Sherlocked Security – Endpoint Evasion & Obfuscation Testing
Test Your Endpoint Defenses by Bypassing Security Controls with Advanced Evasion Techniques
1. Statement of Work (SOW)
Service Name: Endpoint Evasion & Obfuscation Testing
Client Type: Enterprises, MSSPs, Managed Security Providers, Government, Critical Infrastructure
Service Model: Manual Penetration Testing with Evasion Tools
Compliance Coverage: NIST 800-53, CIS Controls, SOC 2, ISO 27001
Testing Types:
- Evasion Techniques Simulation
- Bypass EDR/AV/NGAV Detection
- Endpoint Detection & Response (EDR) Evasion
- Obfuscation & Encryption Methods
- Custom Payload Creation and Delivery
2. Our Approach
[Test Environment Setup] → [Payload Development] → [Evasion Technique Selection] → [Test Execution] → [Detection Evasion Testing] → [Obfuscation Validation] → [Results Analysis] → [Remediation Planning]
3. Methodology
[Kickoff & Access Approval] → [Threat Emulation Plan] → [Test Selection (AV/EDR Specific)] → [Payload Development & Testing] → [Execution & Detection Mapping] → [Reporting & Retesting]
4. Deliverables to the Client
- Evasion Test Plan: Detailed emulation of attack techniques
- Payload Development Logs: Obfuscation and evasion methods employed
- Detection Testing Report: Identification of EDR/AV evasion effectiveness
- Remediation Plan: Actionable recommendations for improving endpoint defenses
- Executive Summary: Non-technical summary of findings and risk for senior management
- Detection Gap Analysis: Analysis of detection blind spots and evasion success
- Retesting & Certification: Validation of defensive improvements
5. What We Need from You (Client Requirements)
- Access to a testing environment or staging infrastructure
- Endpoint Protection Solution details (AV/EDR/NGAV configuration)
- Sample of existing endpoint telemetry/logging data
- SOC/IT/Infra contact for troubleshooting
- Approval to test on live endpoints (if applicable)
- Access to threat intel or existing attack vectors used in the organization
6. Tools & Technology Stack
- Cobalt Strike / Brute Ratel
- Metasploit Framework
- Empire (PowerShell-based attack framework)
- Custom Evasion Payloads
- Obfuscation Tools (Shellter, Veil-Evasion)
- Fileless payload delivery tools
- EDR/AV Analysis & Bypass Scripts
- Custom Tools / Scripts
7. Engagement Lifecycle
1. Initial Discovery Call → 2. Test Planning & Setup → 3. Evasion Simulation (1-2 Weeks) → 4. Detection Mapping & Analysis → 5. Draft Report + SOC Review → 6. Final Report + Remediation Plan → 7. Retesting & Final Certification
8. Why Sherlocked Security?
| Feature | Sherlocked Advantage |
|---|---|
| Advanced Evasion Techniques | Test evasion against next-gen AV/EDR systems |
| Custom Payload Development | Tailored payloads that bypass multiple defenses |
| Realistic Attack Simulation | Simulate real-world techniques for more accurate defense validation |
| Detection & Evasion Mapping | Real-time visibility into your endpoint defenses |
| Ongoing Support | Expert remediation advice and retesting at a reduced cost |
| Retesting Certification | Final security assessment post-remediation |
9. Real-World Case Studies
AV Evasion for Financial Institution
Objective: Test a financial institution’s endpoint defenses against advanced evasion techniques.
Outcome: Successfully bypassed two major AV systems and maintained stealth on endpoints for over 72 hours.
Fix: Implemented additional heuristic analysis and behavioral detection rules, improving detection efficacy by 30%.
EDR Evasion for Healthcare Provider
Client: National healthcare service provider
Scenario: Simulated targeted attack bypassing the EDR layer with custom payloads.
Findings: EDR failed to detect fileless execution techniques.
Result: EDR configuration updated to detect PowerShell-based attacks; additional monitoring implemented.
10. SOP – Standard Operating Procedure
- Kickoff call and review of endpoint security controls
- Define scope (AV/EDR/NGAV targets)
- Payload development and customization for specific EDR systems
- Test evasion techniques against security controls
- Analyze detection success rates and timing
- Generate report with findings and improvement suggestions
- Collaborate with SOC for feedback and gap identification
- Retest and validate improvements
- Deliver final security certificate post-fix
11. Evasion Testing Checklist
1. AV/EDR/NGAV Bypass
- Test signature-based detection avoidance (T1068)
- Test heuristics-based detection avoidance (T1083)
- Evasion via fileless malware techniques (PowerShell, WMI, etc.)
- Obfuscate shellcode using various tools (Veil-Evasion, Shellter)
- Reverse engineer or modify binaries to avoid detection
- Test AV/EDR’s response to custom payloads
2. Payload Development & Delivery
- Craft custom payloads to avoid detection (T1203, T1106)
- Test bypass techniques for different file types (executable, DLL, script)
- Evaluate network-based delivery methods (HTTP, DNS tunneling)
- Create encrypted payloads and test decryption bypass
- Ensure payload persistence across reboots (T1100)
3. Endpoint Evasion Techniques
- Use living-off-the-land binaries (LOLbins)
- Modify process memory (process injection)
- Test evasive techniques against native security controls
- Evade PowerShell detection using encoded scripts
- Use fileless payloads to maintain stealth
- Attempt registry and scheduled task persistence (T1053, T1071)
4. Detection & Response Testing
- Analyze endpoint detection logs for successful bypass events
- Validate SOC’s ability to correlate and detect evasion techniques
- Test detection systems’ response time for various evasion methods
- Document failed detection events and gaps
- Simulate lateral movement while maintaining evasion techniques
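The detection-mapping step above (analyze detection logs for bypass events, measure response time, document gaps) is where the engagement turns into numbers a SOC can act on. The script below is an added example, not Sherlocked Security's own tooling: it correlates the tester's execution log (which test case ran on which host, and when) with an EDR alert export, and reports per test case whether an alert fired, the time to detect, and the resulting gap list. The execution records, the alert line format (`<timestamp> host=<host> severity=<sev> rule=<rule>`) and the 30-minute correlation window are constructed assumptions for illustration.

```python
"""Detection-gap analysis for an endpoint evasion test window (added example).

Correlates tester execution records with EDR/AV alert lines exported by the SOC
and reports detection status and time-to-detect per test case. All data, the
alert format and the correlation window are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

# Constructed tester execution log: (test_id, technique label, host, start time).
EXECUTION_LOG = [
    ("TC-01", "encoded PowerShell (T1059)", "WS-014", "2024-03-11T09:00:00"),
    ("TC-02", "process injection", "WS-014", "2024-03-11T09:20:00"),
    ("TC-03", "scheduled task persistence (T1053)", "WS-022", "2024-03-11T10:05:00"),
    ("TC-04", "fileless WMI execution", "WS-022", "2024-03-11T10:40:00"),
]

# Constructed EDR alert export; the last line is unrelated noise outside test scope.
EDR_ALERTS = """\
2024-03-11T09:03:12 host=WS-014 severity=high rule=Suspicious encoded PowerShell command line
2024-03-11T09:31:45 host=WS-014 severity=medium rule=Remote thread created in another process
2024-03-11T10:06:02 host=WS-022 severity=low rule=Scheduled task created by non-admin shell
2024-03-11T11:15:00 host=WS-031 severity=high rule=Credential dumping attempt
"""

# Assumed export format: "<ISO timestamp> host=<host> severity=<sev> rule=<free text>".
ALERT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) severity=(?P<sev>\S+) rule=(?P<rule>.+)$")


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    severity: str
    rule: str


@dataclass
class TestResult:
    test_id: str
    technique: str
    host: str
    detected: bool
    time_to_detect: Optional[timedelta]  # None when no alert fired in the window
    rule: Optional[str]                  # the first rule that fired, if any


def parse_alerts(text: str) -> list[Alert]:
    """Parse the alert export; reject lines that do not match the assumed format."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised alert line: {line!r}")
        alerts.append(Alert(datetime.fromisoformat(m["ts"]), m["host"], m["sev"], m["rule"]))
    return sorted(alerts, key=lambda a: a.ts)


def correlate(executions, alerts: list[Alert], window: timedelta = timedelta(minutes=30)) -> list[TestResult]:
    """Attribute to each test case the earliest alert on the same host within its window."""
    results = []
    for test_id, technique, host, started in executions:
        start = datetime.fromisoformat(started)
        hit = next((a for a in alerts if a.host == host and start <= a.ts <= start + window), None)
        if hit is None:
            results.append(TestResult(test_id, technique, host, False, None, None))
        else:
            results.append(TestResult(test_id, technique, host, True, hit.ts - start, hit.rule))
    return results


def summarize(results: list[TestResult]) -> dict:
    """Detection rate, median time-to-detect and the list of undetected test cases (gaps)."""
    detected = [r for r in results if r.detected]
    ttd = [r.time_to_detect.total_seconds() for r in detected]
    return {
        "tests": len(results),
        "detected": len(detected),
        "detection_rate": len(detected) / len(results) if results else 0.0,
        "median_ttd_seconds": median(ttd) if ttd else None,
        "gaps": [r.test_id for r in results if not r.detected],
    }


def run_report() -> dict:
    """Convenience entry point: correlate the constructed data and return the summary."""
    return summarize(correlate(EXECUTION_LOG, parse_alerts(EDR_ALERTS)))


if __name__ == "__main__":
    for r in correlate(EXECUTION_LOG, parse_alerts(EDR_ALERTS)):
        status = f"detected after {r.time_to_detect} by '{r.rule}'" if r.detected else "NOT DETECTED"
        print(f"{r.test_id} {r.technique:<38} {r.host}: {status}")
    print(run_report())
```

With the constructed data, three of four test cases are attributed an alert and TC-04 (fileless WMI execution on WS-022) lands in the gap list, which is exactly the kind of finding the Detection Gap Analysis deliverable should record together with the rule tuning proposed to close it. The unrelated WS-031 alert is deliberately never attributed, since correlation is by host and time window; in a real engagement you would also tighten the window per technique and confirm attribution with the SOC before counting an alert as a detection.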
5. Reporting & Remediation
- Detail each evasion method and success rate
- Map techniques to MITRE ATT&CK framework (T1070, T1059)
- Provide remediation steps for AV/EDR bypass
- Recommend detection rule tuning to close the evasion gaps identified
- Retest after remediation and certification