules that block suspicious behaviors (there is a rule to prevent Office apps and others from creating child processes, which can mitigate some side-load scenarios).
    – Monitoring and hunting: watch for anomalous DLL loads. For instance, if a legitimate process loads a DLL from a Temp directory or a user profile path, that is a red flag. Use EDR telemetry to detect whether known LOLBins (e.g., rundll32.exe, regsvr32.exe, or even MpCmdRun.exe) are loading unusual modules [sentinelone.com]. Alert rules for these conditions can catch side-loading attempts early.

  • Service Abuse & Tampering
    – Enable tamper protection: this is critical. For example, ensure Microsoft Defender’s Tamper Protection is on (to block registry and service changes), along with similar features in other EDRs. This stops easy service shutdown or settings changes by malware.
    – Secure Boot/Safe Mode protections: if your EDR offers a feature to protect in Safe Mode or BIOS (few do), use it. At a minimum, set a BIOS/firmware password and enable BitLocker with a TPM; this can prevent attackers from booting into alternate modes or using bootloaders without credentials. (Not foolproof if the attacker already has admin rights on a running device, but it adds hurdles to cold reboots into other modes.)
    – Account and privilege controls: use least privilege for service accounts. Domain admins and IT admins should use separate accounts for day-to-day work; this helps prevent attackers from easily using high-privilege accounts to disable security.
    – Anomaly detection: configure alerts for when security services stop or unexpectedly enter a disabled state. EDR management consoles usually show agent status; integrate them with the SIEM to alert if an agent goes offline or is uninstalled from a host outside of maintenance windows. Also monitor for system reboots into Safe Mode (event logs can reveal whether the OS started in Safe Mode). Catching these events gives responders a chance to react before ransomware deployment is complete [news.sophos.com].
    – Incident response planning: develop an IR plan for “EDR disablement” scenarios. For instance, if an endpoint stops checking in, have a playbook to isolate that host at the network level. Assume that a lost agent could mean an active attack; quick containment can limit damage even if one node was temporarily blinded.

Defensive Recommendations for EDR Evasion

In light of these threats, security teams should adopt a multi-layered defense strategy. Below are strategic recommendations to bolster endpoint defenses against these evasion techniques:

  • Enable and Enforce Anti-Tamper Features: Turn on tamper protection in all endpoint security tools (e.g. require admin console authorization or a password for any agent uninstall, stop, or upgrade) [bleepingcomputer.com]. Verify that features like Microsoft Defender’s Tamper Protection are enabled enterprise-wide. These measures ensure malware can’t simply shut off protections via standard OS interfaces.

  • Adopt Driver Load Controls: Implement Microsoft’s Vulnerable Driver Blocklist (and enable Hypervisor-Protected Code Integrity where possible) to block known vulnerable drivers from executing [research.checkpoint.com, asec.ahnlab.com]. Consider using EDR solutions or OS controls that block kernel drivers that are not explicitly allowed. Regularly update these controls as new BYOVD threats emerge.

  • Harden Endpoint Agent Configurations: Use the most secure settings your EDR offers. For example, enable “Online/Cloud authorization” for agent updates (as in SentinelOne) [halcyon.ai], disable any local admin override capabilities, and ensure agents run in their highest protection modes (many offer a hardened mode for critical systems). Remove or password-protect any safe boot or recovery options that could be misused.

  • Stay Current with Patches (EDR & OS): Keep your endpoint security software up to date with the latest versions. Vendors often release silent updates to address vulnerabilities (like the ESET DLL hijack fix) [securelist.com]. Apply these quickly. Equally, update OS components; for instance, apply Windows updates that improve driver blocking or Safe Mode protections. Timely patching closes known holes before attackers leverage them.

  • Limit Administrator Privileges: Employ least-privilege principles. Users should not have local admin rights on workstations by default. Admin accounts should be tightly controlled (use Privileged Access Management). By reducing the availability of admin-level access, you diminish the attacker’s ability to perform actions like driver installation or service manipulation [halcyon.ai]. Even if malware runs, it might lack the privileges to disable the EDR.

  • Monitor for Evasion Indicators: Strengthen your detection engineering to catch signs of EDR evasion. Set up alerts for mass process termination events, especially if they include security processes (this could indicate a driver attack) [asec.ahnlab.com]. Monitor for unusual child processes of security tools or utilities (e.g., Defender’s CLI spawning unknown processes) [sentinelone.com]. Log and alert on any driver installations on endpoints that are not part of normal updates. Also, treat any EDR agent going offline or entering a “disabled” state as a potential incident, and investigate immediately.

  • Improve Resilience and Response: Since no prevention is 100% foolproof, focus on resilience. For example, ensure you have endpoint isolation capabilities – if an agent reports a tamper event or stops unexpectedly, the SOC can isolate that host via network controls. Invest in endpoint backup/restoration solutions so that even if one layer (EDR) is bypassed, you can recover critical systems quickly. Regularly test your IR plan against scenarios of EDR bypass; incorporate drills where the assumption is “the endpoint agent was neutralized – now what?”.

  • Behavioral Analytics & Anomaly Detection: Leverage EDR/MDR solutions that use behavioral analytics to spot the outcomes of evasion. For instance, an attacker relying on Safe Mode still has to reboot the machine; an EDR with user behavior analytics might flag an oddly timed reboot or the use of bcdedit commands. Similarly, detect abnormal tool usage (like an admin tool launching in an unusual context). Machine learning in EDR can sometimes pick up these oddities even if the initial evasion blinds some telemetry.
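To make the monitoring guidance concrete (the anomaly-detection and hunting items in the mitigation table above and the “Monitor for Evasion Indicators” recommendation), here is an added example that is not code from any vendor or report cited on this page: a small Python rule set that scans constructed endpoint telemetry for the indicators discussed. The event field names, the security service/process lists and the driver file names are assumptions chosen to illustrate the rules, not a vendor’s schema.

```python
import re

SECURITY_SERVICES = {"windefend", "sense", "sentinelagent", "csfalconservice"}  # assumed names
SECURITY_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "csfalconservice.exe", "sophossavservice.exe"}
KNOWN_VULN_DRIVERS = {"rtcore64.sys", "procexp152.sys"}  # file names assumed for the BYOVD cases above
TRUSTED_LOADERS = {"mpcmdrun.exe", "rundll32.exe", "regsvr32.exe"}  # LOLBins named in the text
USER_WRITABLE = re.compile(r"\\(temp|tmp|appdata|users\\[^\\]+\\(downloads|desktop|public))\\", re.I)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: dict) -> list:
    """Indicators a single telemetry event triggers (empty list for benign events)."""
    hits, kind = [], ev["kind"]
    if kind == "process_create" and all(w in ev.get("cmdline", "").lower() for w in ("bcdedit", "safeboot")):
        hits.append("safe_mode_boot_configured")          # Snatch / AvosLocker Safe Mode trick
    elif kind == "service_stop" and ev["service"].lower() in SECURITY_SERVICES:
        hits.append("security_service_stopped")           # service abuse / tamper attempt
    elif kind == "driver_load":
        if basename(ev["image"]) in KNOWN_VULN_DRIVERS:
            hits.append("known_vulnerable_driver_loaded")  # BYOVD
        if not ev.get("signed", False) or USER_WRITABLE.search(ev["image"]):
            hits.append("driver_from_untrusted_source")
    elif kind == "image_load":
        if basename(ev["process"]) in TRUSTED_LOADERS and USER_WRITABLE.search(ev["image"]):
            hits.append("dll_sideload_from_user_path")     # MpCmdRun.exe-style side-load
    return hits

def mass_termination(events: list, window: int = 10, threshold: int = 3) -> list:
    """Timestamps at which >= threshold security processes died within `window` seconds."""
    kills = sorted(e["ts"] for e in events if e["kind"] == "process_terminate" and basename(e["image"]) in SECURITY_PROCESSES)
    flagged, start = [], 0
    for end, ts in enumerate(kills):
        while ts - kills[start] > window:   # slide the window start forward
            start += 1
        if end - start + 1 >= threshold:
            flagged.append(ts)
    return flagged

def analyze(events: list) -> dict:
    # Map each indicator name to the timestamps at which it fired.
    alerts = {}
    for ev in events:
        for hit in classify(ev):
            alerts.setdefault(hit, []).append(ev["ts"])
    for ts in mass_termination(events):
        alerts.setdefault("mass_security_process_termination", []).append(ts)
    return alerts

# Constructed telemetry (not from any real incident); ts = seconds on a shared clock.
SAMPLE_EVENTS = [
    {"ts": 100, "kind": "driver_load", "image": r"C:\Users\bob\AppData\Local\Temp\RTCore64.sys", "signed": True},
    {"ts": 101, "kind": "process_terminate", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"ts": 102, "kind": "process_terminate", "image": r"C:\Program Files\SentinelOne\SentinelAgent.exe"},
    {"ts": 103, "kind": "process_terminate", "image": r"C:\Program Files\Sophos\SophosSAVService.exe"},
    {"ts": 110, "kind": "process_create", "cmdline": "bcdedit /set {current} safeboot minimal"},
    {"ts": 120, "kind": "service_stop", "service": "WinDefend"},
    {"ts": 130, "kind": "image_load", "process": r"C:\Program Files\Windows Defender\MpCmdRun.exe", "image": r"C:\Users\bob\AppData\Local\Temp\payload.dll"},
    {"ts": 140, "kind": "image_load", "process": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\ntdll.dll"},
]
```

Running `analyze(SAMPLE_EVENTS)` flags the vulnerable driver loaded from a Temp path, the three security-process kills within ten seconds, the Safe Mode boot configuration, the stopped Defender service and the side-load from a user-writable path, while the benign svchost.exe load stays silent.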

In conclusion, endpoint security evasion techniques have grown more sophisticated from 2020 through 2025, but a combination of good product configuration, up-to-date threat intelligence, and vigilant monitoring can significantly blunt their impact. Security engineers should work closely with their EDR vendors to deploy the available safeguards (e.g., driver blocklists, tamper-proof settings) and ensure that endpoints are not an easy target for these “living off the land” style attacks. Ultimately, awareness and preparation are key: knowing that attackers can and will try to turn your tools against you is the first step to making sure they do not succeed [halcyon.ai].

Sources: SentinelOne, Sophos, Microsoft, ESET, Kaspersky and Aon Stroz Friedberg case studies and threat research [halcyon.ai, securelist.com, news.sophos.com], as well as CISA alerts and industry reports from 2020–2025 detailing these evasion techniques [attackiq.com, techtarget.com]. These references underscore the prevalence of such tactics in recent years and the importance of a robust, multi-layered defense strategy.

Halcyon. (2024, January 10). Ransomware attack bypasses EDR with BYOI technique. Halcyon. https://www.halcyon.ai/blog/ransomware-attack-bypasses-edr-with-byoi-technique

Halcyon. (2024, April 1). RansomHub’s EDR-Killer shows up in Medusa, BianLian and Play attacks. Halcyon. https://www.halcyon.ai/blog/ransomhubs-edr-killer-shows-up-in-medusa-bianlian-and-play-attacks

Sophos. (2023, April 19). ‘AuKill’ EDR killer malware abuses Process Explorer driver. Sophos News. https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/

Securelist. (2023, March 21). APT group ToddyCat exploits a vulnerability in ESET for DLL proxying. Securelist. https://securelist.com/toddycat-apt-exploits-vulnerability-in-eset-software-for-dll-proxying/116086/

SentinelOne. (2023, July 13). Living off Windows Defender: LockBit ransomware sideloads Cobalt Strike through Microsoft Security Tool. SentinelOne. https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/

Sophos. (2019, December 9). Snatch ransomware reboots PCs into Safe Mode to bypass protection. Sophos News. https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/

AttackIQ. (2023, November 1). #StopRansomware: AvosLocker Ransomware. AttackIQ. https://www.attackiq.com/2023/11/01/avoslocker-ransomware/

BleepingComputer. (2024, January 9). New “Bring Your Own Installer” EDR bypass used in ransomware attack. https://www.bleepingcomputer.com/news/security/new-bring-your-own-installer-edr-bypass-used-in-ransomware-attack/

Check Point Research. (2025). Silent Killers: Unmasking a large-scale legacy driver exploitation campaign. https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/

AhnLab ASEC. (2024). Legacy driver exploitation through bypassing certificate verification. https://asec.ahnlab.com/en/86881/

Trend Micro. (2022). AvosLocker ransomware variant abuses driver file to disable anti-virus, scans for Log4Shell. Trend Micro Research. https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html

ESET. (2025). Shifting the sands of RansomHub’s EDRKillShifter. WeLiveSecurity. https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/

TechTarget. (2024). BlackByte ransomware uses new EDR evasion technique. https://www.techtarget.com/searchsecurity/news/252525965/BlackByte-ransomware-uses-new-EDR-evasion-technique