
Chief Creative Officer

A LimaCharlie user recently reported dealing with EDR countermeasures and shared with us how LimaCharlie’s distinct approach saved the day. Apparently, the attackers went to some length to avoid detection and were removing agents for a Wazuh IDS. It would seem that the bad guys are thinking hard about how to sneak by EDR solutions, and the common path is to silence ETW and stick to .NET assemblies for execution. Extensive information regarding some of the most notable EDR evasion techniques is outlined in this Reddit post.

Fortunately for LimaCharlie users, our EDR technology does not rely on Event Tracing (ETW) or hooking to instrument our agent at all. LimaCharlie events are generated “first party” from user mode and kernel mode. LimaCharlie acts as a good citizen across all platforms and does not rely on any third-party mechanisms for reporting.
As we continue to scale up and develop new capabilities, we encourage our users to get active in our Slack community to stay up to date with any new developments and to learn directly from other people making use of LimaCharlie’s Security Infrastructure as a Service.
Any issues or feature requests can be directed to: limacharlie.io/user-ticket