Open-source AV/EDR bypassing lab for training and learning
Best EDR Of The Market is a user-mode endpoint detection and response (EDR) project designed to serve as a testing ground for understanding and bypassing an EDR's user-mode detection methods. These methods are mainly based on dynamic analysis of the target process's state (memory contents, API calls, call stacks, etc.).
Defensive techniques:
- Multi-Level API Hooking
- SSN Hooking/Crushing
- IAT Hooking
- Shellcode Injection Detection
- Reflective Module Loading Detection
- Call Stack Monitoring
“I’ve always been interested in the defensive methods EDRs use to analyze and intercept function calls to detect threats and how these methods are bypassed. I’ve researched and tried (with my modest background in low-level programming) to implement a few of them. Then, I thought that it would be fun and instructive to build an EDR whose purpose would be to be bypassed,” Yazid Benjamaa, creator of the tool, told Help Net Security.
When discussing the future, Yazid Benjamaa told us: “For now, I aim to receive constructive feedback and see how people interact with it. I’ve seen that the project is already receiving attention, so I’ll create documentation to clarify the source code and the implemented concepts. And then, I plan to continue implementing other defensive techniques as they are in real EDRs and keep learning from them.”
Best EDR Of The Market is available for free on GitHub. For more technical details, read Benjamaa’s blog.