# EDR-Assessment

Repository: https://github.com/CyberSecurityUP/EDR-Assessment (owner: CyberSecurityUP; repository description: "This repository contains a comprehensive testing designed for evaluating the performance and resilience of Endpoint Detection and Response (EDR) systems"; default branch `main`; created 2024-10-16)

This notebook outlines the various test cases for evaluating an Endpoint Detection and Response (EDR) system. The following categories cover anti-malware, exploit protection, fileless attack prevention, behavioral protection, ransomware detection, forensic investigation, and endpoint controls.

## Anti-Malware

| Feature | Description | Test |
| ------- | ----------- | ---- |
| Signatures mode | Detects known malware using signature-based detection | Test known malware samples to evaluate signature detection |
| Behavioral document protection | Detect, prevent, and/or quarantine documents with malicious code | Test known malicious documents to assess signature detection |
| Behavioral document protection AI | Detect, prevent, and/or quarantine documents with malicious code using AI | Open malicious documents and save them under a different name |
| Artificial intelligence | AI discovers malware by analyzing files for malicious indicators | Execute malicious files from private malware sources like 0day.today and CTI feeds. Test benign files with strange signatures or behavior |
| Scheduled scans | Schedule anti-malware scans on connected machines | Place malware on the machine and schedule a scan |
| Heuristic analysis | Detects unknown malware through heuristic behavior analysis | Create a custom obfuscated malware and test the heuristic detection capabilities of the EDR |
| Memory scanning | Scans system memory for malicious activity | Load malicious code into memory without writing to disk and evaluate detection |

## Exploit Protection

| Feature | Description | Test |
| ------- | ----------- | ---- |
| Exploit protection mode | Block attempts to exploit vulnerabilities on endpoints | Set up a vulnerable machine (Windows/Linux) and exploit with both simple and advanced techniques |
| Process exclusions | Prevent process injections like Ghosting, Hollow, Classic, and APC | Test process injection techniques and observe detection |
| Stack-based buffer overflow detection | Detects and prevents stack-based buffer overflow attacks | Simulate a stack-based buffer overflow exploit and evaluate EDR's detection |
| Heap-based buffer overflow detection | Detects and prevents heap-based buffer overflow attacks | Simulate a heap-based buffer overflow exploit and evaluate EDR's detection |
| Shellcode execution prevention | Blocks shellcode execution from malicious processes | Inject shellcode into a process and test if EDR can detect and block it |

## Fileless Protection

| Feature | Description | Test |
| ------- | ----------- | ---- |
| Fileless protection mode | Detect and prevent fileless malware attacks | Execute fileless techniques, such as PowerShell and unmanaged execution |
| Download payload | Prevent the execution of downloaded payloads | Download and execute payloads locally |
| Download payload with reputation | Block download commands from domains/IPs with bad reputation | Download payloads from known bad and good reputation websites |
| Script analysis | Prevent the execution of malicious commands and scripts | Execute malicious scripts in PowerShell, Bash, etc. Try bypassing AMSI and other script execution controls |
| .NET floating modules | Prevent the loading of malicious .NET modules | Simulate malicious .NET behavior using IAT and pseudo-ransomware |
| .NET behavioral detection | Detect memory attacks such as DotNetToJScript | Simulate malicious .NET processes and evaluate IAT detection by creating pseudo-ransomware |
| Reflective DLL injection prevention | Blocks reflective DLL injections | Test reflective DLL injection and assess detection |
| WMI abuse detection | Detects the misuse of Windows Management Instrumentation (WMI) | Simulate WMI persistence techniques and evaluate detection |

## Behavioral Execution Protection

| Feature | Description | Test |
| ------- | ----------- | ---- |
| Behavioral execution prevention | Detects and prevents malicious execution based on process behavior | Simulate malicious process behavior using pseudo-ransomware in C# |
| Variant payload prevention | Detects and prevents execution of variant payloads | Create obfuscated/encrypted payloads using simple and advanced techniques |
| Process hollowing detection | Detects and prevents process hollowing attacks | Execute a process hollowing technique and assess EDR's ability to detect it |
| Parent process spoofing detection | Detects suspicious parent-child process relationships | Create a scenario with parent process spoofing and check if the EDR raises an alert |

