BYPASSING EDR COMBINED WITH SIEM: ANALYSIS OF ATTACK CONCEALMENT TECHNIQUES IN LOGS – A STUDY OF ADVERSARIAL TACTICS FOR DETECTION EVASION
I. Opirskyy, Taras Dzoban, Sviatoslav Vasylyshyn
Abstract
This article addresses a highly relevant cybersecurity issue — methods for bypassing Endpoint Detection and Response (EDR) systems in combination with Security Information and Event Management (SIEM) platforms, which are key components of modern cyber defense infrastructure. Despite the continuous evolution of these technologies, attackers develop tactics to evade detection and maintain persistence in compromised systems. The paper presents a classification of evasion techniques, including log manipulation, event spoofing, disabling logging services, and low-frequency attacks that remain below alert thresholds.
Special attention is given to tactics based on the "Living-off-the-Land" (LotL) concept — leveraging built-in operating system tools (e.g., PowerShell, WMIC, CertUtil) to execute malicious code with minimal indicators of compromise. Obfuscation techniques such as junk code injection, encryption, recompilation, and the use of custom loaders are analyzed for their ability to evade both signature-based and heuristic detection engines.
The paper also explores kernel-level attack methods, including Direct Kernel Object Manipulation (DKOM), DLL unhooking, and firmware-level intrusions via UEFI/BIOS modifications, which allow attackers to operate outside the monitored OS environment. Furthermore, the study examines SIEM evasion methods such as log wiping, timestamp tampering, sensor overload, and alert flooding — all of which aim to degrade analyst effectiveness and reduce detection fidelity.
Real-world examples are provided using popular platforms such as Elastic, Splunk, CrowdStrike, and SentinelOne. The authors conclude by emphasizing the importance of behavioral analytics, long-term correlation, cross-platform telemetry, and machine learning models as essential strategies for countering sophisticated evasion techniques and ensuring threat visibility in hybrid IT environments.
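The abstract contrasts low-frequency attacks that stay below per-window alert thresholds with long-term correlation as the countermeasure. The following added example (not code from the paper or its authors) makes that gap concrete: the same sliding-window counter is run at two time scales over a constructed authentication log, so a "low and slow" source that never trips a 5-minute threshold is still surfaced by a 24-hour one. The log format, the IP addresses and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the paper): "<ISO timestamp> <src_ip> <outcome>".
# 10.0.0.5 fails once every 10 minutes for two hours (12 failures, "low and slow");
# 10.0.0.9 fails 6 times within one minute (a classic burst).
SAMPLE_LOG = "\n".join(
    [f"2024-01-01T{h:02d}:{m:02d}:00 10.0.0.5 auth_fail"
     for h in range(0, 2) for m in range(0, 60, 10)]
    + [f"2024-01-01T03:00:{s:02d} 10.0.0.9 auth_fail" for s in range(0, 60, 10)]
    + ["2024-01-01T03:05:00 10.0.0.5 auth_success"]
)


def parse(log_text):
    """Parse lines into sorted (timestamp, source, outcome) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return sorted(events)


def sources_over_threshold(events, window, threshold, outcome="auth_fail"):
    """Return the sources whose count of `outcome` events inside any sliding
    window of length `window` reaches `threshold` (two-pointer sweep per source)."""
    per_source = defaultdict(list)
    for ts, src, out in events:
        if out == outcome:
            per_source[src].append(ts)
    flagged = set()
    for src, stamps in per_source.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # drop events older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def compare_windows(log_text):
    """Run the short (burst) rule and the long (correlation) rule over the same events."""
    events = parse(log_text)
    short = sources_over_threshold(events, timedelta(minutes=5), threshold=5)
    long_ = sources_over_threshold(events, timedelta(hours=24), threshold=10)
    return {"short_window": short, "long_window": long_}
```

Only the burst source trips the 5-minute rule, while only the slow source trips the 24-hour rule; a SIEM that keeps just the short rule never sees the second attacker.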
