EDR Internals – Research & Development
- Buy now
- Learn more
- Discussions
Course Materials

Labs Deployment Guide
EDR_Research_and_Developmet.pdf
EDR_Internals_Research_and_Development_Labs.pdf
EDR Research Methodology.pdf
EDR Assessment Report.pdf
Process Injection Poster - 1.pdf
Process Injection Poster - 2.pdf
Module 1: EDR Fundamentals

0 - Introduction to the Course
1 - Introduction to EDR Systems
2 - EDR Architecture
3 - The Static Engine
4 - The Dynamic Engine - Part 1
5 - The Dynamic Engine - Part 2
6 - The Heuristic Engine
7 - MDE Console Introduction
8 - The ATT&CK MITRE Framework
9 - Discovering the Static Engine Scanner Process
10 - Writing a Custom Detection Rule
11 - Windows Internals Overview
12 - The Registry
13 - Introduction to Services
14 - x64 Architecture and Assembly
15 - x64 Calling Convention
16 - Device Drivers
17 - More x64 Assembly
18 - Introduction to ETW
Module 2: EDR Research Methodology and Practical Analysis

1 - Introduction to EDR Research
2 - EDR Research Methodology
3 - OpenEDR Deployment
4 - OpenEDR Research Lead Gathering - Part 1
5 - OpenEDR Research Lead Gathering - Part 2
6 - Dancing with OpenEDR's Anti-Tampering Mechanism - Part 1
7 - Dancing with OpenEDR's Anti-Tampering Mechanism - Part 2
8 - MDE Configuration Overview
9 - Dancing with MDE's (Defender for Enterprise) Anti-Tampering Mechanism - Part 1
10 - Dancing with MDE's (Defender for Enterprise) Anti-Tampering Mechanism - Part 2
11 - EDR Testing Reports Overview - Part 1
12 - EDR Testing Reports Overview - Part 2
13 - EDR Testing Reports Overview - Part 3
14 - MDE EDR Component Reverse Engineering - Part 1
15 - MDE EDR Component Reverse Engineering - Part 2
16 - MDE EDR ETW Analysis using PerfView
17 - MDE EDR PPL Bypass & Reverse Engineering - Part 1
18 - MDE EDR PPL Bypass & Reverse Engineering - Part 2
Module 3: Building EDR: Foundations

1 - EDR Components
2 - Service and Driver Configuration
3 - Service Operation
4- Service Code Demo
5- More on Services
6- General Programming Guidelines
Module 4: Basic Kernel Driver

1 - Kernel Programming Basics
2 - Nt vs. Zw Functions
3 - Functions and Error codes
4 - Strings
5- Dynamic Memory Allocation
6- Dynamic Memory AllocationDemo
7 - Tagging Memory
8 - Driver Installation and Debugging
9 - Linked Lists
10 - Asserts and Tracing
11 - Handles and Objects
12 - Object Attributes
13 - Anatomy of a Driver
14 - Device and Driver Objects
15 - Creating a Device Object
16 - Securing Device Objects
17 - Symbolic Links
18 - A User Mode Client
19 - Completing the Driver
20 - Testing the Driver
21 - Debugging the Driver
22 - IRQLs
Module 5: Working with IRPs

1 - IRPs
2 - Dispatch Routines
3 - Referencing User Buffers
4 - DeviceIoControl Buffers
5 - DeviceIoControl Demo
Module 6: Kernel Notifications and Callbacks

1 - Process Notifications
2 - Communication with User Mode
3 - Process Notifications Demo
4 - Managing Proceses with Linked Lists
5 - Using an Event Object for User Kernel Notifications
6 - Tables
7 - Synchronization
8 - The Interlocked Functions
9 - Dispatcher Objects
10 - Using a Mutex
11 - Automatic Cleanup
12 - Fast Mutexes
13 - Events
14 - Executive Resources
15 - Spinlocks
16 - Thread Callbacks
17 - Image Load Callbacks
18 - Object Callbacks
19 - Q and A
20 - Registry Callbacks
Module 7: File System Mini-Filters

1 - Introduction to File System Mini-Filters
2 - Minifilter Registration
3 - Pre and Post Callbacks
4 - Filenames
5 - Contexts
6 - File Data and User Buffers
7 - Filter Communication Ports
8 - Debugging Minifilters
Module 8: EDR Bypass and Evasion

1 - Introduction to EDR Bypass & Evasion
2 - FUD Malware vs. Targeted EDR Bypass Malware
3 - Rename Obfuscation - Part 1
4 - Rename Obfuscation - Part 2
5 - Rename Obfuscation - Part 3
6 - Contrrol-flow Obfuscation - Part 1
7 - Control-flow Obfuscation - Part 2
8 - Code & Strings Runtime Decryption - Part 1
9 - Code & Strings Runtime Decryption - Part 2
10 - Dynamic API Resolve - Part 1
11 - Dynamic API Resolve - Part 2
12 - Dynamic API Resolve - Part 3
13 - Process Injection - Part 1
14 - Process Injection - Part 2
15 - APC Injection using Direct Syscalls
16 - Memory Bombing
17 - NTDS Stealer.mp4
Module 9: Detection Techniques

1 - Introduction
2 - Detection Engine
3 - Machine Learning and AI
4 - Kernel Callbacks
5 - Hooking
6 - Other Techniques
Module 10: The Future of EDRs

1 - Known DLL Q and A
2 - Hypervisors Overview
3 - The Rings
4 - Virtualization Based Security
5 - Hypervisor Power
6 - Other Ideas
7 - Final Thoughts and Summary

4 - Rename Obfuscation - Part 2

4 – Rename Obfuscation (Part 2)

Key concept

Renaming obfuscation extends beyond PE section names. It also applies to function names, variable names, and internal logic. Even simple renaming can meaningfully impact static scoring mechanisms in EDRs and AV engines.

Bypassing whitelist / allow-list restrictions

• Some organizations use strict application whitelisting (e.g., AppLocker allow-list mode).
• Even with strong restrictions, attackers can abuse electron-based applications such as Chrome, Teams, or VSCode to run arbitrary code.
• This technique leverages proxy execution, where a trusted application becomes the launcher of malicious logic.
• Attackers have already weaponized this method after its publication, demonstrating the practical value of the finding.

Section-name manipulation

• Renaming PE sections (e.g., .text → text1 or arbitrary names) can influence detection scores.
• Some EDRs rely on section naming conventions; altering them may lower or increase suspicion depending on the engine’s scoring model.
• Renaming alone does not break program functionality because the section name is not functionally tied to execution.

Function name and parameter obfuscation

• Renaming sensitive functions (e.g., executeShell → run) reduces the chance of signature triggers.
• While PDB files are rarely shipped with malware, development builds may unintentionally leak:
– Developer names
– Debug paths
– Internal project structure
• Ensuring release builds disable PDB generation prevents leakage and reduces static indicators.

Real-world example of poor blue-team awareness

• Organizations often underestimate how easy simple bypasses can be.
• Examples include:
– Using ftp.exe to spawn a shell (!cmd) despite CMD being blocked
– Copying system binaries to a new filename to bypass hash or path-based rules
• Demonstrates a recurring theme: defenders frequently implement naive controls without adversarial thinking.

Core takeaway

Rename obfuscation is a simple but impactful method. Even minimal changes—section names, function names, or avoiding debug artifacts—can influence static scores, bypass block rules, and reduce detection likelihood.