Process Injection Poster - 1.pdf
Process Injection Poster - 1.pdf
EDR Internals – Research & Development
Buy now
Learn more
Course Materials
Labs Deployment Guide
EDR_Research_and_Developmet.pdf
EDR_Internals_Research_and_Development_Labs.pdf
2
EDR Research Methodology.pdf
EDR Assessment Report.pdf
Process Injection Poster - 1.pdf
Process Injection Poster - 2.pdf
Module 1: EDR Fundamentals
0 - Introduction to the Course
1 - Introduction to EDR Systems
2 - EDR Architecture
3 - The Static Engine
4 - The Dynamic Engine - Part 1
5 - The Dynamic Engine - Part 2
6 - The Heuristic Engine
7 - MDE Console Introduction
8 - The ATT&CK MITRE Framework
9 - Discovering the Static Engine Scanner Process
10 - Writing a Custom Detection Rule
11 - Windows Internals Overview
12 - The Registry
13 - Introduction to Services
14 - x64 Architecture and Assembly
15 - x64 Calling Convention
16 - Device Drivers
17 - More x64 Assembly
18 - Introduction to ETW
Module 2: EDR Research Methodology and Practical Analysis
1 - Introduction to EDR Research
2 - EDR Research Methodology
3 - OpenEDR Deployment
4 - OpenEDR Research Lead Gathering - Part 1
5 - OpenEDR Research Lead Gathering - Part 2
6 - Dancing with OpenEDR's Anti-Tampering Mechanism - Part 1
7 - Dancing with OpenEDR's Anti-Tampering Mechanism - Part 2
8 - MDE Configuration Overview
9 - Dancing with MDE's (Defender for Enterprise) Anti-Tampering Mechanism - Part 1
10 - Dancing with MDE's (Defender for Enterprise) Anti-Tampering Mechanism - Part 2
11 - EDR Testing Reports Overview - Part 1
12 - EDR Testing Reports Overview - Part 2
13 - EDR Testing Reports Overview - Part 3
14 - MDE EDR Component Reverse Engineering - Part 1
15 - MDE EDR Component Reverse Engineering - Part 2
16 - MDE EDR ETW Analysis using PerfView
17 - MDE EDR PPL Bypass & Reverse Engineering - Part 1
18 - MDE EDR PPL Bypass & Reverse Engineering - Part 2
Module 3: Building EDR: Foundations
1 - EDR Components
2 - Service and Driver Configuration
3 - Service Operation
4- Service Code Demo
5- More on Services
6- General Programming Guidelines
Module 4: Basic Kernel Driver
1 - Kernel Programming Basics
2 - Nt vs. Zw Functions
3 - Functions and Error codes
4 - Strings
5- Dynamic Memory Allocation
6- Dynamic Memory AllocationDemo
7 - Tagging Memory
8 - Driver Installation and Debugging
9 - Linked Lists
10 - Asserts and Tracing
11 - Handles and Objects
12 - Object Attributes
13 - Anatomy of a Driver
14 - Device and Driver Objects
15 - Creating a Device Object
16 - Securing Device Objects
17 - Symbolic Links
18 - A User Mode Client
19 - Completing the Driver
20 - Testing the Driver
21 - Debugging the Driver
22 - IRQLs
Module 5: Working with IRPs
1 - IRPs
2 - Dispatch Routines
3 - Referencing User Buffers
4 - DeviceIoControl Buffers
5 - DeviceIoControl Demo
Module 6: Kernel Notifications and Callbacks
1 - Process Notifications
2 - Communication with User Mode
3 - Process Notifications Demo
4 - Managing Proceses with Linked Lists
5 - Using an Event Object for User Kernel Notifications
6 - Tables
7 - Synchronization
8 - The Interlocked Functions
9 - Dispatcher Objects
10 - Using a Mutex
11 - Automatic Cleanup
12 - Fast Mutexes
13 - Events
14 - Executive Resources
15 - Spinlocks
16 - Thread Callbacks
17 - Image Load Callbacks
18 - Object Callbacks
19 - Q and A
20 - Registry Callbacks
Module 7: File System Mini-Filters
1 - Introduction to File System Mini-Filters
2 - Minifilter Registration
3 - Pre and Post Callbacks
4 - Filenames
5 - Contexts
6 - File Data and User Buffers
7 - Filter Communication Ports
8 - Debugging Minifilters
Module 8: EDR Bypass and Evasion
1 - Introduction to EDR Bypass & Evasion
2 - FUD Malware vs. Targeted EDR Bypass Malware
3 - Rename Obfuscation - Part 1
4 - Rename Obfuscation - Part 2
5 - Rename Obfuscation - Part 3
6 - Contrrol-flow Obfuscation - Part 1
7 - Control-flow Obfuscation - Part 2
8 - Code & Strings Runtime Decryption - Part 1
9 - Code & Strings Runtime Decryption - Part 2
10 - Dynamic API Resolve - Part 1
11 - Dynamic API Resolve - Part 2
12 - Dynamic API Resolve - Part 3
13 - Process Injection - Part 1
14 - Process Injection - Part 2
15 - APC Injection using Direct Syscalls
16 - Memory Bombing
17 - NTDS Stealer.mp4
Module 9: Detection Techniques
1 - Introduction
2 - Detection Engine
3 - Machine Learning and AI
4 - Kernel Callbacks
5 - Hooking
6 - Other Techniques
Module 10: The Future of EDRs
1 - Known DLL Q and A
2 - Hypervisors Overview
3 - The Rings
4 - Virtualization Based Security
5 - Hypervisor Power
6 - Other Ideas
7 - Final Thoughts and Summary
Preview unavailable
You must log in or sign up to view this lesson.
