This document discusses endpoint detection and response (EDR) solutions and how red teams can evade them. It provides an introduction to EDR, explaining that EDR solutions monitor endpoints for threats by collecting behavioral data using installed agents. It then discusses why EDR is used, including failures of endpoint protection platforms and enabling real-time visibility and anomaly detection. The document goes on to provide examples of how red teams can evade detection, such as hiding Windows processes, spoofing process arguments and parent processes, and using memory evasion techniques like obfuscation and behaving like a beacon.

1. WHOAMI
Halil Dalabasmaz
Red Team Leader
Developer of Phant0m, wildPWN, SpookFlare
C|EH, OSCP, OSWP, OSCE, eWPT, eWPTX
artofpwn.com
twitter: @hlldz | github: @hlldz

4. EDR
• Endpoint Detection and Response
• This solutions are designed to continuously monitor and respond to threats. They do this
by installing agents or sensors on the endpoints, which collect and send behavioral
data to a central database for analysis.

5. HOW IT WORKS?

6. WHY EDR?
• Failure of EPPs
• Real Time System Watching & Visibility
• Memory and Behavioral Analysis
• Anomaly Detection
• Empower DFIR Processes
• VirusTotal Integration

7. REAL LIFE - I

8. REAL LIFE - II
https://redcanary.com/blog/5-common-endpoint-detection-and-response-mistakes/

9. Next Generation War
EDR vs RED TEAM
Halil Dalabasmaz

10. VISIBILITY OF A WINDOWS PROCESS

11. VISIBILITY OF A WINDOWS PROCESS

12. RED TEAM CASE STUDY - I

13. RED TEAM CASE STUDY - I
powershell -nop -w 1 -enc SQBmACgAJABQAFMAVgBlAFIAcwBpAG8ATgBKLnfAaQBu

14. PROCESS ARGUMENT SPOOFING
typedef struct _RTL_USER_PROCESS_PARAMETERS {
BYTE Reserved1[16];
PVOID Reserved2[10];
UNICODE_STRING ImagePathName;
UNICODE_STRING CommandLine;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

15. PROCESS ARGUMENT SPOOFING

16. RED TEAM CASE STUDY - II

17. WINDOWS OS BOOT SEQUENCE

18. PARENT PROCESS SPOOFING
BOOL CreateProcessA(
LPCSTR lpApplicationName,
LPSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCSTR lpCurrentDirectory,
LPSTARTUPINFOA lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
);

19. PARENT PROCESS SPOOFING
typedef struct _STARTUPINFOEXA {
STARTUPINFOA StartupInfo;
LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList;
} STARTUPINFOEXA, *LPSTARTUPINFOEXA;

20. DO IT THE HARD WAY
• ver
• systeminfo
• tasklist
• tasklist /M
• tasklist /V
• net accounts
• net user
• net user Administrator
• net localgroup
• net localgroup Administrators
• net accounts /domain
• net group /domain
• net group "Domain Computers" /domain
• net group "Domain Controllers" /domain
• net group "Domain Admins" /domain
• net group "Domain Policy Creator Owners" /domain
• ipconfig
• ipconfig /all
• whoami
• whoami /priv

21. DO IT THE HARD WAY
• Netapi32.lib
• Netapi32.dll
• NetUserEnum()
• NetUserGetInfo()
• NetUserGetLocalGroups()
• DsGetDcName()
• Advapi32.lib
• Advapi32.dll
• RegGetValueA()
• Activeds.lib
• Activeds.dll
• ADsOpenObject()

22. MEMORY EVASION
• Obfuscation, Beacon Style
• Gargoyle, https://www.youtube.com/watch?v=B8lIV_Rk5Cg