Please follow the Github Repo, This Notion link may die anytime. Github : https://github.com/An0nUD4Y/AV-EDR-Lab-Environment-Setup By : @an0nud4y

Table of Content

AV/EDR Lab Environment Setup

• An example of things that can be used to emulate certain features that paid edrs have:

  • SACL - sysmon

    • https://detect.fyi/sysmon-a-viable-alternative-to-edr-44d4fbe5735a?gi=eb4475ea6b3d
    • https://techcommunity.microsoft.com/t5/windows-server-for-it-pro/active-directory-hunting-set-up-advanced-monitoring-with-sysmon/m-p/3977120
    • Sysmon Config : https://github.com/SwiftOnSecurity/sysmon-config

  • HOOKS

    • bitdefender free : https://otterhacker.github.io/Malware/Function hooking.html
    • HookDetector (Detect all hooked APIs) : https://github.com/matterpreter/OffensiveCSharp/tree/master/HookDetector
    • TelemetrySourcerer (enumerate and disable common sources of telemetry used by AV/EDR, Including ETW , User-ModeHooks, Kernel Callbacks) : https://github.com/jthuraisamy/TelemetrySourcerer

  • Detecting direct/indirect syscalls from usermode

    • https://github.com/jackullrich/syscall-detect
    • hook the current process to identify the manual syscall executions on windows : https://github.com/paranoidninja/Process-Instrumentation-Syscall-Hook
    • Hunt-Weird-Syscalls : https://github.com/thefLink/Hunt-Weird-Syscalls

  • PROCESS/PESCAN

    • Yapscan - hoard as many yara rules as you can
    • DetectItEasy(DIE) : https://github.com/horsicq/Detect-It-Easy

  • AMSI Provider

    • AMSI Provider : https://github.com/jborean93/AmsiProvider

  • ETW-TI/ETW Providers/Consumers -

    • silketw : https://otterhacker.github.io/Malware/ETW.html
    • ETWInspector : https://github.com/jsecurity101/ETWInspector
    • List ETW Providers for a process : ‣
    • KrabsETW (Microsoft ETW Consumer) : https://github.com/microsoft/krabsetw
    • BlueKrabsETW (For blueTeams, Based on KrabsETW by microsoft) : https://github.com/threathunters-io/bluekrabsetw
    • Sealighter (Sysmon-Like research tool for ETW) : https://github.com/pathtofile/Sealighter
    • SealighterTI (Threat-Intelligence ETW Provider) : https://github.com/pathtofile/SealighterTI
    • TiEtwAgent (Detect Memory injection based on ETW-TI) : https://github.com/xuanxuan0/TiEtwAgent
    • PyWinTrace (ETW python Library) : https://github.com/fireeye/pywintrace
    • EtwExplorer (View ETW Providers Manifest) : https://github.com/zodiacon/EtwExplorer
    • TelemetrySourcerer (enumerate and disable common sources of telemetry used by AV/EDR, Including ETW , User-ModeHooks, Kernel Callbacks) : https://github.com/jthuraisamy/TelemetrySourcerer
    • MentalTi (ETWTi Parser) : https://github.com/mannyfred/MentalTi
    • PockETWatcher : https://github.com/olafhartong/PockETWatcher
    • AnzuETW : https://github.com/casp3r0x0/AnzuETW
    • COMmander (leverages the Microsoft-Windows-RPC ETW provider to tap into low level RPC events) : https://github.com/HullaBrian/COMmander
    • ETW Resources
      • Contains resources to learn and understand EVTX/ETW (Event Tracing for Windows) : https://github.com/nasbench/EVTX-ETW-Resources

  • KERNEL CALLBACKS -

    • Elastic
    • Sysmon
    • TelemetrySourcerer (enumerate and disable common sources of telemetry used by AV/EDR, Including ETW , User-ModeHooks, Kernel Callbacks) : https://github.com/jthuraisamy/TelemetrySourcerer

  • Capa - Capabilities Scanning

  • Trace API calls - TinyTracer

    • https://github.com/hasherezade/tiny_tracer

• Collect Windows Telemetry for Maldev

  • Collects telemetry like , ETW, ETW-TI, Kernel Callbacks, Hooks, Callstacks, Loaded DLLs, PEB) : https://github.com/dobin/RedEdr , https://github.com/dobin/RedEdrUi (Check other projects by author)

• Free Trials EDR/AV Products

  • Microsoft Defender For Endpoint
    • https://medium.com/@hackenbacker/creating-a-defender-for-endpoint-lab-for-free-695044b75bd6
    • https://learn.microsoft.com/en-us/defender-endpoint/defender-endpoint-trial-user-guide
  • Sophos XDR (trial)
  • Elastic EDR
    • https://github.com/sherifabdlnaby/elastdocker
    • https://otterhacker.github.io/Malware/Elastic EDR.html
    • https://github.com/peasead/elastic-container
    • https://www.youtube.com/watch?v=1luhjL7TN9U
  • TrendMicro
  • McAfee MVISION
  • Avast
  • openEDR - Comodo Free EDR
  • Wazuh : https://github.com/wazuh/wazuh
  • Huntress Managed EDR - (15 Days Free trial , No Credit card Required, 3 High/Critical incident reports by realtime SOC analysts) (Shared by @fin3ss3g0d): https://www.huntress.com/edr-free-trial

• Open Source AV/EDRs

  • RedEDR (Web UI ) : https://github.com/dobin/RedEdr
  • LitterBox (Web UI) : https://github.com/BlackSnufkin/LitterBox
  • SimpleEDR - Manual DLL Hooking to find Detection Opportunity : https://github.com/Helixo32/SimpleEDR
  • CrimsonEDR : https://github.com/Helixo32/CrimsonEDR
  • OpenEDR : https://github.com/ComodoSecurity/openedr/
  • InjDrv : https://github.com/wbenny/injdrv
  • MyDumbEDR : https://github.com/sensepost/mydumbedr
  • BestEDROfTheMarket : https://github.com/Xacone/BestEdrOfTheMarket
  • JonMon : https://github.com/jsecurity101/JonMon
  • SylantStrike : https://github.com/CCob/SylantStrike
  • Whids : https://github.com/0xrawsec/whids
  • MiniEDR : https://github.com/j3h4ck/MiniEDR
  • Vettaiyan : https://github.com/m0n1x90/vettaiyan
  • Write your own EDR
    • https://blog.whiteflag.io/blog/from-windows-drivers-to-a-almost-fully-working-edr/
    • https://youtube.com/playlist?list=PLc2_LEyTNutFkUliQMTZ_FHl8kNx3f5-E&si=8kHcC_FIxccHBR5H
    • https://sensepost.com/blog/2024/sensecon-23-from-windows-drivers-to-an-almost-fully-working-edr/
  • NovaEDR : https://github.com/N0vaSky/NovaEDR-deploy
  • JonMon-Lite (Remote Agentless EDR) : https://github.com/jonny-jhnson/JonMon-Lite
  • Panoptes : https://github.com/Ap3x/Panoptes

• Open Source EDRs Comparison by @dobin

• Image Load Events Scanners

• Process Memory Scanners

• Signature Detection Bypass

• Payload delivery Test

Malware Development Machine Setup