Please follow the Github Repo, This Notion link may die anytime. Github : https://github.com/An0nUD4Y/AV-EDR-Lab-Environment-Setup By : @an0nud4y

Table of Content

AV/EDR Lab Environment Setup

An example of things that can be used to emulate certain features that paid edrs have:
- SACL - sysmon
- HOOKS
  - bitdefender free : https://otterhacker.github.io/Malware/Function hooking.html
  - HookDetector (Detect all hooked APIs) : https://github.com/matterpreter/OffensiveCSharp/tree/master/HookDetector
  - TelemetrySourcerer (enumerate and disable common sources of telemetry used by AV/EDR, Including ETW , User-ModeHooks, Kernel Callbacks) : https://github.com/jthuraisamy/TelemetrySourcerer
- Detecting direct/indirect syscalls from usermode
  - https://github.com/jackullrich/syscall-detect
  - hook the current process to identify the manual syscall executions on windows : https://github.com/paranoidninja/Process-Instrumentation-Syscall-Hook
  - Hunt-Weird-Syscalls : https://github.com/thefLink/Hunt-Weird-Syscalls
  - Process Instrumentation - simple program to hook the current process to identify the manual syscall executions on windows : https://github.com/paranoidninja/Process-Instrumentation-Syscall-Hook
- PROCESS/PESCAN
  - Yapscan - hoard as many yara rules as you can
  - DetectItEasy(DIE) : https://github.com/horsicq/Detect-It-Easy
- AMSI Provider
  - AMSI Provider : https://github.com/jborean93/AmsiProvider
- ETW-TI/ETW Providers/Consumers -
  - silketw : https://otterhacker.github.io/Malware/ETW.html
  - ETWInspector : https://github.com/jsecurity101/ETWInspector
  - List ETW Providers for a process : ‣
  - KrabsETW (Microsoft ETW Consumer) : https://github.com/microsoft/krabsetw
  - BlueKrabsETW (For blueTeams, Based on KrabsETW by microsoft) : https://github.com/threathunters-io/bluekrabsetw
  - Sealighter (Sysmon-Like research tool for ETW) : https://github.com/pathtofile/Sealighter
  - SealighterTI (Threat-Intelligence ETW Provider) : https://github.com/pathtofile/SealighterTI
  - TiEtwAgent (Detect Memory injection based on ETW-TI) : https://github.com/xuanxuan0/TiEtwAgent
  - PyWinTrace (ETW python Library) : https://github.com/fireeye/pywintrace
  - EtwExplorer (View ETW Providers Manifest) : https://github.com/zodiacon/EtwExplorer
  - TelemetrySourcerer (enumerate and disable common sources of telemetry used by AV/EDR, Including ETW , User-ModeHooks, Kernel Callbacks) : https://github.com/jthuraisamy/TelemetrySourcerer
  - MentalTi (ETWTi Parser) : https://github.com/mannyfred/MentalTi
  - PockETWatcher : https://github.com/olafhartong/PockETWatcher
  - AnzuETW : https://github.com/casp3r0x0/AnzuETW
  - COMmander (leverages the Microsoft-Windows-RPC ETW provider to tap into low level RPC events) : https://github.com/HullaBrian/COMmander
  - ETW-TI Viewer : https://github.com/adanto/EtwTiViewer
  - ETW Resources
    - Contains resources to learn and understand EVTX/ETW (Event Tracing for Windows) : https://github.com/nasbench/EVTX-ETW-Resources
- KERNEL CALLBACKS -
  - Elastic
  - Sysmon
  - TelemetrySourcerer (enumerate and disable common sources of telemetry used by AV/EDR, Including ETW , User-ModeHooks, Kernel Callbacks) : https://github.com/jthuraisamy/TelemetrySourcerer
- Capa - Capabilities Scanning
- Trace API calls - TinyTracer
  - https://github.com/hasherezade/tiny_tracer
Collect Windows Telemetry for Maldev
- Collects telemetry like , ETW, ETW-TI, Kernel Callbacks, Hooks, Callstacks, Loaded DLLs, PEB) : https://github.com/dobin/RedEdr , https://github.com/dobin/RedEdrUi (Check other projects by author)
Free Trials EDR/AV Products
- Microsoft Defender For Endpoint
  - https://medium.com/@hackenbacker/creating-a-defender-for-endpoint-lab-for-free-695044b75bd6
  - https://learn.microsoft.com/en-us/defender-endpoint/defender-endpoint-trial-user-guide
- Sophos XDR (trial)
- Elastic EDR
- TrendMicro
- McAfee MVISION
- Avast
- openEDR - Comodo Free EDR
- Wazuh : https://github.com/wazuh/wazuh
- Huntress Managed EDR - (15 Days Free trial , No Credit card Required, 3 High/Critical incident reports by realtime SOC analysts) (Shared by @fin3ss3g0d): https://www.huntress.com/edr-free-trial
Open Source AV/EDRs
- RedEDR (Web UI ) : https://github.com/dobin/RedEdr
  - X33fc0n 2026 Talk by @Dobin
    
    Detonator - x33fcon 2026.pdf
- LitterBox (Web UI) : https://github.com/BlackSnufkin/LitterBox
- SimpleEDR - Manual DLL Hooking to find Detection Opportunity : https://github.com/Helixo32/SimpleEDR
- CrimsonEDR : https://github.com/Helixo32/CrimsonEDR
- OpenEDR : https://github.com/ComodoSecurity/openedr/
- InjDrv : https://github.com/wbenny/injdrv
- MyDumbEDR : https://github.com/sensepost/mydumbedr
- BestEDROfTheMarket : https://github.com/Xacone/BestEdrOfTheMarket
- JonMon : https://github.com/jsecurity101/JonMon
- SylantStrike : https://github.com/CCob/SylantStrike
- Whids : https://github.com/0xrawsec/whids
- MiniEDR : https://github.com/j3h4ck/MiniEDR
- Vettaiyan : https://github.com/m0n1x90/vettaiyan
- Write your own EDR
- NovaEDR : https://github.com/N0vaSky/NovaEDR-deploy
- JonMon-Lite (Remote Agentless EDR) : https://github.com/jonny-jhnson/JonMon-Lite
- Panoptes : https://github.com/Ap3x/Panoptes
- BamboozIEDR : https://github.com/olafhartong/BamboozlEDR
- Sanctum : https://github.com/0xflux/Sanctum
Open Source EDRs Comparison by @dobin
Image Load Events Scanners
Process Memory Scanners
Signature Detection Bypass
Payload delivery Test

Table of Content

AV/EDR Lab Environment Setup

Malware Development Machine Setup