BYPASSING EDR COMBINED WITH SIEM: ANALYSIS OF ATTACK CONCEALMENT TECHNIQUES IN LOGS – A STUDY OF ADVERSARIAL TACTICS FOR DETECTION EVASION
DOI: https://doi.org/10.28925/2663-4023.2025.29.865

Keywords: Endpoint Detection and Response, Security Information and Event Management, detection evasion, log manipulation, slow attacks, event flooding, Living-off-the-Land, code obfuscation, unhooking, kernel-level attacks, DKOM, BIOS/UEFI, behavioral analytics, cross-platform telemetry, correlation, cyber threats, PowerShell, WMIC, CertUtil

Abstract
This article addresses a highly relevant cybersecurity issue — methods for bypassing Endpoint Detection and Response (EDR) systems in combination with Security Information and Event Management (SIEM) platforms, which are key components of modern cyber defense infrastructure. Despite the continuous evolution of these technologies, attackers develop tactics to evade detection and maintain persistence in compromised systems. The paper presents a classification of evasion techniques, including log manipulation, event spoofing, disabling logging services, and low-frequency attacks that remain below alert thresholds.
Special attention is given to tactics based on the "Living-off-the-Land" (LotL) concept — leveraging built-in operating system tools (e.g., PowerShell, WMIC, CertUtil) to execute malicious code with minimal indicators of compromise. Obfuscation techniques such as junk code injection, encryption, recompilation, and the use of custom loaders are analyzed for their ability to evade both signature-based and heuristic detection engines.
The paper also explores kernel-level attack methods, including Direct Kernel Object Manipulation (DKOM), DLL unhooking, and firmware-level intrusions via UEFI/BIOS modifications, which allow attackers to operate outside the monitored OS environment. Furthermore, the study examines SIEM evasion methods such as log wiping, timestamp tampering, sensor overload, and alert flooding — all of which aim to degrade analyst effectiveness and reduce detection fidelity.
Real-world examples are provided using popular platforms such as Elastic, Splunk, CrowdStrike, and SentinelOne. The authors conclude by emphasizing the importance of behavioral analytics, long-term correlation, cross-platform telemetry, and machine learning models as essential strategies for countering sophisticated evasion techniques and ensuring threat visibility in hybrid IT environments.
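The abstract contrasts low-frequency attacks that stay below per-window alert thresholds with long-term correlation as the countermeasure. The following added example (not code from the paper or its authors) illustrates that contrast on constructed log lines: a sliding-window failed-login counter run with a short window catches a burst but misses a slow attacker, while a long window catches the slow attacker. Line format, source addresses and event names are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry: "<ISO timestamp> <source IP> <event>".
# 10.0.0.5 fails a login every 20 minutes (slow attack, 12 attempts),
# 10.0.0.9 fails 6 times within a minute (burst), 10.0.0.7 is benign.
BASE = datetime(2025, 1, 1, 8, 0, 0)
SAMPLE_LOGS = (
    [f"{(BASE + timedelta(minutes=20 * i)).isoformat()} 10.0.0.5 auth_failure"
     for i in range(12)]
    + [f"{(BASE + timedelta(seconds=10 * i)).isoformat()} 10.0.0.9 auth_failure"
       for i in range(6)]
    + [f"{(BASE + timedelta(minutes=7)).isoformat()} 10.0.0.7 auth_success"]
)


def parse(line):
    """Split one constructed log line into (timestamp, source, event)."""
    ts, src, event = line.split(" ", 2)
    return datetime.fromisoformat(ts), src, event


def count_alerts(lines, window_minutes, threshold):
    """Return the set of sources that reach `threshold` auth_failure events
    inside any sliding window of `window_minutes` minutes.

    This is the classic threshold rule: a short window is what a slow
    attacker stays under, a long window is the 'long-term correlation'
    the paper recommends.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = set()
    for line in sorted(lines):    # ISO timestamps sort chronologically as text
        ts, src, event = parse(line)
        if event != "auth_failure":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    print("10-minute window, 5 failures:", count_alerts(SAMPLE_LOGS, 10, 5))
    print("6-hour window, 10 failures:  ", count_alerts(SAMPLE_LOGS, 360, 10))
```

Neither window alone is sufficient: the short one misses the slow attacker and the long one misses the burst, which is why both rules are normally kept.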
License
Copyright (c) 2025 Іван Опірський, Тарас Дзьобан, Святослав Василишин

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.