Title: Evading EDR: The Definitive Guide to Defeating Endpoint Detection Systems (Final) Author: Matt Hand Publisher: No Starch Press Year: 2024 Pages: 315 Language: English Format: True/Retail (PDF EPUB MOBI) Size: 26.4 MB
EDR, demystified! Stay a step ahead of attackers with this comprehensive guide to understanding the attack-detection software running on Microsoft systems—and how to evade it.
Nearly every enterprise uses an Endpoint Detection and Response (EDR) agent to monitor the devices on their network for signs of an attack. But that doesn't mean security defenders grasp how these systems actually work. This book demystifies EDR, taking you on a deep dive into how EDRs detect adversary activity. Chapter by chapter, you’ll learn that EDR is not a magical black box—it’s just a complex software application built around a few easy-to-understand components.
The author uses his years of experience as a red team operator to investigate each of the most common sensor components, discussing their purpose, explaining their implementation, and showing the ways they collect various data points from the Microsoft operating system. In addition to covering the theory behind designing an effective EDR, each chapter also reveals documented evasion strategies for bypassing EDRs that red teamers can use in their engagements.
Who This Book Is For: This book is for any reader interested in understanding endpoint detections. On the offensive side, it should guide researchers, capability developers, and red team operators, who can use the knowledge of EDR internals and evasion strategies discussed here to build their attack strategies. On the defensive side, the same information serves a different purpose. Understanding how your EDR works will help you make informed decisions when investigating alerts, building new detections, understanding blind spots, and purchasing products.
That said, if you’re looking for a step-by-step guide to evading the specific EDR deployed in your particular operating environment, this book isn’t for you. While we discuss evasions related to the broader technologies used by most endpoint security agents, we do so in a vendor-agnostic way. All EDR agents generally work with similar data because the operating system standardizes its collection techniques. This means we can focus our attention on this common core: the information used to build detections. Understanding it can clarify why a vendor makes certain design decisions.
Lastly, this book exclusively targets the Windows operating system. While you’ll increasingly find EDRs developed specifically for Linux and macOS, they still don’t hold a candle to the market share held by Windows agents. Because we are far more likely to run into an EDR deployed on Windows when attacking or defending a network, we’ll focus our efforts on gaining a deep understanding of how these agents work.
Prerequisite Knowledge:
This is a deeply technical book, and to get the most out of it, I strongly recommend that you familiarize yourself with the following concepts. First, knowledge of basic penetration testing techniques will help you better understand why an EDR may attempt to detect a specific action on a system.
We’ll spend quite a bit of time deep in the weeds of the Windows operating system. Thus, you may find it worthwhile to understand the basics of Windows internals and the Win32 API.
Because we examine source code and debugger output in depth, you may also want to be familiar with the C programming language and x86 assembly. This isn’t a requirement, though, as we’ll walk through each code listing to highlight key points.
Experience with tools like WinDbg, the Windows debugger; Ghidra, the disassembler and decompiler; PowerShell, the scripting language; and the SysInternals Suite (specifically, the tools Process Monitor and Process Explorer) will aid you as well. Although we walk through the use of these tools in the book, they can be tricky at times.