Table of contents

Cover
Praise for Evading EDR
Title Page
Copyright
Dedication
About the Author
About the Technical Reviewer
Brief Contents
Contents in Detail
Acknowledgments

Introduction
    Who This Book Is For
    What Is in This Book
    Prerequisite Knowledge
    Setting Up

1. EDR-Chitecture
    The Components of an EDR
        The Agent
        Telemetry
        Sensors
        Detections
    The Challenges of EDR Evasion
        Identifying Malicious Activity
        Considering Context
        Applying Brittle vs. Robust Detections
        Exploring Elastic Detection Rules
    Agent Design
        Basic
        Intermediate
        Advanced
    Types of Bypasses
    Linking Evasion Techniques: An Example Attack
    Conclusion

2. Function-Hooking DLLs
    How Function Hooking Works
    Implementing the Hooks with Microsoft Detours
    Injecting the DLL
    Detecting Function Hooks
    Evading Function Hooks
        Making Direct Syscalls
        Dynamically Resolving Syscall Numbers
        Remapping ntdll.dll
    Conclusion

3. Process- and Thread-Creation Notifications
    How Notification Callback Routines Work
    Process Notifications
        Registering a Process Callback Routine
        Viewing the Callback Routines Registered on a System
        Collecting Information from Process Creation
    Thread Notifications
        Registering a Thread Callback Routine
        Detecting Remote Thread Creation
    Evading Process- and Thread-Creation Callbacks
        Command Line Tampering
        Parent Process ID Spoofing
        Process-Image Modification
    A Process Injection Case Study: fork&run
    Conclusion

4. Object Notifications
    How Object Notifications Work
        Registering a New Callback
        Monitoring New and Duplicate Process-Handle Requests
    Detecting Objects an EDR Is Monitoring
    Detecting a Driver’s Actions Once Triggered
    Evading Object Callbacks During an Authentication Attack
        Performing Handle Theft
        Racing the Callback Routine
    Conclusion

5. Image-Load and Registry Notifications
    How Image-Load Notifications Work
        Registering a Callback Routine
        Viewing the Callback Routines Registered on a System
        Collecting Information from Image Loads
    Evading Image-Load Notifications with Tunneling Tools
    Triggering KAPC Injection with Image-Load Notifications
        Understanding KAPC Injection
        Getting a Pointer to the DLL-Loading Function
        Preparing to Inject
        Creating the KAPC Structure
        Queueing the APC
    Preventing KAPC Injection
    How Registry Notifications Work
        Registering a Registry Notification
        Mitigating Performance Challenges
    Evading Registry Callbacks
    Evading EDR Drivers with Callback Entry Overwrites
    Conclusion

6. Filesystem Minifilter Drivers
    Legacy Filters and the Filter Manager
    Minifilter Architecture
    Writing a Minifilter
        Beginning the Registration
        Defining Pre-operation Callbacks
        Defining Post-operation Callbacks
        Defining Optional Callbacks
        Activating the Minifilter
    Managing a Minifilter
    Detecting Adversary Tradecraft with Minifilters
        File Detections
        Named Pipe Detections
    Evading Minifilters
        Unloading
        Prevention
        Interference
    Conclusion

7. Network Filter Drivers
    Network-Based vs. Endpoint-Based Monitoring
    Legacy Network Driver Interface Specification Drivers
    The Windows Filtering Platform
        The Filter Engine
        Filter Arbitration
        Callout Drivers
    Implementing a WFP Callout Driver
        Opening a Filter Engine Session
        Registering Callouts
        Adding the Callout Function to the Filter Engine
        Adding a New Filter Object
        Assigning Weights and Sublayers
        Adding a Security Descriptor
    Detecting Adversary Tradecraft with Network Filters
        The Basic Network Data
        The Metadata
        The Layer Data
    Evading Network Filters
    Conclusion

8. Event Tracing for Windows
    Architecture
        Providers
        Controllers
        Consumers
    Creating a Consumer to Identify Malicious .NET Assemblies
        Creating a Trace Session
        Enabling Providers
        Starting the Trace Session
        Stopping the Trace Session
        Processing Events
        Testing the Consumer
    Evading ETW-Based Detections
        Patching
        Configuration Modification
        Trace-Session Tampering
        Trace-Session Interference
        Bypassing a .NET Consumer
    Conclusion

9. Scanners
    A Brief History of Antivirus Scanning
    Scanning Models
        On Demand
        On Access
    Rulesets
    Case Study: YARA
        Understanding YARA Rules
        Reverse Engineering Rules
    Evading Scanner Signatures
    Conclusion

10. Antimalware Scan Interface
    The Challenge of Script-Based Malware
    How AMSI Works
        Exploring PowerShell’s AMSI Implementation
        Understanding AMSI Under the Hood
        Implementing a Custom AMSI Provider
    Evading AMSI
        String Obfuscation
        AMSI Patching
        A Patchless AMSI Bypass
    Conclusion

11. Early Launch Antimalware Drivers
    How ELAM Drivers Protect the Boot Process
    Developing ELAM Drivers
        Registering Callback Routines
        Applying Detection Logic
    An Example Driver: Preventing Mimidrv from Loading
    Loading an ELAM Driver
        Signing the Driver
        Setting the Load Order
    Evading ELAM Drivers
    The Unfortunate Reality
    Conclusion

12. Microsoft-Windows-Threat-Intelligence
    Reverse Engineering the Provider
        Checking That the Provider and Event Are Enabled
        Determining the Events Emitted
        Determining the Source of an Event
    Using Neo4j to Discover the Sensor Triggers
        Getting a Dataset to Work with Neo4j
        Viewing the Call Trees
    Consuming EtwTi Events
        Understanding Protected Processes
        Creating a Protected Process
        Processing Events
    Evading EtwTi
        Coexistence
        Trace-Handle Overwriting
    Conclusion

13. Case Study: A Detection-Aware Attack
    The Rules of Engagement
    Initial Access
        Writing the Payload
        Delivering the Payload
        Executing the Payload
    Establishing Command and Control
    Evading the Memory Scanner
    Persistence
    Reconnaissance
    Privilege Escalation
        Getting a List of Frequent Users
        Hijacking a File Handler
    Lateral Movement
        Finding a Target
        Enumerating Shares
    File Exfiltration
    Conclusion

Appendix: Auxiliary Sources
    Alternative Hooking Methods
    RPC Filters
    Hypervisors
        How Hypervisors Work
        Security Use Cases
        Evading the Hypervisor

Index
Back Cover