Evading EDR

Informationen zum Autor Matt Hand Klappentext "Introduces readers to the most common components of EDR systems, including function hooking, callback notifications, Event Tracing for Windows, and filesystem minifilters, by explaining how they are implemented and how they collect various data points. Covers documented evasion strategies for bypassing detections and describes how defenders might protect themselves"-- Zusammenfassung EDR, demystified! Stay a step ahead of attackers with this comprehensive guide to understanding the attack-detection software running on Microsoft systemsand how to evade it. Nearly every enterprise uses an Endpoint Detection and Response (EDR) agent to monitor the devices on their network for signs of an attack. But that doesn't mean security defenders grasp how these systems actually work. This book demystifies EDR, taking you on a deep dive into how EDRs detect adversary activity. Chapter by chapter, you'll learn that EDR is not a magical black boxit's just a complex software application built around a few easy-to-understand components. The author uses his years of experience as a red team operator to investigate each of the most common sensor components, discussing their purpose, explaining their implementation, and showing the ways they collect various data points from the Microsoft operating system. In addition to covering the theory behind designing an effective EDR, each chapter also reveals documented evasion strategies for bypassing EDRs that red teamers can use in their engagements. Inhaltsverzeichnis Introduction Chapter 1: EDR-chitecture Chapter 2: Function-Hooking DLLs Chapter 3: Thread and Process Notifications Chapter 4: Object Notifications Chapter 5: Image-Load and Registry Notifications Chapter 6: Minifilters Chapter 7: Network Filter Drivers Chapter 8: Event Tracing for Windows Chapter 9: Scanners Chapter 10: Anti-Malware Scan Interface Chapter 11: Early Launch Anti-Malware Drivers Chapter 12: Microsoft-Windows-Threat-Intelligence Chapter 13: A Detection-Aware Attack Appendix...

Auteur

Matt Hand

Texte du rabat

"Introduces readers to the most common components of EDR systems, including function hooking, callback notifications, Event Tracing for Windows, and filesystem minifilters, by explaining how they are implemented and how they collect various data points. Covers documented evasion strategies for bypassing detections and describes how defenders might protect themselves"--

Résumé
EDR, demystified! Stay a step ahead of attackers with this comprehensive guide to understanding the attack-detection software running on Microsoft systems—and how to evade it.

Nearly every enterprise uses an Endpoint Detection and Response (EDR) agent to monitor the devices on their network for signs of an attack. But that doesn't mean security defenders grasp how these systems actually work. This book demystifies EDR, taking you on a deep dive into how EDRs detect adversary activity. Chapter by chapter, you’ll learn that EDR is not a magical black box—it’s just a complex software application built around a few easy-to-understand components.

The author uses his years of experience as a red team operator to investigate each of the most common sensor components, discussing their purpose, explaining their implementation, and showing the ways they collect various data points from the Microsoft operating system. In addition to covering the theory behind designing an effective EDR, each chapter also reveals documented evasion strategies for bypassing EDRs that red teamers can use in their engagements.

Contenu
Introduction
Chapter 1: EDR-chitecture
Chapter 2: Function-Hooking DLLs
Chapter 3: Thread and Process Notifications
Chapter 4: Object Notifications
Chapter 5: Image-Load and Registry Notifications
Chapter 6: Minifilters
Chapter 7: Network Filter Drivers
Chapter 8: Event Tracing for Windows
Chapter 9: Scanners
Chapter 10: Anti-Malware Scan Interface
Chapter 11: Early Launch Anti-Malware Drivers
Chapter 12: Microsoft-Windows-Threat-Intelligence
Chapter 13: A Detection-Aware Attack
Appendix