Full Report
TL;DR I wanted to better understand EDRs so I built a dummy EDR and talk about it here. EDR (Endpoint Detection and Response) is a kind of security product that aims to detect abnormal activities being executed on a computer or a server. When looking for resources about how EDRs work, I realised that, even if there is a lot of literature available about EDRs, there aren't many articles explaining how an EDR is architected and how the different components of an EDR are orchestrated. This article aims to demystify how EDRs work while building a custom one that will implement a few techniques used by real EDRs.
Analysis Summary
# Tool/Technique: Dummy EDR Implementation (MyDumbEDR)
## Overview
This entry details the creation and architecture of a custom, simplified Endpoint Detection and Response (EDR) system, named "MyDumbEDR," built to demystify how real EDR solutions operate. The core purpose of this project was to understand the architecture, component orchestration, and implementation of specific detection techniques used by commercial EDRs, primarily through the development of a custom Windows kernel driver.
## Technical Details
- Type: Technique/Proof-of-Concept Tool (Custom EDR)
- Platform: Windows (the monitoring component is a custom kernel-mode driver)
- Capabilities: Static analysis of binaries; Dynamic monitoring via kernel driver hooks; Process termination upon detection of malicious behavior (specifically shellcode injection attempts).
- First Seen: Published January 31, 2024
## MITRE ATT&CK Mapping
The techniques the EDR's detection logic targets map primarily to the Execution and Defense Evasion tactics; the EDR itself is a defensive tool.
| Tactic | Technique | Sub-technique (If applicable) |
|---|---|---|
| Execution | T1055 - Process Injection | T1055.001 - Dynamic-link Library Injection (Implied by DLL injection) |
| Defense Evasion | T1055 - Process Injection | T1055.012 - Shellcode Injection (Directly targeted by the example detection) |
*Note: the EDR implementation focuses on detecting these techniques rather than performing them.*
## Functionality
### Core Capabilities
- **Static Analysis:** Detecting binaries identified as malicious based on static checks (e.g., known malicious binaries flagged by a `StaticAnalyzer` agent).
- **Kernel Driver Integration:** Deployment of a custom kernel driver to monitor system operations at a low level.
- **Dynamic Monitoring:** Observing critical security events such as process creation, file modification, and function calls.
### Advanced Features
- **Remote Shellcode Injection Detection:** The EDR successfully detected an attempt by a `RemoteInjector` binary to inject the EDR's own DLL (`MyDumbEDRDLL`) into a target process (Notepad).
- **RWX Memory Allocation Blocking:** The detection was specifically triggered when the target process attempted to allocate a memory page with Read-Write-Execute (RWX) permissions, a common prerequisite for executing injected shellcode.
- **Process Termination:** Upon detecting the malicious memory operation, the EDR terminated the affected process, successfully protecting the target (`notepad.exe`).
## Indicators of Compromise
Since this project is a custom EDR being built for educational purposes, the IOCs listed below pertain to the specific *example scenario* used to test the EDR, not a widespread malware family.
- File Hashes: N/A (Source code and specific hashes not detailed in summary)
- File Names: `ShellcodeInjector` (Binary used to initiate the attack simulation), `MyDumbEDRDLL` (DLL injected by the attacker sample)
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Allocation of memory regions with RWX permissions within a scrutinized process; detection of remote process injection attempts.
## Associated Threat Actors
The article does not associate this custom tool or its underlying detection logic with any known threat actor groups, as it is a framework built for defensive research and learning.
## Detection Methods
The EDR utilizes a multi-layered approach:
- **Signature-based detection:** Flagging specific known malicious binaries (Static Analysis).
- **Behavioral detection:** Monitoring low-level system calls and actions, specifically identifying attempts to write and execute code in a remote process by checking the protection requested on memory allocations (RWX).
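Added example, not code from the MyDumbEDR project: the RWX check described above, written as the decision a hook on the allocation routine would make, with the Win32 protection constants defined inline so it builds without windows.h. The event struct, pids and FLAG_* names are assumptions; the example also strips modifiers such as PAGE_GUARD before classifying, and reports executable allocations in a foreign process separately so a self-allocated JIT page can be policied differently from remote injection.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Win32 page-protection values, defined here so the example builds without
 * windows.h. The low byte is the base protection; PAGE_GUARD (0x100) and the
 * other modifiers live above it and must be stripped before classifying. */
#define PAGE_READWRITE         0x04u
#define PAGE_WRITECOPY         0x08u
#define PAGE_EXECUTE           0x10u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define PAGE_EXECUTE_WRITECOPY 0x80u
#define PAGE_GUARD             0x100u

/* Hypothetical event describing one allocation request as seen by a hook. */
struct alloc_event {
    uint32_t caller_pid;  /* process issuing the allocation */
    uint32_t target_pid;  /* process whose address space receives the page */
    uint32_t protect;     /* requested PAGE_* protection */
};
#define FLAG_RWX    0x1u  /* page would be writable and executable at once */
#define FLAG_REMOTE 0x2u  /* executable page requested in another process */

static bool prot_is_exec(uint32_t b) {
    return b == PAGE_EXECUTE || b == PAGE_EXECUTE_READ ||
           b == PAGE_EXECUTE_READWRITE || b == PAGE_EXECUTE_WRITECOPY;
}
static bool prot_is_write(uint32_t b) {
    return b == PAGE_READWRITE || b == PAGE_WRITECOPY ||
           b == PAGE_EXECUTE_READWRITE || b == PAGE_EXECUTE_WRITECOPY;
}

/* Returns 0 to allow the request, otherwise an OR of FLAG_* bits to block on. */
unsigned evaluate_allocation(const struct alloc_event *e) {
    uint32_t base = e->protect & 0xFFu;  /* PAGE_EXECUTE_READWRITE|PAGE_GUARD is still RWX */
    unsigned flags = 0;
    if (prot_is_exec(base) && prot_is_write(base)) flags |= FLAG_RWX;
    if (prot_is_exec(base) && e->caller_pid != e->target_pid) flags |= FLAG_REMOTE;
    return flags;
}

int main(void) {
    /* Constructed events: a plain heap page, a self-allocated RWX page (JIT-like),
     * and an injector requesting guarded RWX memory inside another process. */
    const struct alloc_event ev[] = {{1234, 1234, PAGE_READWRITE},
        {1234, 1234, PAGE_EXECUTE_READWRITE}, {4321, 1234, PAGE_EXECUTE_READWRITE | PAGE_GUARD}};
    for (size_t i = 0; i < sizeof ev / sizeof ev[0]; i++)
        printf("event %zu: verdict 0x%x\n", i, evaluate_allocation(&ev[i]));
    return 0;
}
```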
## Mitigation Strategies
The capabilities demonstrated by the EDR point to the following mitigation strategies:
- **Kernel-level Monitoring:** Implementing drivers capable of hooking or monitoring key OS functions (like memory management routines) to catch malicious activity before it succeeds.
- **Preventing RWX Allocation:** Strict policies or monitoring around the allocation of memory with both Write and Execute privileges at the same time, since writable-and-executable memory is a strong indicator of code staging (code injection); legitimate JIT compilers are the main benign source of such allocations and need to be accounted for to keep false positives down.
- **Function Hooking/SSDT Monitoring:** The underlying architecture suggests using techniques like function hooking or System Service Descriptor Table (SSDT) monitoring to intercept system calls issued from user space as they enter the kernel. On 64-bit Windows, Kernel Patch Protection (PatchGuard) prevents SSDT modification, so production drivers rely on the documented kernel callback and filter interfaces instead.
## Related Tools/Techniques
- **Traditional Anti-Viruses (Pre-EDR):** Relied heavily on static signatures and simple heuristics.
- **Rootkits:** The implementation relies on a kernel driver, the same foundation on which kernel-mode rootkits are built, illustrating the dual-use nature of kernel programming.
- **EDR (Endpoint Detection and Response):** The constructed dummy EDR is an architectural exercise based on real-world EDR principles.