Login
Sign up
EDR Internals – Research & Development
Buy now
Learn more
Course Materials
Labs Deployment Guide
EDR_Research_and_Developmet.pdf
EDR_Internals_Research_and_Development_Labs.pdf
2
EDR Research Methodology.pdf
EDR Assessment Report.pdf
Process Injection Poster - 1.pdf
Process Injection Poster - 2.pdf
Module 1: EDR Fundamentals
0 - Introduction to the Course
1 - Introduction to EDR Systems
2 - EDR Architecture
3 - The Static Engine
4 - The Dynamic Engine - Part 1
5 - The Dynamic Engine - Part 2
6 - The Heuristic Engine
7 - MDE Console Introduction
8 - The ATT&CK MITRE Framework
9 - Discovering the Static Engine Scanner Process
10 - Writing a Custom Detection Rule
11 - Windows Internals Overview
12 - The Registry
13 - Introduction to Services
14 - x64 Architecture and Assembly
15 - x64 Calling Convention
16 - Device Drivers
17 - More x64 Assembly
18 - Introduction to ETW
Module 2: EDR Research Methodology and Practical Analysis
1 - Introduction to EDR Research
2 - EDR Research Methodology
3 - OpenEDR Deployment
4 - OpenEDR Research Lead Gathering - Part 1
5 - OpenEDR Research Lead Gathering - Part 2
6 - Dancing with OpenEDR's Anti-Tampering Mechanism - Part 1
7 - Dancing with OpenEDR's Anti-Tampering Mechanism - Part 2
8 - MDE Configuration Overview
9 - Dancing with MDE's (Defender for Enterprise) Anti-Tampering Mechanism - Part 1
10 - Dancing with MDE's (Defender for Enterprise) Anti-Tampering Mechanism - Part 2
11 - EDR Testing Reports Overview - Part 1
12 - EDR Testing Reports Overview - Part 2
13 - EDR Testing Reports Overview - Part 3
14 - MDE EDR Component Reverse Engineering - Part 1
15 - MDE EDR Component Reverse Engineering - Part 2
16 - MDE EDR ETW Analysis using PerfView
17 - MDE EDR PPL Bypass & Reverse Engineering - Part 1
18 - MDE EDR PPL Bypass & Reverse Engineering - Part 2
Module 3: Building EDR: Foundations
1 - EDR Components
2 - Service and Driver Configuration
3 - Service Operation
4- Service Code Demo
5- More on Services
6- General Programming Guidelines
Module 4: Basic Kernel Driver
1 - Kernel Programming Basics
2 - Nt vs. Zw Functions
3 - Functions and Error codes
4 - Strings
5- Dynamic Memory Allocation
6- Dynamic Memory AllocationDemo
7 - Tagging Memory
8 - Driver Installation and Debugging
9 - Linked Lists
10 - Asserts and Tracing
11 - Handles and Objects
12 - Object Attributes
13 - Anatomy of a Driver
14 - Device and Driver Objects
15 - Creating a Device Object
16 - Securing Device Objects
17 - Symbolic Links
18 - A User Mode Client
19 - Completing the Driver
20 - Testing the Driver
21 - Debugging the Driver
22 - IRQLs
Module 5: Working with IRPs
1 - IRPs
2 - Dispatch Routines
3 - Referencing User Buffers
4 - DeviceIoControl Buffers
5 - DeviceIoControl Demo
Module 6: Kernel Notifications and Callbacks
1 - Process Notifications
2 - Communication with User Mode
3 - Process Notifications Demo
4 - Managing Proceses with Linked Lists
5 - Using an Event Object for User Kernel Notifications
6 - Tables
7 - Synchronization
8 - The Interlocked Functions
9 - Dispatcher Objects
10 - Using a Mutex
11 - Automatic Cleanup
12 - Fast Mutexes
13 - Events
14 - Executive Resources
15 - Spinlocks
16 - Thread Callbacks
17 - Image Load Callbacks
18 - Object Callbacks
19 - Q and A
20 - Registry Callbacks
Module 7: File System Mini-Filters
1 - Introduction to File System Mini-Filters
2 - Minifilter Registration
3 - Pre and Post Callbacks
4 - Filenames
5 - Contexts
6 - File Data and User Buffers
7 - Filter Communication Ports
8 - Debugging Minifilters
Module 8: EDR Bypass and Evasion
1 - Introduction to EDR Bypass & Evasion
2 - FUD Malware vs. Targeted EDR Bypass Malware
3 - Rename Obfuscation - Part 1
4 - Rename Obfuscation - Part 2
5 - Rename Obfuscation - Part 3
6 - Contrrol-flow Obfuscation - Part 1
7 - Control-flow Obfuscation - Part 2
8 - Code & Strings Runtime Decryption - Part 1
9 - Code & Strings Runtime Decryption - Part 2
10 - Dynamic API Resolve - Part 1
11 - Dynamic API Resolve - Part 2
12 - Dynamic API Resolve - Part 3
13 - Process Injection - Part 1
14 - Process Injection - Part 2
15 - APC Injection using Direct Syscalls
16 - Memory Bombing
17 - NTDS Stealer.mp4
Module 9: Detection Techniques
1 - Introduction
2 - Detection Engine
3 - Machine Learning and AI
4 - Kernel Callbacks
5 - Hooking
6 - Other Techniques
Module 10: The Future of EDRs
1 - Known DLL Q and A
2 - Hypervisors Overview
3 - The Rings
4 - Virtualization Based Security
5 - Hypervisor Power
6 - Other Ideas
7 - Final Thoughts and Summary