## Predictive Ransomware Protection

| Feature | Description | Test |
| ------- | ----------- | ---- |
| Predictive ransomware protection | Detect, prevent, and quarantine ransomware | Simulate ransomware attacks using known and custom samples |
| Shadow copy protection | Prevent ransomware from deleting shadow copies | Simulate behavior to delete or disable shadow copies |
| MBR protection | Prevent ransomware from modifying the MBR | Attempt to modify the MBR and evaluate EDR's detection and prevention |
| Rapid recovery | Restore files with a ".restored" suffix | Encrypt system files and check recovery mechanisms |

## Anti-Ransomware

| Feature | Description | Test |
| ------- | ----------- | ---- |
| Anti-Ransomware Mode | Detect, suspend, and prevent ransomware | Execute a known ransomware sample to check if EDR detects and suspends it |
| Canary files | Use canary files to detect ransomware activity | Attempt to encrypt system files and evaluate EDR's response |
| Shadow copy protection | Disable ransomware's ability to delete shadow copies | Simulate behavior to delete or disable shadow copies |
| MBR protection | Prevent ransomware from modifying the MBR | Use known ransomware samples to attempt MBR modification and evaluate detection |
| Behavioral ransomware detection | Detect ransomware based on abnormal encryption behavior | Test various ransomware samples and observe behavioral detection |

## Endpoint Controls

| Feature | Description | Test |
| ------- | ----------- | ---- |
| Device control | Manage removable device controls | Test external USB devices and simulate HID attacks |
| Personal firewall control | Configure personal firewall rules to protect endpoints | Evaluate firewall rules by blocking specific inbound/outbound ports |
| USB blocking | Block unauthorized USB devices | Connect unauthorized USB devices and evaluate response |

## Forensic Investigation

| Feature | Description | Test |
| ------- | ----------- | ---- |
| Non-executable file data collection | Collect metadata from non-executable files involved in attacks | Test collection of metadata from malicious files like PDFs, images, and Word documents |
| File collection | Configure file event collection | Monitor file executions and evaluate the logs and metadata collected |
| Registry collection | Collect data from registry keys modified by malicious processes | Use persistence techniques and evaluate the collection of modified registry keys |
| File transmission | Test sending files to endpoints | Send a file to an endpoint and ensure it arrives correctly |
| Memory forensics | Collect memory dumps for forensic analysis | Trigger memory dump collection and analyze for malicious artifacts |

## Collection Features

| Feature | Description | Test |
| ------- | ----------- | ---- |
| Non-executable file data collection | Collect metadata from non-executable files involved in attacks | Collect metadata from files like PDFs, images, and Word documents |
| File collection | Monitor file events and metadata | Evaluate logs for file executions and monitor behavior |
| Registry collection | Monitor and collect registry changes from malicious processes | Use persistence techniques and collect modified registry keys |
| Network activity collection | Collect network traffic and correlate with attack data | Simulate malicious network traffic and evaluate visibility in EDR |

## Endpoint UI Settings

| Feature | Description | Test |
| ------- | ----------- | ---- |
| System tray icon | Show/hide the EDR icon on the system tray | Check if EDR remains hidden or visible in the operating system |

## Advanced Sensor Options

| Feature | Description | Test |
| ------- | ----------- | ---- |
| Advanced sensor options | Customize sensor settings and enable preview features | Test advanced sensor options and special cases |

## Response Settings

| Feature | Description | Test |
| ------- | ----------- | ---- |
| Incident response tools | Deploy and run incident response tools | Test deployment and data upload to GCP bucket |

## Infrastructure Settings

| Feature | Description | Test |
| ------- | ----------- | ---- |
| Sensor tampering protection | Protect sensors from unauthorized modification | Test tampering attempts |
| EDR process security | Prevent EDR process termination | Test killing the EDR process using BYOVD techniques or known methods (Killer, etc.) |
| Process injection protection | Prevent attempts to inject malicious code into legitimate processes | Test various process injection techniques such as APC injection |