Best Edr Of The Market is an open-source lab designed to implement and understand, from a low-level perspective, the detection methods used by Endpoint Detection & Response security products and their workarounds. These techniques are mainly based on the exploitation of Windows NT's telemetric capabilities to dynamically analyze process behavior.
This current version (v3) focuses on some of the interception capabilities offered by the Windows kernel. These include:
- System call interception via alternative system call handlers
- Exploitation of the Virtual Address Descriptor (VAD) tree for image integrity checking
- Using kernel callbacks to capture events related to thread creation, process creation, image loading into memory, registry operations, and object operations
- Code injection detection by validating the integrity of thread call stacks
- Integration of Yara rules for rapid pattern detection in memory buffers/files
- Integrity checking of system calls
- Leverage of the Shadow Stack to verify thread call stack integrity
Thus, this 3rd version makes it possible to detect a bunch of TTPs such as PPID Spoofing (T1134.004), Credential Dumping (T1003.001), process Hollowing/Ghosting/Tampering (T1055.012), memory code injection (T1055) methods including APC queuing (T1055.004) & Thread Hijacking (T1055.003), Abnormal System Calls (T1106), Registry Persistence Operations (T1547.001) and many more...
The project incorporates a clone of @elastic's protection-artifacts repository for the provision of Yara rules.
```
📁 beotmv3
    ⚙️ beotm.sys
    📄 beotm.exe
    📁 protection-artifacts/
        📁 rules/
            📁 yara/
                📄 Metasploit_Artefacts_Rule.yara
    📄 libcrypto-3-x64.dll
```
```
beotm.exe <path to driver> <path to Yara rules folder>
```
Example:
```
beotm.exe .\beotm.sys .\protection-artifacts
```
beotm.exe installs the beotm.sys driver on the system by itself, and asks to be run in administrator mode before starting. Once the driver is installed, it retrieves and compiles the Yara rules supplied in the path specified in its parameters:
Once all Yara rules have been compiled, press any key and you'll be redirected to the UI panel:
When beotm.exe is terminated, the service associated with the driver remains active on the system, so if you run beotm.exe again, there's no need to re-install the driver. The service is called “BeotmDrv”:
```
C:\Windows\system32>sc.exe query type=driver | findstr /i "beotm"
SERVICE_NAME: BeotmDrv
DISPLAY_NAME: BeotmDrv
```
You can stop the service if you wish, as follows:
```
C:\Windows\system32> sc.exe stop BeotmDrv
```
You'll need a test environment such as a Windows virtual machine. The machine must be configured in TESTSIGNING mode.
I recommend a Windows 10 22H2 VM (this is the version on which BEOTM was tested), but the project should be compatible between Windows 10 20H1 and Windows 11 23H2.
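The following PowerShell helpers are an added example, not code from the BEOTM project: they check the two preconditions described above (an elevated prompt and TESTSIGNING mode) and wrap the `sc.exe` service lifecycle of the `BeotmDrv` driver service so you can confirm it is running after `beotm.exe` installs it, stop it, or remove it entirely once you are done testing. The service name and file names are taken from this README; the function names and the `bcdedit` output parsing are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the BEOTM project). Assumes the driver service
# name "BeotmDrv" documented in the README and an elevated PowerShell prompt.

function Test-TestSigningEnabled {
    # bcdedit lists "testsigning  Yes" for the current boot entry when the
    # machine accepts test-signed drivers such as beotm.sys.
    $out = bcdedit /enum '{current}' 2>&1
    return [bool]($out -match '^\s*testsigning\s+Yes')
}

function Get-BeotmService {
    # Kernel driver services are exposed through Win32_SystemDriver rather
    # than Get-Service; State is "Running" or "Stopped".
    Get-CimInstance Win32_SystemDriver -Filter "Name='BeotmDrv'" -ErrorAction SilentlyContinue
}

function Stop-BeotmService {
    $svc = Get-BeotmService
    if (-not $svc) { Write-Warning 'BeotmDrv is not installed'; return }
    if ($svc.State -eq 'Running') {
        # Same effect as the README's "sc.exe stop BeotmDrv".
        $null = sc.exe stop BeotmDrv
    }
}

function Remove-BeotmService {
    # Stops the driver and deletes the service entry so the next beotm.exe
    # run reinstalls a fresh copy of beotm.sys.
    Stop-BeotmService
    if (Get-BeotmService) { $null = sc.exe delete BeotmDrv }
}

# Pre-flight check before launching beotm.exe.
if (-not (Test-TestSigningEnabled)) {
    Write-Warning 'TESTSIGNING is off. Enable it with "bcdedit /set testsigning on" and reboot.'
}

# After beotm.exe has been run once, report the driver service state.
$svc = Get-BeotmService
if ($svc) { "BeotmDrv state: $($svc.State)" } else { 'BeotmDrv not installed yet' }
```

Run the script once before the first `beotm.exe` launch to catch a VM that is not in TESTSIGNING mode, and call `Remove-BeotmService` when you want to force the driver to be reinstalled (for example after rebuilding `beotm.sys`), since as noted above the service otherwise survives `beotm.exe` exiting.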
You can also debug the remote VM kernel if you would like to test your changes. A debug message is displayed when BEOTM is launched, informing whether or not the callbacks have been successfully registered:
```
1: kd> g
 ____            _     _____ ____  ____     ___   __   _____ _
| __ )  ___  ___| |_  | ____|  _ \|  _ \   / _ \ / _| |_   _| |__   ___
|  _ \ / _ \/ __| __| |  _| | | | | |_) | | | | | |_    | | | '_ \ / _ \
| |_) |  __/\__ \ |_  | |___| |_| |  _ <  | |_| |  _|   | | | | | |  __/
|____/ \___||___/\__| |_____|____/|_| \_\  \___/|_|     |_| |_| |_|\___| v3
| \/ | __ _ _ __| | _____| |_
| |\/| |/ _` | '__| |/ / _ \ __|
| |  | | (_| | |  | <  __/ |_    Yazidou - github.com/Xacone
|_|  |_|\__,_|_|  |_|\_\___|\__|
[+] Win Kernel Structs offsets initialized
[+] Altsyscall handler registered !
[+] PsSetCreateThreadNotifyRoutine success
[+] PsSetCreateProcessNotifyRoutineEx success
[+] PsSetLoadImageNotifyRoutine success
[+] ObRegisterCallbacks 1 success
[+] CmRegisterCallbackEx success
[+] Driver loaded
```
The project was designed in Visual Studio 2022. Make sure you have the latest WDK installed along with all its prerequisites, such as the x64 Spectre mitigation libraries. The Windows Hardware documentation details how to proceed.
The project uses C++20.
The project includes as yet unimplemented TCP/IP filtering functionality based on NDIS. If you encounter "Symbol not found"-like errors, make sure to link the following libraries in BestEdrOfTheMarketDriver -> Project Properties -> Linker -> Input -> Additional Dependencies:
```
$(DDK_LIB_PATH)\fwpkclnt.lib
$(DDK_LIB_PATH)\ndis.lib
$(SDK_LIB_PATH)\uuid.lib
```
On the user side, make sure you install yara with vcpkg:
```
.\vcpkg\vcpkg.exe install yara
```
Here's how to get the vcpkg.exe executable:
```
git clone https://github.com/microsoft/vcpkg
.\vcpkg\bootstrap-vcpkg.bat
```
Feel free to open an issue for any crash/bug/BSOD you encounter or any excessive false positives.
Please provide me with as much information as possible to help me pinpoint the cause of the error. The most useful things are the conditions under which the bug was reproduced, the artifact that caused it, and the output of `!analyze -v` on WinDbg in kernel debugging mode (if possible).
If it was one of your artifacts that caused the crash/bug/BSOD, it would be cool if I could also have its source code.
The scope of this project is purely educational. The driver is to be used in a controlled testing environment only.