{"id":20162987,"url":"https://github.com/xacone/bestedrofthemarket","last_synced_at":"2025-04-12T17:40:32.756Z","repository":{"id":206803016,"uuid":"717730995","full_name":"Xacone/BestEdrOfTheMarket","owner":"Xacone","description":"Little AV/EDR evasion lab for training \u0026 learning purposes","archived":false,"fork":false,"pushed_at":"2024-04-13T17:31:02.000Z","size":48574,"stargazers_count":877,"open_issues_count":5,"forks_count":96,"subscribers_count":14,"default_branch":"main","last_synced_at":"2024-04-14T08:02:12.700Z","etag":null,"topics":["defense-evasion","edr","edr-evasion","edr-testing"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Xacone.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-11-12T12:12:56.000Z","updated_at":"2024-04-15T14:54:12.122Z","dependencies_parsed_at":"2023-12-04T10:30:52.002Z","dependency_job_id":"4f214eeb-c47a-4603-ad4d-a8e35e2b7fe6","html_url":"https://github.com/Xacone/BestEdrOfTheMarket","commit_stats":null,"previous_names":["xacone/bestedrofthemarket"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Xacone%2FBestEdrOfTheMarket","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Xacone%2FBestEdrOfTheMarket/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Xacone%2FBestEdrOfTheMarket/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Xacone%2FBestEdrOfTheMarket/manifests","owner_url":"https://repos.ecosy
ste.ms/api/v1/hosts/GitHub/owners/Xacone","download_url":"https://codeload.github.com/Xacone/BestEdrOfTheMarket/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248607409,"owners_count":21132522,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["defense-evasion","edr","edr-evasion","edr-testing"],"created_at":"2024-11-14T00:27:43.020Z","updated_at":"2025-04-12T17:40:32.735Z","avatar_url":"https://github.com/Xacone.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"\r\n# \u003ca href=\"https://xacone.github.io/BestEdrOfTheMarketV3.html\"\u003e Best EDR Of The Market (BEOTM) V3 🐲🏴‍☠️ \u003c/a\u003e\r\n\r\n\u003cimg src=\"Assets/beotm_banner.png\"\u003e\r\n\r\nBest Edr Of The Market is an open-source lab designed to implement and understand, from a low-level perspective, the detection methods used by Endpoint Detection \u0026 Response security products and their workarounds. These techniques are mainly based on the exploitation of Windows NT's telemetry capabilities to dynamically analyze process behavior.\r\n\r\n\u003cdiv align=\"center\"\u003e\r\n\u003cu\u003e\u003cb\u003e\u003ca href=\"https://xacone.github.io/BestEdrOfTheMarketV3.html\"\u003e➡️​ What's New in the Kernel Version of BestEdrOfTheMarket? \u003c/a\u003e\u003c/b\u003e\u003c/u\u003e\r\n\u003c/div\u003e\r\n\r\n\u003ch2\u003eDefensive Capabilities\u003c/h2\u003e\r\nThis current version (v3) focuses on some of the interception capabilities offered by the Windows kernel. 
These include:\r\n\u003cbr\u003e\u003cbr\u003e\r\n\r\n- [x] \u003ca href=\"https://xacone.github.io/BestEdrOfTheMarketV3.html#4\"\u003e System Calls Interception via Alternative System Call Handlers  \u003c/a\u003e\u003cbr\u003e\r\n- [x] \u003ca href=\"https://xacone.github.io/BestEdrOfTheMarketV3.html#3\"\u003e \r\nExploitation of the Virtual Address Descriptor (VAD) Tree for Image Integrity Checking  \u003c/a\u003e\u003cbr\u003e\r\n- [x] \u003ca href=\"https://xacone.github.io/BestEdrOfTheMarketV3.html#2\"\u003e Using kernel callbacks to capture events