Turul's Implant Generation
Last updated
The generation of implants in Turul is much more sophisticated than simply specifying values in advance, such as the delay of the agent or an obfuscation technique.
Each implant is created using an alpha version of the MalwareGAN.
Upon submission, generating your implant typically takes between 5 and 15 seconds, and it makes a call to a remote API for this to happen.
Currently the MalwareGAN is not working against the specific EDR that you are seeking to bypass (which is the aim, funding / budget / resources allowing); rather, it takes some assumptions about the clustering and classification algorithms in play and exploits the limitations of that approach on the part of the developers of these EDRs.
In order to present some conceptual information related to how we actually bypass the EDRs, the following graphic serves to provide an overview of some of the components of an EDR.
An important distinction to make is that many attacks focus on the various individual components themselves.
For example: encryption to defeat the static scanner, or evading hooks that get loaded into processes by performing native API calls, and so on.
Turul's focus is on confusing the ML model once all the datapoints have been collected by the various sensor services and are fed into the ML model / agent service. We do this by ensuring that our binary and its actions do not reach a threshold (we will work with more precision per EDR in the future) where the EDR limits actions based on its training.
Keep checking back as we continue to develop our knowledge and capability against the EDRs' ML models across this table. You can see videos below the graphic of each EDR that we have evaded, and are evading, this way. Since the focus here has been more on evasion and on certain aspects of the kill chain, some aspects are still in development (the cmd.exe pop-up, the lack of Excel data populated in sheets, etc.), but the videos highlight our working methodologies.
MICROSOFT E5 APT and CROWDSTRIKE FALCON PARALLEL EVASION:
SOPHOS EDR EVASION:
KASPERSKY ENDPOINT SECURITY EVASION:
TREND MICRO EDR EVASION: