Evading EDR

Book description

Nearly every enterprise uses an Endpoint Detection and Response (EDR) agent to monitor the devices on their network for signs of an attack. But that doesn't mean security defenders grasp how these systems actually work. This book demystifies EDR, taking you on a deep dive into how EDRs detect adversary activity. Chapter by chapter, you’ll learn that EDR is not a magical black box—it’s just a complex software application built around a few easy-to-understand components.

The author uses his years of experience as a red team operator to investigate each of the most common sensor components, discussing their purpose, explaining their implementation, and showing the ways they collect various data points from the Microsoft operating system. In addition to covering the theory behind designing an effective EDR, each chapter also reveals documented evasion strategies for bypassing EDRs that red teamers can use in their engagements.

Table of contents

  1. Praise for Evading EDR
  2. Title Page
  3. Copyright
  4. Dedication
  5. About the Author and Technical Reviewer
  6. Acknowledgments
  7. Introduction
    1. Who This Book Is For
    2. What Is in This Book
    3. Prerequisite Knowledge
    4. Setting Up
  8. 1. EDR-chitecture
    1. The Components of an EDR
      1. The Agent
      2. Telemetry
      3. Sensors
      4. Detections
    2. The Challenges of EDR Evasion
    3. Identifying Malicious Activity
      1. Considering Context
      2. Applying Brittle vs. Robust Detections
      3. Exploring Elastic Detection Rules
    4. Agent Design
      1. Basic
      2. Intermediate
      3. Advanced
    5. Types of Bypasses
    6. Linking Evasion Techniques: An Example Attack
    7. Conclusion
  9. 2. Function-Hooking DLLs
    1. How Function Hooking Works
      1. Implementing the Hooks with Microsoft Detours
      2. Injecting the DLL
    2. Detecting Function Hooks
    3. Evading Function Hooks
      1. Making Direct Syscalls
      2. Dynamically Resolving Syscall Numbers
      3. Remapping ntdll.dll
    4. Conclusion
  10. 3. Process- and Thread-Creation Notifications
    1. How Notification Callback Routines Work
    2. Process Notifications
      1. Registering a Process Callback Routine
      2. Viewing the Callback Routines Registered on a System
      3. Collecting Information from Process Creation
    3. Thread Notifications
      1. Registering a Thread Callback Routine
      2. Detecting Remote Thread Creation
    4. Evading Process- and Thread-Creation Callbacks
      1. Command Line Tampering
      2. Parent Process ID Spoofing
      3. Process-Image Modification
    5. A Process Injection Case Study: fork&run
    6. Conclusion
  11. 4. Object Notifications
    1. How Object Notifications Work
      1. Registering a New Callback
      2. Monitoring New and Duplicate Process-Handle Requests
    2. Detecting Objects an EDR Is Monitoring
    3. Detecting a Driver’s Actions Once Triggered
    4. Evading Object Callbacks During an Authentication Attack
      1. Performing Handle Theft
      2. Racing the Callback Routine
    5. Conclusion
  12. 5. Image-Load and Registry Notifications
    1. How Image-Load Notifications Work
      1. Registering a Callback Routine
      2. Viewing the Callback Routines Registered on a System
      3. Collecting Information from Image Loads
    2. Evading Image-Load Notifications with Tunneling Tools
    3. Triggering KAPC Injection with Image-Load Notifications
      1. Understanding KAPC Injection
      2. Getting a Pointer to the DLL-Loading Function
      3. Preparing to Inject
      4. Creating the KAPC Structure
      5. Queueing the APC
    4. Preventing KAPC Injection
    5. How Registry Notifications Work
      1. Registering a Registry Notification
      2. Mitigating Performance Challenges
    6. Evading Registry Callbacks
    7. Evading EDR Drivers with Callback Entry Overwrites
    8. Conclusion
  13. 6. Filesystem Minifilter Drivers
    1. Legacy Filters and the Filter Manager
    2. Minifilter Architecture
    3. Writing a Minifilter
      1. Beginning the Registration
      2. Defining Pre-operation Callbacks
      3. Defining Post-operation Callbacks
