https://github.com/xacone/bestedrofthemarket

Little AV/EDR evasion lab for training & learning purposes

# Best EDR Of The Market (BEOTM) V3 🐲🏴‍☠️

Best Edr Of The Market is an open-source lab designed to implement and understand, from a low-level perspective, the detection methods used by Endpoint Detection & Response security products and the ways they can be bypassed. These detection methods rely mainly on Windows NT's telemetry capabilities to dynamically analyze process behavior.


## ➡️ What's New in the Kernel Version of BestEdrOfTheMarket?

### Defensive Capabilities


This current version (v3) focuses on some of the interception capabilities offered by the Windows kernel. These include:

- [x] System call interception via alternative system call handlers
- [x] Exploitation of the Virtual Address Descriptor (VAD) tree for image integrity checking
- [x] Using kernel callbacks to capture events related to thread creation, process creation, image loading into memory, registry operations, and object-related operations
- [x] Code injection detection by validating the integrity of thread call stacks
- [x] Integration of Yara rules for rapid pattern detection in memory buffers/files
- [x] Integrity checking of system calls
- [x] Leveraging the shadow stack to verify thread call stack integrity

This third version thus makes it possible to detect a number of TTPs such as PPID Spoofing (T1134.004), Credential Dumping (T1003.001), Process Hollowing/Ghosting/Tampering (T1055.012), memory code injection (T1055) methods including APC queuing (T1055.004) and Thread Hijacking (T1055.003), Abnormal System Calls (T1106), Registry Persistence Operations (T1547.001), and many more.

## Release Structure

The release bundles a clone of @Elastic's protection-artifacts repository as its source of Yara rules.

```
📁 beotmv3
├── ⚙️ beotm.sys
├── 📄 beotm.exe
├── 📁 protection-artifacts/
│   └── 📁 rules/
│       └── 📁 yara/
│           ├── 📄 Windows_Trojan_Metasploit.yar
│           ├── 📄 Windows_Hacktool_Mimikatz.yar
│           ├── 📄 Windows_Hacktool_Rubeus.yar
│           └── 📄 ...
└── 📄 libcrypto-3-x64.dll
```

## Usage

```
beotm.exe
```

Example with ``protection-artifacts``:
```
.\beotm.exe .\beotm.sys .\protection-artifacts\yara\rules\
```
beotm.exe installs the beotm.sys driver on the system itself and requires an administrator prompt before starting. Once the driver is installed, it loads and compiles the Yara rules found in the directory passed as its second argument:

![Yara Rules Compiling](Assets/beotm_yara_rules_compiling.png)

Once all Yara rules have been compiled, press any key and you'll be redirected to the UI panel:

![BEOTM Ui](Assets/beotm_simple_ui_panel.png)

When beotm.exe is terminated, the service associated with the driver remains active on the system, so if you run beotm.exe again, there's no need to re-install the driver. The service is called “BeotmDrv”:

```
C:\Windows\system32>sc.exe query type=driver | findstr /i "beotm"
SERVICE_NAME: BeotmDrv
DISPLAY_NAME: BeotmDrv
```
You can stop the service if you wish, as follows:
```
C:\Windows\system32> sc.exe stop BeotmDrv
```

## Requirements

You'll need a test environment such as a Windows virtual machine. The machine must be configured in ``TESTSIGNING`` mode.

I recommend a Windows 10 22H2 VM (the version on which BEOTM was tested), but the project should be compatible with Windows 10 builds from 20H1 through 22H2.

You can also attach a kernel debugger to the VM to test your changes. A debug message is printed when BEOTM is launched, stating whether or not each callback was successfully registered:
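The usage and requirements above amount to a short pre-flight routine for the lab VM. The following PowerShell wrapper is an added example, not part of the BEOTM project: it checks for an elevated prompt and for ``TESTSIGNING`` on the current boot entry, reports the state of the persistent ``BeotmDrv`` service via ``sc.exe``, launches beotm.exe with the same arguments as the README, and optionally stops the driver afterwards. The default paths and the ``-StopDriverOnExit`` switch are assumptions of this script.

```powershell
# Added example (not BEOTM project code): pre-flight checks and launch wrapper for the lab VM.
# Paths are assumptions matching the README layout; adjust to your own.
param(
    [string]$Driver = '.\beotm.sys',
    [string]$Rules  = '.\protection-artifacts\yara\rules\',
    [switch]$StopDriverOnExit
)

# beotm.exe needs an elevated prompt to install the driver; fail early rather than mid-install.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (administrator) PowerShell.'
}

# A test-signed beotm.sys only loads when the current boot entry has testsigning enabled.
$bcd = bcdedit /enum '{current}' 2>&1 | Out-String
if ($bcd -notmatch '(?im)^\s*testsigning\s+Yes') {
    throw 'TESTSIGNING is not enabled on the current boot entry.'
}

# BeotmDrv persists after beotm.exe exits, so report its state instead of assuming a fresh install.
# Get-Service hides kernel drivers, hence sc.exe and a match on its "STATE : 4 RUNNING" line.
function Get-BeotmDrvState {
    $out = sc.exe query BeotmDrv 2>&1 | Out-String
    if ($out -match 'STATE\s*:\s*\d+\s+(\w+)') { return $Matches[1] }   # RUNNING, STOPPED, ...
    return 'NOT_INSTALLED'
}
Write-Host "BeotmDrv state before launch: $(Get-BeotmDrvState)"

if (-not (Test-Path $Driver)) { throw "Driver not found: $Driver" }
if (-not (Test-Path $Rules))  { throw "Yara rules directory not found: $Rules" }

# Same invocation as the README; beotm.exe blocks until its UI panel is closed.
& .\beotm.exe $Driver $Rules

if ($StopDriverOnExit -and (Get-BeotmDrvState) -eq 'RUNNING') {
    sc.exe stop BeotmDrv | Out-Null
    Write-Host "BeotmDrv state after stop: $(Get-BeotmDrvState)"
}
```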

```
1: kd> g
[Best EDR Of The Market v3 ASCII banner - Yazidou - github.com/Xacone]

[+] Win Kernel Structs offsets initialized
[+] Altsyscall handler registered !
[+] PsSetCreateThreadNotifyRoutine success
[+] PsSetCreateProcessNotifyRoutineEx success
[+] PsSetLoadImageNotifyRoutine success
[+] ObRegisterCallbacks 1 success
[+] CmRegisterCallbackEx success
[+] Driver loaded
```

## Building the Project

The project was designed in Visual Studio 2022. Make sure you have the WDK installed along with all its prerequisites, such as the x64 Spectre mitigation libraries. The Windows Hardware documentation details how to proceed.

The project uses C++20.

The project includes not-yet-implemented TCP/IP filtering functionality based on NDIS. If you encounter "Symbol not found"-like errors, make sure the following libraries are linked under BestEdrOfTheMarketDriver -> Project Properties -> Linker -> Input -> Additional Dependencies:

```
$(DDK_LIB_PATH)\fwpkclnt.lib
$(DDK_LIB_PATH)\ndis.lib
$(SDK_LIB_PATH)\uuid.lib
```

On the user-mode side, install yara with vcpkg:

```
.\vcpkg\vcpkg.exe install yara
```

Here's how to get the vcpkg.exe executable:
```
git clone https://github.com/microsoft/vcpkg
.\vcpkg\bootstrap-vcpkg.bat
```

## Issue Reporting

Feel free to open an issue for any crash/bug/BSOD you encounter or any excessive false positives.

Please provide as much information as possible to help me pinpoint the cause of the error. The best way is to describe the conditions under which the bug was reproduced and, ideally, to include the artifact that triggered it plus the output of `!analyze -v` from WinDbg in kernel debugging mode (if possible).

If one of your own artifacts caused the crash/bug/BSOD, it would be great if you could also share its source code.

## Disclaimer ⚠️

The scope of this project is purely educational. The driver is to be used in a **controlled testing environment** only.