4 - Rename Obfuscation - Part 2
4 - Rename Obfuscation - Part 2
EDR Internals – Research & Development
Module 1: EDR Fundamentals
Module 1: EDR Fundamentals
Module 2: EDR Research Methodology and Practical Analysis
Module 2: EDR Research Methodology and Practical Analysis
Module 3: Building EDR: Foundations
Module 3: Building EDR: Foundations
Module 4: Basic Kernel Driver
Module 4: Basic Kernel Driver
Module 5: Working with IRPs
Module 5: Working with IRPs
Module 6: Kernel Notifications and Callbacks
Module 6: Kernel Notifications and Callbacks
Module 8: EDR Bypass and Evasion
Module 8: EDR Bypass and Evasion
Module 9: Detection Techniques
Module 9: Detection Techniques
4 – Rename Obfuscation (Part 2)
Key concept
Renaming obfuscation extends beyond PE section names. It also applies to function names, variable names, and internal logic. Even simple renaming can meaningfully impact static scoring mechanisms in EDRs and AV engines.
Bypassing whitelist / allow-list restrictions
• Some organizations use strict application whitelisting (e.g., AppLocker allow-list mode).
• Even with strong restrictions, attackers can abuse electron-based applications such as Chrome, Teams, or VSCode to run arbitrary code.
• This technique leverages proxy execution, where a trusted application becomes the launcher of malicious logic.
• Attackers have already weaponized this method after its publication, demonstrating the practical value of the finding.
Section-name manipulation
• Renaming PE sections (e.g., .text → text1 or arbitrary names) can influence detection scores.
• Some EDRs rely on section naming conventions; altering them may lower or increase suspicion depending on the engine’s scoring model.
• Renaming alone does not break program functionality because the section name is not functionally tied to execution.
Function name and parameter obfuscation
• Renaming sensitive functions (e.g., executeShell → run) reduces the chance of signature triggers.
• While PDB files are rarely shipped with malware, development builds may unintentionally leak:
– Developer names
– Debug paths
– Internal project structure
• Ensuring release builds disable PDB generation prevents leakage and reduces static indicators.
Real-world example of poor blue-team awareness
• Organizations often underestimate how easy simple bypasses can be.
• Examples include:
– Using ftp.exe to spawn a shell (!cmd) despite CMD being blocked
– Copying system binaries to a new filename to bypass hash or path-based rules
• Demonstrates a recurring theme: defenders frequently implement naive controls without adversarial thinking.
Core takeaway
Rename obfuscation is a simple but impactful method. Even minimal changes—section names, function names, or avoiding debug artifacts—can influence static scores, bypass block rules, and reduce detection likelihood.