related to thread creation, process creation, image loading into memory, registry operations, and object-related operations. \u003c/a\u003e\u003cbr\u003e\r\n- [x] \u003ca href=\"https://xacone.github.io/BestEdrOfTheMarketV3.html#5\"\u003e Code injection detection by validating the integrity of thread call stacks. \u003c/a\u003e\u003cbr\u003e\r\n- [x] \u003ca href=\"https://xacone.github.io/BestEdrOfTheMarketV3.html#4\"\u003e Integration of Yara rules for rapid pattern detection in memory buffers/files \u003c/a\u003e\u003cbr\u003e\r\n- [x] \u003ca href=\"https://xacone.github.io/BestEdrOfTheMarketV3.html#4\"\u003e Integrity checking of system calls \u003c/a\u003e\u003cbr\u003e\r\n- [x] \u003ca href=\"https://xacone.github.io/BestEdrOfTheMarketV3.html#6\"\u003e Leverage of the Shadow Stack to Verify Thread Call Stacks Integrity \u003c/a\u003e\u003cbr\u003e\r\n\r\n\u003cbr\u003e\r\n\r\nThus, this 3rd version makes it possible to detect a bunch of TTPs such as PPID Spoofing (\u003ca href=\"https://attack.mitre.org/techniques/T1134/004/\"\u003eT1134.004\u003c/a\u003e), Credential Dumping (\u003ca href=\"https://attack.mitre.org/techniques/T1003/001/\"\u003eT1003.001\u003c/a\u003e), process Hollowing/Ghosting/Tampering (\u003ca href=\"https://attack.mitre.org/techniques/T1055/012/\"\u003eT1055.012\u003c/a\u003e), memory code injection (\u003ca href=\"https://attack.mitre.org/techniques/T1055/\"\u003eT1055\u003c/a\u003e) 
methods including APC queuing (\u003ca href=\"https://attack.mitre.org/techniques/T1055/004/\"\u003eT1055.004\u003c/a\u003e) \u0026 Thread Hijacking (\u003ca href=\"https://attack.mitre.org/techniques/T1055/003/\"\u003eT1055.003\u003c/a\u003e), Abnormal System Calls (\u003ca href=\"https://attack.mitre.org/techniques/T1106/\"\u003eT1106\u003c/a\u003e), Registry Persistence Operations (\u003ca href=\"https://attack.mitre.org/techniques/T1547/001/\"\u003eT1547.001\u003c/a\u003e) and many more...\r\n\r\n\u003ch2\u003eRelease Structure\u003c/h2\u003e\r\n\r\nThe project incorporates a clone of @Elastic's \u003ca href=\"\"\u003eprotection-artifacts\u003c/a\u003e repository for the provision of Yara rules. \r\n\r\n```\r\n📁 beotmv3\r\n    ⚙️ beotm.sys\r\n    📄 beotm.exe\r\n    📁 protection-artifacts/\r\n        📁 rules/\r\n            📁 yara/\r\n                📄 Windows_Trojan_Metasploit.yar\r\n                📄 Windows_Hacktool_Mimikatz.yar\r\n                📄 Windows_Hacktool_Rubeus.yar\r\n                📄 ...\r\n    📄 libcrypto-3-x64.dll\r\n```\r\n\r\n\u003ch2\u003eUsage\u003c/h2\u003e\r\n\r\n```\r\nbeotm.exe \u003cpath to driver\u003e \u003cpath to Yara rules folder\u003e\r\n```\r\n\r\nExample with ``protection-artifacts``:\r\n```\r\n.\\beotm.exe .\\beotm.sys .\\protection-artifacts\\yara\\rules\\\r\n```\r\nbeotm.exe installs the beotm.sys driver on the system by itself, and asks to be run in administrator mode before starting. Once the driver is installed, it retrieves and compiles the Yara rules supplied in the path specified in its parameters:\r\n\r\n![Yara Rules Compiling](Assets/beotm_yara_rules_compiling.png)\r\n\r\nOnce all Yara rules have been compiled, press any key and you'll be redirected to the UI panel:\r\n\r\n![BEOTM Ui](Assets/beotm_simple_ui_panel.png)\r\n\r\nWhen beotm.exe is terminated, the service associated with the driver remains active on the system, so if you run beotm.exe again, there's no need to re-install the driver. 
