⭕️ تکنیک ها و ابزار های زیادی در حوزه دور زدن av و edr و xdr ها وجود داره.
در ابزار مفیدی مثل incpector به قسمت های مختلفی پرداخته میشه
مثل:
انواع روش لود کردن shellcode ها (sRDI ,Pe2shو..)
انواع روش های loader-independent encoding, and loader-dependent
(native: Xor,Nop. .net: Hex,base64.)
انواع روش های دور زدن مکانیزم آنتی ویروس
(amsi bypass. wldp bypass . etw bypass)
انواع روش های دور زدن مکانیزم های edr ها
(full unhooking. manual dll mapping . direct syscalls)
تکنیک های مبهم سازی کد در powershell - C# c و ++C
و در اخر بحث code signing با certificates های ماکروسافتی
نتیجه گیری که میشه کرد این ابزار یه دید خوبی نسبت به ساختار آنتی ویروس ها و edr ها و روش های دور زدنشون به صورت پلکانی و مرحله به مرحله رو به ما اختصاص میده
https://github.com/klezVirus/inceptor
https://raw.githubusercontent.com/klezVirus/inceptor/main/slides/Inceptor%20-%20Bypass%20AV-EDR%20solutions%20combining%20well%20known%20techniques.pdf
#avbypass #redteam #edr #av
کانال آموزش کامپیوتر
@Engineer_Computer
در ابزار مفیدی مثل incpector به قسمت های مختلفی پرداخته میشه
مثل:
انواع روش لود کردن shellcode ها (sRDI ,Pe2shو..)
انواع روش های loader-independent encoding, and loader-dependent
(native: Xor,Nop. .net: Hex,base64.)
انواع روش های دور زدن مکانیزم آنتی ویروس
(amsi bypass. wldp bypass . etw bypass)
انواع روش های دور زدن مکانیزم های edr ها
(full unhooking. manual dll mapping . direct syscalls)
تکنیک های مبهم سازی کد در powershell - C# c و ++C
و در اخر بحث code signing با certificates های ماکروسافتی
نتیجه گیری که میشه کرد این ابزار یه دید خوبی نسبت به ساختار آنتی ویروس ها و edr ها و روش های دور زدنشون به صورت پلکانی و مرحله به مرحله رو به ما اختصاص میده
https://github.com/klezVirus/inceptor
https://raw.githubusercontent.com/klezVirus/inceptor/main/slides/Inceptor%20-%20Bypass%20AV-EDR%20solutions%20combining%20well%20known%20techniques.pdf
#avbypass #redteam #edr #av
کانال آموزش کامپیوتر
@Engineer_Computer
GitHub
GitHub - klezVirus/inceptor: Template-Driven AV/EDR Evasion Framework
Template-Driven AV/EDR Evasion Framework. Contribute to klezVirus/inceptor development by creating an account on GitHub.
🖼 https://raw.githubusercontent.com/matro7sh/BypassAV/main/img/Bypass-AV.png
نقشه تکنیک های دور زدن آنتی ویروس و EDR
#Bypass
#EDR
https://github.com/CMEPW/BypassAV
https://matro7sh.github.io/BypassAV
@Engineer_Computer
نقشه تکنیک های دور زدن آنتی ویروس و EDR
#Bypass
#EDR
https://github.com/CMEPW/BypassAV
https://matro7sh.github.io/BypassAV
@Engineer_Computer
پاسخ به یک سوال مهم :
پیرو حادثه crowdstrike و مشکل درایور این محصول که منجر به بلو اسکرین در سراسر جهان شد سوالی به میان میاید :
ویندوز با Patchguard که از انتهای ویندوز xp ارائه کرد دیگر اجازه نمیدهد هر کسی در کرنل دستکاری کند ، اما EDR و XDR ها ادعا میکنند توسط درایور ها در تعامل با کرنل هستند . حد این تعامل چیست که حادثه ای چون CrowdStrike رخ میدهد؟ و اینکه چرا مایکروسافت اخیرا جلسه ای بدون حضور خبرنگاران با اصحاب تولید کننده محصولاتی چون XDR و EDR گذاشته تا ایشان را از کرنل بیرون کند؟!!
من تعاملی با ChatGPT داشتم به جواب زیر رسیدم
Windows PatchGuard (also known as Kernel Patch Protection or KPP) is a security feature introduced by Microsoft to prevent unauthorized code from patching or modifying the Windows kernel on 64-bit systems. Its main goal is to maintain kernel integrity by ensuring that only trusted and signed code operates within the kernel space, protecting against malicious attacks, rootkits, or unauthorized kernel modifications.
