book

Evading EDR

Name: Evading EDR
Author: Matt Hand
ISBN: 9781718503342

by Matt Hand

October 2023

Intermediate to advanced

312 pages

8h 26m

English

No Starch Press

Read now

Unlock full access

Praise for Evading EDR
Title Page
Copyright
Dedication
About the Author and Technical Reviewer
Acknowledgments
Introduction
Who This Book Is ForWhat Is in This BookPrerequisite KnowledgeSetting Up
1. EDR-chitecture
The Components of an EDRThe AgentTelemetrySensorsDetectionsThe Challenges of EDR EvasionIdentifying Malicious ActivityConsidering ContextApplying Brittle vs. Robust DetectionsExploring Elastic Detection RulesAgent DesignBasicIntermediateAdvancedTypes of BypassesLinking Evasion Techniques: An Example AttackConclusion
2. Function-Hooking DLLs
How Function Hooking WorksImplementing the Hooks with Microsoft DetoursInjecting the DLLDetecting Function HooksEvading Function HooksMaking Direct SyscallsDynamically Resolving Syscall NumbersRemapping ntdll.dllConclusion
3. Process- and Thread-Creation Notifications
How Notification Callback Routines WorkProcess NotificationsRegistering a Process Callback RoutineViewing the Callback Routines Registered on a SystemCollecting Information from Process CreationThread NotificationsRegistering a Thread Callback RoutineDetecting Remote Thread CreationEvading Process- and Thread-Creation CallbacksCommand Line TamperingParent Process ID SpoofingProcess-Image ModificationA Process Injection Case Study: fork&runConclusion

4. Object Notifications
How Object Notifications WorkRegistering a New CallbackMonitoring New and Duplicate Process-Handle RequestsDetecting Objects an EDR Is MonitoringDetecting a Driver’s Actions Once TriggeredEvading Object Callbacks During an Authentication AttackPerforming Handle TheftRacing the Callback RoutineConclusion
5. Image-Load and Registry Notifications
How Image-Load Notifications WorkRegistering a Callback RoutineViewing the Callback Routines Registered on a SystemCollecting Information from Image LoadsEvading Image-Load Notifications with Tunneling ToolsTriggering KAPC Injection with Image-Load NotificationsUnderstanding KAPC InjectionGetting a Pointer to the DLL-Loading FunctionPreparing to InjectCreating the KAPC StructureQueueing the APCPreventing KAPC InjectionHow Registry Notifications WorkRegistering a Registry NotificationMitigating Performance ChallengesEvading Registry CallbacksEvading EDR Drivers with Callback Entry OverwritesConclusion
6. Filesystem Minifilter Drivers
Legacy Filters and the Filter ManagerMinifilter ArchitectureWriting a MinifilterBeginning the RegistrationDefining Pre-operation CallbacksDefining Post-operation CallbacksDefining Optional CallbacksActivating the MinifilterManaging a MinifilterDetecting Adversary Tradecraft with MinifiltersFile DetectionsNamed Pipe DetectionsEvading MinifiltersUnloadingPreventionInterferenceConclusion
7. Network Filter Drivers
Network-Based vs. Endpoint-Based MonitoringLegacy Network Driver Interface Specification DriversThe Windows Filtering PlatformThe Filter EngineFilter ArbitrationCallout DriversImplementing a WFP Callout DriverOpening a Filter Engine SessionRegistering CalloutsAdding the Callout Function to the Filter EngineAdding a New Filter ObjectAssigning Weights and SublayersAdding a Security DescriptorDetecting Adversary Tradecraft with Network FiltersThe Basic Network DataThe MetadataThe Layer DataEvading Network FiltersConclusion
8. Event Tracing for Windows
ArchitectureProvidersControllersConsumersCreating a Consumer to Identify Malicious .NET AssembliesCreating a Trace SessionEnabling ProvidersStarting the Trace SessionStopping the Trace SessionProcessing EventsTesting the ConsumerEvading ETW-Based DetectionsPatchingConfiguration ModificationTrace-Session TamperingTrace-Session InterferenceBypassing a .NET ConsumerConclusion
9. Scanners
A Brief History of Antivirus ScanningScanning ModelsOn DemandOn AccessRulesetsCase Study: YARAUnderstanding YARA RulesReverse Engineering RulesEvading Scanner SignaturesConclusion
10. Antimalware Scan Interface
The Challenge of Script-Based MalwareHow AMSI WorksExploring PowerShell’s AMSI ImplementationUnderstanding AMSI Under the HoodImplementing a Custom AMSI ProviderEvading AMSIString ObfuscationAMSI PatchingA Patchless AMSI BypassConclusion
11. Early Launch Antimalware Drivers
How ELAM Drivers Protect the Boot ProcessDeveloping ELAM DriversRegistering Callback RoutinesApplying Detection LogicAn Example Driver: Preventing Mimidrv from LoadingLoading an ELAM DriverSigning the DriverSetting the Load OrderEvading ELAM DriversThe Unfortunate RealityConclusion
12. Microsoft-Windows-Threat-Intelligence
Reverse Engineering the ProviderChecking That the Provider and Event Are EnabledDetermining the Events EmittedDetermining the Source of an EventUsing Neo4j to Discover the Sensor TriggersGetting a Dataset to Work with Neo4jViewing the Call TreesConsuming EtwTi EventsUnderstanding Protected ProcessesCreating a Protected ProcessProcessing EventsEvading EtwTiCoexistenceTrace-Handle OverwritingConclusion
13. Case Study: A Detection-Aware Attack
The Rules of EngagementInitial AccessWriting the PayloadDelivering the PayloadExecuting the PayloadEstablishing Command and ControlEvading the Memory ScannerPersistenceReconnaissancePrivilege EscalationGetting a List of Frequent UsersHijacking a File HandlerLateral MovementFinding a TargetEnumerating SharesFile ExfiltrationConclusion
Appendix. Auxiliary Sources
Alternative Hooking MethodsRPC FiltersHypervisorsHow Hypervisors WorkSecurity Use CasesEvading the Hypervisor
Index

Content preview from Evading EDR

`5` `IMAGE-LOAD AND REGISTRY NOTIFICATIONS`

The last two kinds of notification callback routines we’ll cover in this book are image-load notifications and registry notifications. An image-load notification occurs whenever an executable, DLL, or driver is loaded into memory on the system. A registry notification is triggered when specific operations in the registry occur, such as key creation or deletion.

In addition to these notification types, in this chapter we’ll also cover how EDRs commonly rely on image-load notifications for a technique called KAPC injection, which is used to inject their function-hooking DLLs. Lastly, we’ll discuss an ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098168742Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Evading EDR

by Matt Hand

`5` `IMAGE-LOAD AND REGISTRY NOTIFICATIONS`

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.