EDR Internals – Research & Development
- Buy now
- Learn more
- Discussions
Course Materials

Labs Deployment Guide
EDR_Research_and_Developmet.pdf
EDR_Internals_Research_and_Development_Labs.pdf
EDR Research Methodology.pdf
EDR Assessment Report.pdf
Process Injection Poster - 1.pdf
Process Injection Poster - 2.pdf
Module 1: EDR Fundamentals

0 - Introduction to the Course
1 - Introduction to EDR Systems
2 - EDR Architecture
3 - The Static Engine
4 - The Dynamic Engine - Part 1
5 - The Dynamic Engine - Part 2
6 - The Heuristic Engine
7 - MDE Console Introduction
8 - The ATT&CK MITRE Framework
9 - Discovering the Static Engine Scanner Process
10 - Writing a Custom Detection Rule
11 - Windows Internals Overview
12 - The Registry
13 - Introduction to Services
14 - x64 Architecture and Assembly
15 - x64 Calling Convention
16 - Device Drivers
17 - More x64 Assembly
18 - Introduction to ETW
Module 2: EDR Research Methodology and Practical Analysis

1 - Introduction to EDR Research
2 - EDR Research Methodology
3 - OpenEDR Deployment
4 - OpenEDR Research Lead Gathering - Part 1
5 - OpenEDR Research Lead Gathering - Part 2
6 - Dancing with OpenEDR's Anti-Tampering Mechanism - Part 1
7 - Dancing with OpenEDR's Anti-Tampering Mechanism - Part 2
8 - MDE Configuration Overview
9 - Dancing with MDE's (Defender for Enterprise) Anti-Tampering Mechanism - Part 1
10 - Dancing with MDE's (Defender for Enterprise) Anti-Tampering Mechanism - Part 2
11 - EDR Testing Reports Overview - Part 1
12 - EDR Testing Reports Overview - Part 2
13 - EDR Testing Reports Overview - Part 3
14 - MDE EDR Component Reverse Engineering - Part 1
15 - MDE EDR Component Reverse Engineering - Part 2
16 - MDE EDR ETW Analysis using PerfView
17 - MDE EDR PPL Bypass & Reverse Engineering - Part 1
18 - MDE EDR PPL Bypass & Reverse Engineering - Part 2
Module 3: Building EDR: Foundations

1 - EDR Components
2 - Service and Driver Configuration
3 - Service Operation
4- Service Code Demo
5- More on Services
6- General Programming Guidelines
Module 4: Basic Kernel Driver

1 - Kernel Programming Basics
2 - Nt vs. Zw Functions
3 - Functions and Error codes
4 - Strings
5- Dynamic Memory Allocation
6- Dynamic Memory AllocationDemo
7 - Tagging Memory
8 - Driver Installation and Debugging
9 - Linked Lists
10 - Asserts and Tracing
11 - Handles and Objects
12 - Object Attributes
13 - Anatomy of a Driver
14 - Device and Driver Objects
15 - Creating a Device Object
16 - Securing Device Objects
17 - Symbolic Links
18 - A User Mode Client
19 - Completing the Driver
20 - Testing the Driver
21 - Debugging the Driver
22 - IRQLs
Module 5: Working with IRPs

1 - IRPs
2 - Dispatch Routines
3 - Referencing User Buffers
4 - DeviceIoControl Buffers
5 - DeviceIoControl Demo
Module 6: Kernel Notifications and Callbacks

1 - Process Notifications
2 - Communication with User Mode
3 - Process Notifications Demo
4 - Managing Proceses with Linked Lists
5 - Using an Event Object for User Kernel Notifications
6 - Tables
7 - Synchronization
8 - The Interlocked Functions
9 - Dispatcher Objects
10 - Using a Mutex
11 - Automatic Cleanup
12 - Fast Mutexes
13 - Events
14 - Executive Resources
15 - Spinlocks
16 - Thread Callbacks
17 - Image Load Callbacks
18 - Object Callbacks
19 - Q and A
20 - Registry Callbacks
Module 7: File System Mini-Filters

1 - Introduction to File System Mini-Filters
2 - Minifilter Registration
3 - Pre and Post Callbacks
4 - Filenames
5 - Contexts
6 - File Data and User Buffers
7 - Filter Communication Ports
8 - Debugging Minifilters
Module 8: EDR Bypass and Evasion

1 - Introduction to EDR Bypass & Evasion
2 - FUD Malware vs. Targeted EDR Bypass Malware
3 - Rename Obfuscation - Part 1
4 - Rename Obfuscation - Part 2
5 - Rename Obfuscation - Part 3
6 - Contrrol-flow Obfuscation - Part 1
7 - Control-flow Obfuscation - Part 2
8 - Code & Strings Runtime Decryption - Part 1
9 - Code & Strings Runtime Decryption - Part 2
10 - Dynamic API Resolve - Part 1
11 - Dynamic API Resolve - Part 2
12 - Dynamic API Resolve - Part 3
13 - Process Injection - Part 1
14 - Process Injection - Part 2
15 - APC Injection using Direct Syscalls
16 - Memory Bombing
17 - NTDS Stealer.mp4
Module 9: Detection Techniques

1 - Introduction
2 - Detection Engine
3 - Machine Learning and AI
4 - Kernel Callbacks
5 - Hooking
6 - Other Techniques
Module 10: The Future of EDRs

1 - Known DLL Q and A
2 - Hypervisors Overview
3 - The Rings
4 - Virtualization Based Security
5 - Hypervisor Power
6 - Other Ideas
7 - Final Thoughts and Summary

2 - Communication with User Mode

Students will learn why an EDR often needs to hand off analysis decisions to user mode when kernel mode cannot safely or efficiently perform full processing. Students will learn practical design patterns for sending event data to a user-mode service and acting on a returned decision.