### Relation Between Windows PatchGuard and EDR Drivers
#### 1. Kernel-Level Drivers and PatchGuard
- EDR Driver Requirements: Many EDR (Endpoint Detection and Response) solutions require kernel-level drivers to monitor system events, processes, and behavior in real time. These drivers operate in kernel mode, where they have higher privileges to access and monitor sensitive operations (file access, memory usage, etc.). However, PatchGuard enforces strict rules on what can and cannot interact with or modify the kernel.
- PatchGuard Restrictions: PatchGuard specifically blocks unauthorized drivers or software from modifying critical parts of the Windows kernel, such as:
- System Service Descriptor Table (SSDT) hooks
- Interrupt Descriptor Table (IDT) hooks
- Kernel Object Manipulation
- Modification of the Kernel Debugger
This ensures that the kernel remains in a known, stable state, preventing malware or poorly written drivers from tampering with it. Thus, any legitimate EDR driver must respect PatchGuard's restrictions, meaning that it cannot perform kernel patching or directly modify protected kernel structures.
#### 2. Signed Drivers and PatchGuard Compliance
- Driver Signing: For EDR drivers to function within the constraints of PatchGuard, they must be properly signed with a valid digital signature. Microsoft enforces driver signing to ensure that only trusted drivers are loaded into kernel space. Drivers that attempt to bypass or disable PatchGuard violate this trust model and are blocked by the system.
- Windows Hardware Quality Labs (WHQL) Certification: Most reputable EDR vendors will seek WHQL certification for their drivers, ensuring that they operate within Microsoft's guidelines for kernel interaction. This certification process ensures that the driver respects PatchGuard’s policies and doesn’t introduce instability or security vulnerabilities.
#### 3. Driver Operation Without Violating PatchGuard
- Non-Patching Approach: EDR drivers must monitor and respond to system events without directly modifying kernel structures or patching kernel code, which would violate PatchGuard. Instead, they:
- Hook into legitimate, documented APIs that provide system monitoring capabilities.
- Rely on Windows Filtering Platform (WFP), ETW (Event Tracing for Windows), or Hypervisor-protected Code Integrity (HVCI) for monitoring low-level events.
- Use legitimate kernel interfaces to gather data about processes, network activity, and file operations without modifying protected kernel data structures.
- User Mode and Kernel Mode Balance: Some EDR solutions split their functionality between user-mode agents and kernel-mode drivers. The driver performs low-level monitoring, while the user-mode components handle less sensitive tasks, ensuring that EDR solutions work effectively within the boundaries set by PatchGuard.
ادامه در پست بعد
@Engineer_Computer
#cybersecurity #threathunting #cyberforensics #Stuxnet #risk #edr #xdr
پیرو حادثه crowdstrike و مشکل درایور این محصول که منجر به بلو اسکرین در سراسر جهان شد سوالی به میان میاید :
ویندوز با Patchguard که از انتهای ویندوز xp ارائه کرد دیگر اجازه نمیدهد هر کسی در کرنل دستکاری کند ، اما EDR و XDR ها ادعا میکنند توسط درایور ها در تعامل با کرنل هستند . حد این تعامل چیست که حادثه ای چون CrowdStrike رخ میدهد؟ و اینکه چرا مایکروسافت اخیرا جلسه ای بدون حضور خبرنگاران با اصحاب تولید کننده محصولاتی چون XDR و EDR گذاشته تا ایشان را از کرنل بیرون کند؟!!
من تعاملی با ChatGPT داشتم به جواب زیر رسیدم
Windows PatchGuard (also known as Kernel Patch Protection or KPP) is a security feature introduced by Microsoft to prevent unauthorized code from patching or modifying the Windows kernel on 64-bit systems. Its main goal is to maintain kernel integrity by ensuring that only trusted and signed code operates within the kernel space, protecting against malicious attacks, rootkits, or unauthorized kernel modifications.
### Relation Between Windows PatchGuard and EDR Drivers
#### 1. Kernel-Level Drivers and PatchGuard
- EDR Driver Requirements: Many EDR (Endpoint Detection and Response) solutions require kernel-level drivers to monitor system events, processes, and behavior in real time. These drivers operate in kernel mode, where they have higher privileges to access and monitor sensitive operations (file access, memory usage, etc.). However, PatchGuard enforces strict rules on what can and cannot interact with or modify the kernel.