      4. Defining Optional Callbacks
      5. Activating the Minifilter
    4. Managing a Minifilter
    5. Detecting Adversary Tradecraft with Minifilters
      1. File Detections
      2. Named Pipe Detections
    6. Evading Minifilters
      1. Unloading
      2. Prevention
      3. Interference
    7. Conclusion
  14. 7. Network Filter Drivers
    1. Network-Based vs. Endpoint-Based Monitoring
    2. Legacy Network Driver Interface Specification Drivers
    3. The Windows Filtering Platform
      1. The Filter Engine
      2. Filter Arbitration
      3. Callout Drivers
    4. Implementing a WFP Callout Driver
      1. Opening a Filter Engine Session
      2. Registering Callouts
      3. Adding the Callout Function to the Filter Engine
      4. Adding a New Filter Object
      5. Assigning Weights and Sublayers
      6. Adding a Security Descriptor
    5. Detecting Adversary Tradecraft with Network Filters
      1. The Basic Network Data
      2. The Metadata
      3. The Layer Data
    6. Evading Network Filters
    7. Conclusion
  15. 8. Event Tracing for Windows
    1. Architecture
      1. Providers
      2. Controllers
      3. Consumers
    2. Creating a Consumer to Identify Malicious .NET Assemblies
      1. Creating a Trace Session
      2. Enabling Providers
      3. Starting the Trace Session
      4. Stopping the Trace Session
      5. Processing Events
      6. Testing the Consumer
    3. Evading ETW-Based Detections
      1. Patching
      2. Configuration Modification
      3. Trace-Session Tampering
      4. Trace-Session Interference
    4. Bypassing a .NET Consumer
    5. Conclusion
  16. 9. Scanners
    1. A Brief History of Antivirus Scanning
    2. Scanning Models
      1. On Demand
      2. On Access
    3. Rulesets
    4. Case Study: YARA
      1. Understanding YARA Rules
      2. Reverse Engineering Rules
    5. Evading Scanner Signatures
    6. Conclusion
  17. 10. Antimalware Scan Interface
    1. The Challenge of Script-Based Malware
    2. How AMSI Works
      1. Exploring PowerShell’s AMSI Implementation
      2. Understanding AMSI Under the Hood
      3. Implementing a Custom AMSI Provider
    3. Evading AMSI
      1. String Obfuscation
      2. AMSI Patching
      3. A Patchless AMSI Bypass
    4. Conclusion
  18. 11. Early Launch Antimalware Drivers
    1. How ELAM Drivers Protect the Boot Process
    2. Developing ELAM Drivers
      1. Registering Callback Routines
      2. Applying Detection Logic
    3. An Example Driver: Preventing Mimidrv from Loading
    4. Loading an ELAM Driver
      1. Signing the Driver
      2. Setting the Load Order
    5. Evading ELAM Drivers
    6. The Unfortunate Reality
    7. Conclusion
  19. 12. Microsoft-Windows-Threat-Intelligence
    1. Reverse Engineering the Provider
      1. Checking That the Provider and Event Are Enabled
      2. Determining the Events Emitted
    2. Determining the Source of an Event
      1. Using Neo4j to Discover the Sensor Triggers
      2. Getting a Dataset to Work with Neo4j
      3. Viewing the Call Trees
    3. Consuming EtwTi Events
      1. Understanding Protected Processes
      2. Creating a Protected Process
      3. Processing Events
    4. Evading EtwTi
      1. Coexistence
      2. Trace-Handle Overwriting
    5. Conclusion
  20. 13. Case Study: A Detection-Aware Attack
    1. The Rules of Engagement
    2. Initial Access
      1. Writing the Payload
      2. Delivering the Payload
      3. Executing the Payload
      4. Establishing Command and Control
      5. Evading the Memory Scanner
    3. Persistence
    4. Reconnaissance
    5. Privilege Escalation
      1. Getting a List of Frequent Users
      2. Hijacking a File Handler
    6. Lateral Movement
      1. Finding a Target
      2. Enumerating Shares
    7. File Exfiltration
    8. Conclusion
  21. Appendix. Auxiliary Sources
    1. Alternative Hooking Methods
    2. RPC Filters
    3. Hypervisors
      1. How Hypervisors Work
      2. Security Use Cases
      3. Evading the Hypervisor
  22. Index

Product information

  • Title: Evading EDR
  • Author(s): Matt Hand
  • Release date: October 2023
  • Publisher(s): No Starch Press
  • ISBN: 9781718503342