The Red Team Vade Mecum
High Level Overview of EDR technologies

Last updated 2 years ago

Process Creation

  • EDRs look at parent/child relationships to spot suspicious activity: should Word be spawning PowerShell? They find malicious behaviour from these relationships, and they also inspect the command line arguments, environment variables and similar details of the new process.

  • The kernel exposes this through notification callbacks: a driver registers a routine and the kernel calls it on every process creation, thread creation and image load (DLL or driver).

  • EDR drivers register for these callbacks to get insight into process activity without having to hook anything in user mode.

  • The registration routines are:

PsSetCreateProcessNotifyRoutine() / PsSetCreateProcessNotifyRoutineEx()
PsSetCreateThreadNotifyRoutine()
PsSetLoadImageNotifyRoutine()

  • The Ex variant is the one that matters for the parent/child check: the PS_CREATE_NOTIFY_INFO it passes carries the parent process ID, the image file name and the command line, and the callback can refuse the creation by setting CreationStatus to an error.
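The following is an added example, not code from the page or from any EDR: a user-mode model of the kernel's process-creation callback list and two parent/child rules an EDR might run from it. The ProcEvent struct mirrors the fields PsSetCreateProcessNotifyRoutineEx hands a driver; the rule table, the helper names (register_process_callback, on_process_create, install_default_rules) and the sample events are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Shape of what PsSetCreateProcessNotifyRoutineEx hands a driver: PID, parent
 * PID, image name and command line. The parent's image name is something the
 * EDR resolves from its own process table; here it is supplied directly. */
typedef struct {
    unsigned long pid;
    unsigned long parent_pid;
    const char *image;
    const char *parent_image;
    const char *cmdline;
} ProcEvent;

/* A registered callback returns true (and fills in a reason) if it objects. */
typedef bool (*ProcNotify)(const ProcEvent *ev, char *reason, size_t len);

#define MAX_CALLBACKS 8
static ProcNotify g_callbacks[MAX_CALLBACKS];
static int g_ncallbacks;

static int lower(int c) { return (c >= 'A' && c <= 'Z') ? c + 32 : c; }

/* Case-insensitive compare and substring search, so "PowerShell.EXE" matches. */
static bool eq_ci(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (lower((unsigned char)*a) != lower((unsigned char)*b)) return false;
    return *a == *b;
}
static bool contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] && lower((unsigned char)hay[i]) == lower((unsigned char)needle[i])) i++;
        if (i == n) return true;
    }
    return false;
}

/* Like PsSetCreateProcessNotifyRoutineEx(cb, FALSE): append to the callback list. */
bool register_process_callback(ProcNotify cb) {
    if (g_ncallbacks >= MAX_CALLBACKS) return false;
    g_callbacks[g_ncallbacks++] = cb;
    return true;
}

/* Rule 1: an Office application spawning a script host or other LOLBin. */
static bool rule_office_spawns_script_host(const ProcEvent *ev, char *reason, size_t len) {
    static const char *office[] = { "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe" };
    static const char *hosts[] = { "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                                   "mshta.exe", "rundll32.exe" };
    bool parent_is_office = false, child_is_host = false;
    for (size_t i = 0; i < sizeof office / sizeof *office; i++)
        if (eq_ci(ev->parent_image, office[i])) parent_is_office = true;
    for (size_t i = 0; i < sizeof hosts / sizeof *hosts; i++)
        if (eq_ci(ev->image, hosts[i])) child_is_host = true;
    if (parent_is_office && child_is_host) {
        snprintf(reason, len, "%s spawned %s", ev->parent_image, ev->image);
        return true;
    }
    return false;
}

/* Rule 2: PowerShell started with an encoded command (the common spellings). */
static bool rule_encoded_powershell(const ProcEvent *ev, char *reason, size_t len) {
    if (!eq_ci(ev->image, "powershell.exe")) return false;
    if (contains_ci(ev->cmdline, "-encodedcommand") || contains_ci(ev->cmdline, " -enc ") ||
        contains_ci(ev->cmdline, " -e ")) {
        snprintf(reason, len, "encoded PowerShell command line");
        return true;
    }
    return false;
}

/* What the kernel does on every process start: walk the callback list. The
 * first callback that objects wins here; a real EDR would score all of them. */
bool on_process_create(const ProcEvent *ev, char *reason, size_t len) {
    for (int i = 0; i < g_ncallbacks; i++)
        if (g_callbacks[i](ev, reason, len)) return true;
    reason[0] = '\0';
    return false;
}

void install_default_rules(void) {
    static bool done;
    if (done) return;
    done = true;
    register_process_callback(rule_office_spawns_script_host);
    register_process_callback(rule_encoded_powershell);
}

int main(void) {
    /* Constructed sample events, not captured telemetry. */
    const ProcEvent events[] = {
        { 4321, 1234, "powershell.exe", "WINWORD.EXE", "powershell.exe -nop -w hidden -c Get-Process" },
        { 5555, 1000, "powershell.exe", "explorer.exe", "powershell.exe" },
        { 5556, 1000, "powershell.exe", "explorer.exe", "powershell.exe -enc SQBFAFgA" },
        { 6000, 4321, "notepad.exe", "powershell.exe", "notepad.exe" },
    };
    install_default_rules();
    for (size_t i = 0; i < sizeof events / sizeof *events; i++) {
        char why[128];
        bool hit = on_process_create(&events[i], why, sizeof why);
        printf("pid %lu %s <- %s: %s %s\n", events[i].pid, events[i].image,
               events[i].parent_image, hit ? "ALERT" : "ok", why);
    }
    return 0;
}
```

The point of the model is that the driver never has to hook anything: the kernel calls it with the parent PID and command line already in hand, which is why spoofing the parent (PPID spoofing) and the command line are the evasions that matter against this layer.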

AMSI

  • AMSI (the Antimalware Scan Interface) is how script hosts hand their content to the antimalware product before running it. It covers PowerShell, Windows Script Host (VBScript and JScript), VBA macros in Office and, since .NET 4.8, the CLR for assemblies loaded from memory via Assembly.Load.

  • In each of these processes a script engine (System.Management.Automation.dll for PowerShell, vbscript.dll or jscript.dll for WSH) parses and executes the script, so it is the one place where the de-obfuscated source is visible in plain text.

  • The host calls AmsiScanBuffer()/AmsiScanString() on that content. amsi.dll, loaded in the host process, forwards the buffer to every registered AMSI provider (in-process COM servers listed under HKLM\SOFTWARE\Microsoft\AMSI\Providers), and each provider returns an AMSI_RESULT saying whether the content is malicious.

  • The default provider is Windows Defender's MpOav.dll, which passes the buffer to the MsMpEng.exe service over RPC; third-party EDRs register their own provider DLLs alongside it.

Event Logging

  • Events end up at the Event Log service (wevtsvc.dll, hosted in a svchost.exe), which consumes them from ETW and writes them into the .evtx logs.

  • Let's take powershell.exe as an example.

  • powershell.exe hosts System.Management.Automation.dll, the .NET implementation of the PowerShell engine.

  • When a loggable event happens inside System.Management.Automation.dll (for example script block logging, event ID 4104), it is reported through EventWriteTransfer(), which goes to EtwEventWrite() in ntdll and then into the NtTraceEvent() system call.

  • The kernel's ETW core delivers the event to every trace session subscribed to the provider (Microsoft-Windows-PowerShell). The Event Log service's session writes it to the PowerShell Operational log, and an EDR can subscribe its own session to see the same events in real time without reading the log at all.

Userland Hooking

  • The EDR injects a DLL into each new process (typically from the process-creation callback above) which hooks "potentially malicious" functions, usually the Nt* exports of ntdll.dll, to see their arguments at call time and decide whether the call is malicious.

  • For example, hooking NtWriteVirtualMemory lets the EDR scan the buffer being written into another process before the write happens; hooks on NtAllocateVirtualMemory and NtProtectVirtualMemory reveal RWX allocations the same way.

Process Memory Scanning

  • Scanning process memory for malicious signatures.

  • The scans can be triggered by specific events, for example:

    • A region being allocated or changed to RWX

    • A timer firing after a certain period

    • A process or thread being created

    • etc.

  • Note that this is resource intensive: reading every process's memory takes long enough that periodic scanners cannot repeat a full scan at short intervals, so most scanning is either event-triggered or limited to regions that look suspicious.
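An added example, not code from the page or from any EDR: a region-walking scanner run over a constructed address space, comparing a triggered scan (RWX and executable private memory only) against a full scan. The region and result structs, the trigger policy, the sample signature bytes and the names scan_process and build_sample_regions are assumptions for the example; the PAGE_* and MEM_* constants are the real winnt.h values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PAGE_* and MEM_* values from winnt.h that the scanner filters on, and the
 * subset of MEMORY_BASIC_INFORMATION that VirtualQueryEx returns. */
#define PAGE_READWRITE         0x04
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define MEM_PRIVATE 0x20000
#define MEM_MAPPED  0x40000
#define MEM_IMAGE   0x1000000

typedef struct {
    uint64_t base;
    size_t size;
    uint32_t protect;
    uint32_t type;
    const uint8_t *data;   /* a real scanner fetches this with ReadProcessMemory */
} Region;

typedef struct {
    size_t regions_scanned;
    size_t bytes_scanned;
    size_t hits;
    uint64_t first_hit;    /* address of the first signature match */
} ScanStats;

/* Trigger policy for the cheap scan: anything RWX, plus executable private
 * memory (where injected code lands). Image-backed code is left to the on-disk scanner. */
static bool region_is_suspicious(const Region *r) {
    if (r->protect == PAGE_EXECUTE_READWRITE) return true;
    return r->protect == PAGE_EXECUTE_READ && r->type == MEM_PRIVATE;
}

static const uint8_t *find_bytes(const uint8_t *hay, size_t hlen, const uint8_t *needle, size_t nlen) {
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return hay + i;
    return NULL;
}

/* Walk the region list (the VirtualQueryEx loop of a real scanner). full_scan=false
 * applies the trigger policy; full_scan=true reads everything. */
ScanStats scan_process(const Region *regions, size_t n, const uint8_t *sig, size_t siglen, bool full_scan) {
    ScanStats s = { 0, 0, 0, 0 };
    for (size_t i = 0; i < n; i++) {
        const Region *r = &regions[i];
        if (!full_scan && !region_is_suspicious(r)) continue;
        s.regions_scanned++;
        s.bytes_scanned += r->size;
        const uint8_t *hit = find_bytes(r->data, r->size, sig, siglen);
        if (hit) {
            if (s.hits == 0) s.first_hit = r->base + (uint64_t)(hit - r->data);
            s.hits++;
        }
    }
    return s;
}

/* Constructed signature: a short byte pattern standing in for a real one. */
const uint8_t SAMPLE_SIG[] = { 0xFC, 0x48, 0x83, 0xE4, 0xF0, 0xE8 };

/* Constructed address space: image code, a heap holding a staged (not yet
 * executable) copy of the payload, and an RWX allocation holding the running copy. */
size_t build_sample_regions(Region out[3]) {
    static uint8_t image_text[4096], heap[2048], rwx[1024];
    memset(image_text, 0xCC, sizeof image_text);
    memset(heap, 0x00, sizeof heap);
    memset(rwx, 0x00, sizeof rwx);
    memcpy(heap + 512, SAMPLE_SIG, sizeof SAMPLE_SIG);
    memcpy(rwx + 16, SAMPLE_SIG, sizeof SAMPLE_SIG);
    out[0] = (Region){ 0x7FF800001000ull, sizeof image_text, PAGE_EXECUTE_READ, MEM_IMAGE, image_text };
    out[1] = (Region){ 0x000001A0000000ull, sizeof heap, PAGE_READWRITE, MEM_PRIVATE, heap };
    out[2] = (Region){ 0x000001B0000000ull, sizeof rwx, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, rwx };
    return 3;
}

int main(void) {
    Region regs[3];
    size_t n = build_sample_regions(regs);
    ScanStats quick = scan_process(regs, n, SAMPLE_SIG, sizeof SAMPLE_SIG, false);
    ScanStats full  = scan_process(regs, n, SAMPLE_SIG, sizeof SAMPLE_SIG, true);
    printf("triggered scan: %zu regions, %zu bytes, %zu hits (first at 0x%llx)\n",
           quick.regions_scanned, quick.bytes_scanned, quick.hits, (unsigned long long)quick.first_hit);
    printf("full scan:      %zu regions, %zu bytes, %zu hits (first at 0x%llx)\n",
           full.regions_scanned, full.bytes_scanned, full.hits, (unsigned long long)full.first_hit);
    return 0;
}
```

The triggered scan reads a fraction of the bytes and still catches the running copy in the RWX region, but it never looks at the staged copy sitting in plain read/write heap; the full scan finds both at several times the cost. That trade-off is why payloads that are encrypted at rest in memory and only decrypted while executing are aimed at this layer.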

EtwTi

  • A way to get kernel-level telemetry on the APIs commonly used for process injection, without relying on user-mode hooks that the target process can remove.

  • EtwTi is kernel instrumentation built into ntoskrnl for exactly this purpose.

  • The APIs trace down to the kernel, where functions such as EtwTiLogReadWriteVm, EtwTiLogAllocExecVm, EtwTiLogProtectExecVm, EtwTiLogSetContextThread and EtwTiLogQueueUserApc emit events to the ETW provider Microsoft-Windows-Threat-Intelligence. The provider only reports what happened; deciding whether it is malicious is up to the EDR consuming it.

  • Only processes running as PPL with the antimalware signer level (PS_PROTECTED_ANTIMALWARE_LIGHT, which requires an ELAM-signed driver to launch) can consume this provider.

Misc

  • EDRs can dump process memory, grab files, and in the worst case, isolate a host from a network for detection and forensics.

  • Least-frequency analysis: EDRs find the odd one out and investigate whether it is malware. For example, if every user runs Edge but one host runs Chrome, and that Chrome instance spawns an unknown binary from %TEMP%, chances are it is malware.

  • EDRs can integrate with VirusTotal, and have some detection logic from there

for more info:

https://www.ired.team/offensive-security/defense-evasion/bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis
https://blog.redbluepurple.io/windows-security-research/kernel-tracing-injection-detection