- PatchGuard Restrictions: PatchGuard specifically blocks unauthorized drivers or software from modifying critical parts of the Windows kernel, such as:
- System Service Descriptor Table (SSDT) hooks
- Interrupt Descriptor Table (IDT) hooks
- Kernel Object Manipulation
- Modification of the Kernel Debugger
This ensures that the kernel remains in a known, stable state, preventing malware or poorly written drivers from tampering with it. Thus, any legitimate EDR driver must respect PatchGuard's restrictions, meaning that it cannot perform kernel patching or directly modify protected kernel structures.
#### 2. Signed Drivers and PatchGuard Compliance
- Driver Signing: For EDR drivers to function within the constraints of PatchGuard, they must be properly signed with a valid digital signature. Microsoft enforces driver signing to ensure that only trusted drivers are loaded into kernel space. Drivers that attempt to bypass or disable PatchGuard violate this trust model and are blocked by the system.
- Windows Hardware Quality Labs (WHQL) Certification: Most reputable EDR vendors will seek WHQL certification for their drivers, ensuring that they operate within Microsoft's guidelines for kernel interaction. This certification process ensures that the driver respects PatchGuard’s policies and doesn’t introduce instability or security vulnerabilities.
#### 3. Driver Operation Without Violating PatchGuard
- Non-Patching Approach: EDR drivers must monitor and respond to system events without directly modifying kernel structures or patching kernel code, which would violate PatchGuard. Instead, they:
- Hook into legitimate, documented APIs that provide system monitoring capabilities.
- Rely on Windows Filtering Platform (WFP), ETW (Event Tracing for Windows), or Hypervisor-protected Code Integrity (HVCI) for monitoring low-level events.
- Use legitimate kernel interfaces to gather data about processes, network activity, and file operations without modifying protected kernel data structures.
- User Mode and Kernel Mode Balance: Some EDR solutions split their functionality between user-mode agents and kernel-mode drivers. The driver performs low-level monitoring, while the user-mode components handle less sensitive tasks, ensuring that EDR solutions work effectively within the boundaries set by PatchGuard.
ادامه در پست بعد
@Engineer_Computer
#cybersecurity #threathunting #cyberforensics #Stuxnet #risk #edr #xdr
ادامه از پست قبل 👆👆
#### 4. Is Using a Driver a Violation?
- No, It’s Not a Violation (When Done Correctly): Using a kernel driver in EDR solutions is not inherently a violation of PatchGuard. It’s only a violation if the driver attempts to patch or modify the kernel in ways that violate Windows security policies. Well-designed EDR solutions comply with PatchGuard by using standard APIs and legitimate kernel interfaces to achieve monitoring and protection goals.
- Working Within Kernel Mode: The EDR driver operates *within* the kernel, but it doesn’t modify or patch critical parts of the kernel itself. Instead, it monitors and reports events while respecting PatchGuard's restrictions. This allows it to maintain visibility into the system without breaching the kernel's integrity or violating Windows security rules.
### Summary
- Windows PatchGuard prevents unauthorized modifications to the Windows kernel, ensuring that the system's core remains intact and protected.
- EDR drivers operate within kernel mode but must comply with PatchGuard rules, meaning they cannot modify or patch the kernel directly.
- No violation occurs if the EDR driver is properly signed, respects PatchGuard’s limitations, and uses legitimate kernel monitoring techniques rather than trying to alter or bypass kernel protections.
@Engineer_Computer
#cybersecurity #threathunting #cyberforensics #Stuxnet #risk #edr #xdr
#### 4. Is Using a Driver a Violation?
- No, It’s Not a Violation (When Done Correctly): Using a kernel driver in EDR solutions is not inherently a violation of PatchGuard. It’s only a violation if the driver attempts to patch or modify the kernel in ways that violate Windows security policies. Well-designed EDR solutions comply with PatchGuard by using standard APIs and legitimate kernel interfaces to achieve monitoring and protection goals.
- Working Within Kernel Mode: The EDR driver operates *within* the kernel, but it doesn’t modify or patch critical parts of the kernel itself. Instead, it monitors and reports events while respecting PatchGuard's restrictions. This allows it to maintain visibility into the system without breaching the kernel's integrity or violating Windows security rules.
### Summary
- Windows PatchGuard prevents unauthorized modifications to the Windows kernel, ensuring that the system's core remains intact and protected.
- EDR drivers operate within kernel mode but must comply with PatchGuard rules, meaning they cannot modify or patch the kernel directly.
- No violation occurs if the EDR driver is properly signed, respects PatchGuard’s limitations, and uses legitimate kernel monitoring techniques rather than trying to alter or bypass kernel protections.
@Engineer_Computer
#cybersecurity #threathunting #cyberforensics #Stuxnet #risk #edr #xdr