Initially taken from the Maldev Academy Discord, with more resources added since.
Notion Notes : https://an0nud4y.notion.site/AV-EDR-Lab-Env-Setup-130bc870022d8071935cc682d3eb34b9?pvs=4

Examples of tools that can be used to emulate features that paid EDRs have:
- SACL : Sysmon
- HOOKS
  - Bitdefender Free : https://otterhacker.github.io/Malware/Function hooking.html
  - HookDetector (detects all hooked APIs) : https://github.com/matterpreter/OffensiveCSharp/tree/master/HookDetector
  - TelemetrySourcerer (enumerates and disables common sources of telemetry used by AV/EDR, including ETW, user-mode hooks and kernel callbacks) : https://github.com/jthuraisamy/TelemetrySourcerer
  - Detecting manual syscalls from user mode
    - syscall-detect : https://github.com/jackullrich/syscall-detect
    - Hook the current process to identify manual syscall executions on Windows : https://github.com/paranoidninja/Process-Instrumentation-Syscall-Hook
- PROCESS / PE SCAN
  - YapScan : hoard as many YARA rules as you can
  - Detect It Easy (DIE) : https://github.com/horsicq/Detect-It-Easy
- ETW-TI / ETW Providers / Consumers
  - SilkETW : https://otterhacker.github.io/Malware/ETW.html
  - ETWInspector : https://github.com/jsecurity101/ETWInspector
  - ETWListicle (lists the ETW providers for a process) : https://github.com/whokilleddb/ETWListicle
  - KrabsETW (Microsoft ETW consumer) : https://github.com/microsoft/krabsetw
  - BlueKrabsETW (for blue teams, based on Microsoft's KrabsETW) : https://github.com/threathunters-io/bluekrabsetw
  - SealighterTI (Threat-Intelligence ETW provider) : https://github.com/pathtofile/SealighterTI
  - TiEtwAgent (detects memory injection based on ETW-TI) : https://github.com/xuanxuan0/TiEtwAgent
  - PyWinTrace (ETW Python library) : https://github.com/fireeye/pywintrace
  - EtwExplorer (view ETW provider manifests) : https://github.com/zodiacon/EtwExplorer
  - TelemetrySourcerer (see above) : https://github.com/jthuraisamy/TelemetrySourcerer
  - ETW resources
    - Resources to learn and understand EVTX/ETW (Event Tracing for Windows) : https://github.com/nasbench/EVTX-ETW-Resources
- KERNEL CALLBACKS
  - Elastic
  - Sysmon
  - TelemetrySourcerer (see above) : https://github.com/jthuraisamy/TelemetrySourcerer
- Capa : capability scanning
- Trace API calls : TinyTracer

Collect Windows Telemetry for Maldev
- RedEdr (collects telemetry such as ETW, ETW-TI, kernel callbacks, hooks, call stacks, loaded DLLs and the PEB) : https://github.com/dobin/RedEdr ; RedEdr UI : https://github.com/dobin/RedEdrUi (check the author's other projects as well)

Free Trials of EDR/AV Products
- Microsoft Defender For Endpoint
- Sophos XDR (trial)
- Elastic EDR
- TrendMicro
- McAfee MVISION
- Avast
- openEDR - Comodo Free EDR
- Wazuh : https://github.com/wazuh/wazuh
- Huntress Managed EDR (15-day free trial, no credit card required, 3 high/critical incident reports by real-time SOC analysts) : https://www.huntress.com/edr-free-trial

Open Source EDRs
- RedEDR : https://github.com/dobin/RedEdr
- SimpleEDR (manual DLL hooking to find detection opportunities) : https://github.com/Helixo32/SimpleEDR
- CrimsonEDR : https://github.com/Helixo32/CrimsonEDR
- OpenEDR : https://github.com/ComodoSecurity/openedr/
- InjDrv : https://github.com/wbenny/injdrv
- MyDumbEDR : https://github.com/sensepost/mydumbedr
- BestEDROfTheMarket : https://github.com/Xacone/BestEdrOfTheMarket
- JonMon : https://github.com/jsecurity101/JonMon
- SylantStrike : https://github.com/CCob/SylantStrike
- Write your own EDR

Open Source EDRs Comparison by @dobin

Image Load Event Scanners
- Hunt-Weird-ImageLoads : https://github.com/thefLink/Hunt-Weird-ImageLoads

Process Memory Scanners
- PE-sieve : https://github.com/hasherezade/pe-sieve
- Moneta : https://github.com/forrest-orr/moneta
- YapScan : https://github.com/fkie-cad/yapscan
- MalMemDetect : https://github.com/waldo-irc/MalMemDetect
- Patriot : https://github.com/joe-desimone/patriot
- Hunt-Sleeping-Beacons : https://github.com/thefLink/Hunt-Sleeping-Beacons
- YaraMemoryScanner : https://github.com/BinaryDefense/YaraMemoryScanner
- Cobalt Strike Beacon detection specific scanners
  - BeaconEye : https://github.com/CCob/BeaconEye
  - BeaconHunter : https://github.com/3lp4tr0n/BeaconHunter
- EtwTi-FluctuationMonitor (a VirtualAlloc(RWX) updates the CFG bitmap accordingly, but after a subsequent VirtualAlloc(RW) the CFG bitmap stays the same) : https://github.com/jdu2600/EtwTi-FluctuationMonitor
- TiEtwAgent (detects memory injection based on ETW-TI) : https://github.com/xuanxuan0/TiEtwAgent

Signature Detection Bypass
- ThreatCheck : https://github.com/PACHAKUTlQ/ThreatCheck
- AvRed : https://github.com/dobin/avred
- Avoid using Windows if you are worried about Windows telemetry while writing your malware.
- Tiny11Builder (removes many unnecessary Windows components, including telemetry) (taken from here) : https://github.com/ntdevlabs/tiny11builder

EDR Internals
- Matt Hand : Evading EDR (book)
- How EDR Works (The Anti-EDR Compendium) : https://blog.deeb.ch/posts/how-edr-works/

EDR Internals / Working Talks

EDR Telemetry (telemetry of various EDRs) : https://github.com/tsale/EDR-Telemetry

Defender Harvester : https://github.com/olafhartong/DefenderHarvester

EDR Hooks Lists : https://github.com/Mr-Un1k0d3r/EDRs
- HookDetector (detects all hooked APIs) : https://github.com/matterpreter/OffensiveCSharp/tree/master/HookDetector

Polonium : a tool from the Modern Initial Access and Evasion Tactics course by Binary-Offensive (@mariuszbit) : https://github.com/sponsors/mgeeky

EDR Hooks Telemetry

Gartner's Magic Quadrant for EDR Platforms
- Thanks to the MaldevAcademy Discord members for the initial list.
- Thanks to @dobin for providing a list of additional resources and the open source EDR comparison table.
- Thanks to @fin3ss3g0d for sharing the Huntress Managed EDR trial offer.