The service is called “BeotmDrv”:\r\n\r\n```\r\nC:\\Windows\\system32\u003esc.exe query type=driver | findstr /i \"beotm\"\r\nSERVICE_NAME: BeotmDrv\r\nDISPLAY_NAME: BeotmDrv\r\n```\r\nYou can stop the service if you wish, as follows:\r\n```\r\nC:\\Windows\\system32\u003e sc.exe stop BeotmDrv \r\n```\r\n\r\n\u003ch2\u003eRequirements\u003c/h2\u003e\r\n\r\nYou'll need a test environment such as a Windows virtual machine. \u003ca href=\"https://learn.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option#enable-or-disable-use-of-test-signed-code\"\u003eThe machine must be configured in ``TESTSIGNING`` mode.\u003c/a\u003e\r\n\r\nI recommend a Windows 10 22H2 VM (this is the version on which BEOTM was tested), but the project should be compatible between Windows 10 20H1 and Windows 10 22H2.\r\n\r\n\u003ca href=\"https://www.apriorit.com/dev-blog/kernel-driver-debugging-with-windbg\"\u003eYou can also debug the remote VM kernel if you would like to test your changes.\u003c/a\u003e A debug message is displayed when BEOTM is launched, informing whether or not the callbacks have been successfully registered:\r\n\r\n```\r\n1: kd\u003e g\r\n ____            _     _____ ____  ____     ___   __   _____ _          \r\n| __ )  ___  ___| |_  | ____|  _ \\|  _ \\   / _ \\ / _| |_   _| |__   ___ \r\n|  _ \\ / _ \\/ __| __| |  _| | | | | |_) | | | | | |_    | | | '_ \\ / _ \\\r\n| |_) |  __/\\__ \\ |_  | |___| |_| |  _ \u003c  | |_| |  _|   | | | | | |  __/\r\n|____/_\\___||___/\\__| |_____|____/|_| \\_\\  \\___/|_|     |_| |_| |_|\\___|     v3\r\n|  \\/  | __ _ _ __| | _____| |_                                         \r\n| |\\/| |/ _` | '__| |/ / _ \\ __|                                        \r\n| |  | | (_| | |  |   \u003c  __/ |_           Yazidou - github.com/Xacone  \r\n|_|  |_|\\__,_|_|  |_|\\_\\___|\\__|                                        \r\n\r\n[+] Win Kernel Structs offsets initialized\r\n[+] Altsyscall handler registered 
!\r\n[+] PsSetCreateThreadNotifyRoutine success\r\n[+] PsSetCreateProcessNotifyRoutineEx success\r\n[+] PsSetLoadImageNotifyRoutine success\r\n[+] ObRegisterCallbacks 1 success\r\n[+] CmRegisterCallbackEx success\r\n[+] Driver loaded\r\n```\r\n\r\n\u003ch2\u003eBuilding the Project\u003c/h2\u003e\r\n\r\nThe project was designed in Visual Studio 2022. Make sure you have the WDK installed along with all its prerequisites, such as the x64 Spectre mitigation libraries. \u003ca href=\"https://learn.microsoft.com/en-us/windows-hardware/drivers/download-the-wdk\"\u003eThe Windows Hardware documentation details how to proceed.\u003c/a\u003e\r\n\r\nThe project uses C++20.\r\n\r\nThe project includes not-yet-implemented TCP/IP filtering functionality based on NDIS. If you encounter \"Symbol not found\"-like linker errors, make sure to link the following libraries in \u003ci\u003eBestEdrOfTheMarketDriver -\u003e Project Properties -\u003e Linker -\u003e Entry -\u003e Additional Dependencies\u003c/i\u003e:\r\n\r\n```\r\n$(DDK_LIB_PATH)\\fwpkclnt.lib\r\n$(DDK_LIB_PATH)\\ndis.lib\r\n$(SDK_LIB_PATH)\\uuid.lib\r\n```\r\n\r\nOn the user side, make sure you install \u003ca href=\"https://vcpkg.link/ports/yara\"\u003eyara\u003c/a\u003e with \u003ca href=\"https://github.com/microsoft/vcpkg\"\u003evcpkg\u003c/a\u003e:\r\n\r\n```\r\n.\\vcpkg\\vcpkg.exe install yara\r\n```\r\n\r\nHere's how to get the vcpkg.exe executable:\r\n```\r\ngit clone https://github.com/microsoft/vcpkg\r\n.\\vcpkg\\bootstrap-vcpkg.bat\r\n```\r\n\r\n\u003ch2\u003eIssue Reporting\u003c/h2\u003e\r\n\r\nFeel free \u003ca href=\"https://github.com/Xacone/BestEdrOfTheMarket/issues\"\u003eto open an issue\u003c/a\u003e for any crash/bug/BSOD you encounter or any excessive false positives.\r\n\r\nPlease provide me with as much information as possible to help me pinpoint the cause of the error. 
The most useful details are the conditions under which the bug was reproduced, the artifact that caused it and, if possible, the output of `analyze -v` in WinDbg in kernel debugging mode.\r\n\r\nIf it was one of your artifacts that caused the crash/bug/BSOD, it would be cool if I could also have its source code. \r\n\r\n\u003ch2\u003eDisclaimer ⚠️\u003c/h2\u003e\r\n\r\nThe scope of this project is purely educational. The driver is to be used in a **controlled testing environment** only.\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxacone%2Fbestedrofthemarket","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fxacone%2Fbestedrofthemarket","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxacone%2Fbestedrofthemarket/lists"}