Analyzing the EDR Evasion Techniques Behind Modern Breaches

February 5, 2026

Anatomy of Stealth


EDR is not a silver bullet — it’s a hurdle that attackers increasingly expect to clear.

Many organizations equate a lack of endpoint alerts with a lack of risk. However, that assumption is outdated.

Endpoint detection and response (EDR) remains a critical first line of defense: an agent on each device reports what is arriving and leaving, who is running what, and what is being changed. But attackers are developing techniques to bypass EDR platforms, and those techniques are becoming routine.

If attackers disable or bypass the endpoint agent, they have effectively turned off the security cameras. For a sophisticated intruder this is often the "holy grail," because it lets them operate without leaving an endpoint trail.

  • Evade: They can run malicious scripts and tools that would normally be blocked, as there is no "behavioral engine" left to report them.
  • Expand: They can use the compromised machine as a "ghost base" to scan your network and jump to other computers without being tracked.
  • Exfiltrate: They can pack up and ship out sensitive data without triggering any "suspicious upload" alerts.
  • Execute: They can deploy ransomware across the entire network at once. Since the EDR's "auto-containment" is dead, nothing is there to stop the encryption process.

With this approach, attackers cut off an organization's line of sight and undermine every control that depends on endpoint telemetry.

The Commoditization of EDR Evasion

EDR evasion is no longer a specialty skill. It's a commodity. A thriving underground market for automated EDR-evasion tools and evasion-as-a-service now lets even low-skilled attackers bypass top-tier endpoint defenses at the push of a button.

Techniques that were once the domain of sophisticated, well-funded nation-state actors are now available to anyone with a GitHub account:

  • Red-team tools are published openly, and attackers repurpose them for real-world intrusions.
  • Evasion is built into standardized, publicly available frameworks that are easy to deploy.
  • AI makes it easy for low-skill attackers to rewrite malware so that it bypasses signature-based detection.

The result is an industrialized market for evasion tooling — one that’s streamlined, inexpensive, and broadly accessible. 

The Cost of EDR Evasion

The impact is visible across some of the most damaging breaches of the past several years. In healthcare and gaming environments, for example, Scattered Spider installed a legitimate but vulnerable signed driver (a bring-your-own-vulnerable-driver, or BYOVD, attack) to gain kernel-level access, unregister the kernel notification callbacks that EDR agents rely on to see process, thread and image-load activity, and blind the endpoint agents.

Global Threat Landscape Report data shows 22.99% of organizations detected Scattered Spider activity in the past 12 months.

In another case, ALPHV/BlackCat used stolen credentials to disable Change Healthcare's endpoint defenses. The attackers then spent nine days moving laterally, exfiltrated 6 TB of data, and extorted a $22 million ransom.

In each of these instances, the threat actors were able to shift their operations to the network – concealing their activities as they mapped the environment, harvested credentials, moved laterally, established persistent command-and-control that mimicked legitimate traffic, exfiltrated sensitive data, and staged ransomware. 


Combat EDR Evasion on the Network

Once attackers slip past EDR, mean time to detect (MTTD) stretches into days, weeks, months, or longer, giving adversaries ample time to identify and exfiltrate sensitive data. What begins as a localized compromise can quickly escalate into a full-scale breach, resulting in measurable damage.

To catch these attacks, detection must occur where the activity is still visible: on the network. A passive sensor's copy of the traffic is a source of evidence the attacker cannot reach. Attackers can disable agents and disguise their traffic as something routine, but they cannot move laterally, fetch tasking or exfiltrate data without generating traffic, and they cannot alter what a network sensor has already recorded.

With network visibility, security teams can detect sophisticated behavioral anomalies even when traditional endpoint agents are bypassed or blinded.

Once inside, attackers rely on encryption and legitimate protocols to hide.

  • Malicious commands resemble routine web requests.
  • Exfiltration blends into normal file transfers.
  • Lateral movement uses the same protocols employees rely on every day.

Detecting this activity requires capabilities that operate independently of the endpoint: decryption to expose encrypted traffic (in practice this means forwarding session keys or private keys from servers and load balancers you control, or terminating TLS at an intercepting proxy; a TLS session from an implant straight to an external server cannot be opened passively), protocol-aware analysis to identify abuse of legitimate protocols, and full packet capture to reconstruct attacker movement.
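As an added illustration (not ExtraHop or RevealX code), the Python below runs three of these network-side checks over constructed Zeek-style connection records: a beaconing check on connection timing, a lateral-movement fan-out check over the admin protocols employees and administrators use every day, and an upload-ratio check for bulk exfiltration. The record layout, the thresholds, and every host and flow in it are assumptions made for the example.

```python
"""Added example, not ExtraHop/RevealX code: agent-independent detectors run
over constructed Zeek-style connection records.  They cover C2 check-ins that
look like routine HTTPS, lateral-movement fan-out over everyday admin ports,
and bulk exfiltration hidden in an upload.  Thresholds are illustrative."""

import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (ts, src, dst, dport, orig_bytes, resp_bytes).
# Times are epoch seconds; addresses are RFC 1918 / documentation ranges.
BASE = 1_700_000_000.0
SAMPLE_FLOWS = []

# 1. Workstation checks in with 203.0.113.10:443 every ~60 s with tiny jitter.
for i, jitter in enumerate([0.0, 0.4, -0.3, 0.2, 0.1, -0.2, 0.3, -0.1, 0.0, 0.2]):
    SAMPLE_FLOWS.append((BASE + 60 * i + jitter, "10.0.1.20", "203.0.113.10", 443, 600, 1200))

# 2. The same workstation then opens SMB to twelve servers inside one minute.
for i in range(12):
    SAMPLE_FLOWS.append((BASE + 600 + 5 * i, "10.0.1.20", f"10.0.2.{5 + i}", 445, 4000, 8000))

# 3. Another host pushes ~850 MB to an external peer in a single HTTPS session.
SAMPLE_FLOWS.append((BASE + 900, "10.0.1.30", "198.51.100.7", 443, 850_000_000, 2_000_000))

# 4. Benign browsing: irregular timing, download-heavy.  Must not be flagged.
for off in (0, 7, 95, 110, 400, 403, 900):
    SAMPLE_FLOWS.append((BASE + off, "10.0.1.40", "93.184.216.34", 443, 20_000, 3_000_000))

ADMIN_PORTS = {135, 139, 445, 3389, 5985, 5986}   # RPC, SMB, RDP, WinRM
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """Only RFC 1918 space counts as internal.  (ipaddress.is_private also
    matches documentation ranges such as 203.0.113.0/24, so it is not used.)"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def detect_beacons(flows, min_conns=6, max_cv=0.1):
    """Flag (src, dst, dport) peers whose inter-connection gaps are too regular:
    coefficient of variation (stdev / mean) below max_cv over >= min_conns flows."""
    by_peer = defaultdict(list)
    for ts, src, dst, dport, *_ in flows:
        by_peer[(src, dst, dport)].append(ts)
    findings = []
    for (src, dst, dport), times in by_peer.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:          # duplicate timestamps; nothing to measure
            continue
        cv = pstdev(gaps) / avg
        if cv < max_cv:
            findings.append({"type": "beacon", "src": src, "dst": dst, "dport": dport,
                             "count": len(times), "period_s": round(avg, 1),
                             "cv": round(cv, 4)})
    return findings


def detect_lateral_fanout(flows, window_s=300, min_hosts=8):
    """Flag an internal host that reaches >= min_hosts distinct internal peers
    on admin ports within any sliding window of window_s seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, *_ in flows:
        if dport in ADMIN_PORTS and is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst))
    findings = []
    for src, events in by_src.items():
        events.sort()
        best, j = 0, 0
        for i in range(len(events)):
            while j < len(events) and events[j][0] - events[i][0] <= window_s:
                j += 1
            best = max(best, len({dst for _, dst in events[i:j]}))
        if best >= min_hosts:
            findings.append({"type": "lateral_fanout", "src": src,
                             "distinct_hosts": best, "window_s": window_s})
    return findings


def detect_exfil(flows, min_bytes=500_000_000, min_ratio=5.0):
    """Flag an internal host that sends >= min_bytes to one external peer while
    receiving far less back (upload/download ratio >= min_ratio)."""
    totals = defaultdict(lambda: [0, 0])
    for _, src, dst, _, out_b, in_b in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, dst)][0] += out_b
            totals[(src, dst)][1] += in_b
    findings = []
    for (src, dst), (out_b, in_b) in totals.items():
        ratio = out_b / in_b if in_b else float("inf")
        if out_b >= min_bytes and ratio >= min_ratio:
            findings.append({"type": "exfil", "src": src, "dst": dst,
                             "out_bytes": out_b, "ratio": round(ratio, 1)})
    return findings


def run_all(flows=SAMPLE_FLOWS):
    return detect_beacons(flows) + detect_lateral_fanout(flows) + detect_exfil(flows)


if __name__ == "__main__":
    for finding in run_all():
        print(finding)
```

Run as a script it prints one finding per behaviour for the sample. In a real deployment the same logic would be fed from a sensor's connection log and tuned per environment; the beaconing check in particular should be corroborated with other signals, since update checks and scheduled jobs are also periodic, and the exfiltration check assumes a sensor placed where it sees the full byte counts of outbound sessions.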

When EDR fails, network detection and response (NDR) is here to unmask the attack.

To learn more, read Network Detection and Response: How RevealX Detects Stealthy Threats.

Blog author
Anthony James

Vice President, Product Management and Product Marketing
