Evading EDR: The Definitive Guide to Defeating Endpoint Detection Systems 9781718503359, 9781718503342

Table of contents :
Cover
Praise for Evading EDR
Title Page
Copyright
Dedication
About the Author and Technical Reviewer
Acknowledgments
Introduction
Who This Book Is For
What Is in This Book
Prerequisite Knowledge
Setting Up
1. EDR-chitecture
The Components of an EDR
The Agent
Telemetry
Sensors
Detections
The Challenges of EDR Evasion
Identifying Malicious Activity
Considering Context
Applying Brittle vs. Robust Detections
Exploring Elastic Detection Rules
Agent Design
Basic
Intermediate
Advanced
Types of Bypasses
Linking Evasion Techniques: An Example Attack
Conclusion
2. Function-Hooking DLLs
How Function Hooking Works
Implementing the Hooks with Microsoft Detours
Injecting the DLL
Detecting Function Hooks
Evading Function Hooks
Making Direct Syscalls
Dynamically Resolving Syscall Numbers
Remapping ntdll.dll
Conclusion
3. Process- and Thread-Creation Notifications
How Notification Callback Routines Work
Process Notifications
Registering a Process Callback Routine
Viewing the Callback Routines Registered on a System
Collecting Information from Process Creation
Thread Notifications
Registering a Thread Callback Routine
Detecting Remote Thread Creation
Evading Process- and Thread-Creation Callbacks
Command Line Tampering
Parent Process ID Spoofing
Process-Image Modification
A Process Injection Case Study: fork&run
Conclusion
4. Object Notifications
How Object Notifications Work
Registering a New Callback
Monitoring New and Duplicate Process-Handle Requests
Detecting Objects an EDR Is Monitoring
Detecting a Driver’s Actions Once Triggered
Evading Object Callbacks During an Authentication Attack
Performing Handle Theft
Racing the Callback Routine
Conclusion
5. Image-Load and Registry Notifications
How Image-Load Notifications Work
Registering a Callback Routine
Viewing the Callback Routines Registered on a System
Collecting Information from Image Loads
Evading Image-Load Notifications with Tunneling Tools
Triggering KAPC Injection with Image-Load Notifications
Understanding KAPC Injection
Getting a Pointer to the DLL-Loading Function
Preparing to Inject
Creating the KAPC Structure
Queueing the APC
Preventing KAPC Injection
How Registry Notifications Work
Registering a Registry Notification
Mitigating Performance Challenges
Evading Registry Callbacks
Evading EDR Drivers with Callback Entry Overwrites
Conclusion
6. Filesystem Minifilter Drivers
Legacy Filters and the Filter Manager
Minifilter Architecture
Writing a Minifilter
Beginning the Registration
Defining Pre-operation Callbacks
Defining Post-operation Callbacks
Defining Optional Callbacks
Activating the Minifilter
Managing a Minifilter
Detecting Adversary Tradecraft with Minifilters
File Detections
Named Pipe Detections
Evading Minifilters
Unloading
Prevention
Interference
Conclusion
7. Network Filter Drivers
Network-Based vs. Endpoint-Based Monitoring
Legacy Network Driver Interface Specification Drivers
The Windows Filtering Platform
The Filter Engine
Filter Arbitration
Callout Drivers
Implementing a WFP Callout Driver
Opening a Filter Engine Session
Registering Callouts
Adding the Callout Function to the Filter Engine
Adding a New Filter Object
Assigning Weights and Sublayers
Adding a Security Descriptor
Detecting Adversary Tradecraft with Network Filters
The Basic Network Data
The Metadata
The Layer Data
Evading Network Filters
Conclusion
8. Event Tracing for Windows
Architecture
Providers
Controllers
Consumers
Creating a Consumer to Identify Malicious .NET Assemblies
Creating a Trace Session
Enabling Providers
Starting the Trace Session
Stopping the Trace Session
Processing Events
Testing the Consumer
Evading ETW-Based Detections
Patching
Configuration Modification
Trace-Session Tampering
Trace-Session Interference
Bypassing a .NET Consumer
Conclusion
9. Scanners
A Brief History of Antivirus Scanning
Scanning Models
On Demand
On Access
Rulesets
Case Study: YARA
Understanding YARA Rules
Reverse Engineering Rules
Evading Scanner Signatures
Conclusion
10. Antimalware Scan Interface
The Challenge of Script-Based Malware
How AMSI Works
Exploring PowerShell’s AMSI Implementation
Understanding AMSI Under the Hood
Implementing a Custom AMSI Provider
Evading AMSI
String Obfuscation
AMSI Patching
A Patchless AMSI Bypass
Conclusion
11. Early Launch Antimalware Drivers
How ELAM Drivers Protect the Boot Process
Developing ELAM Drivers
Registering Callback Routines
Applying Detection Logic
An Example Driver: Preventing Mimidrv from Loading
Loading an ELAM Driver
Signing the Driver
Setting the Load Order
Evading ELAM Drivers
The Unfortunate Reality
Conclusion
12. Microsoft-Windows-Threat-Intelligence
Reverse Engineering the Provider
Checking That the Provider and Event Are Enabled
Determining the Events Emitted
Determining the Source of an Event
Using Neo4j to Discover the Sensor Triggers
Getting a Dataset to Work with Neo4j
Viewing the Call Trees
Consuming EtwTi Events
Understanding Protected Processes
Creating a Protected Process
Processing Events
Evading EtwTi
Coexistence
Trace-Handle Overwriting
Conclusion
13. Case Study: A Detection-Aware Attack
The Rules of Engagement
Initial Access
Writing the Payload
Delivering the Payload
Executing the Payload
Establishing Command and Control
Evading the Memory Scanner
Persistence
Reconnaissance
Privilege Escalation
Getting a List of Frequent Users
Hijacking a File Handler
Lateral Movement
Finding a Target
Enumerating Shares
File Exfiltration
Conclusion
Appendix. Auxiliary Sources
Alternative Hooking Methods
RPC Filters
Hypervisors
How Hypervisors Work
Security Use Cases
Evading the Hypervisor
Index