SensePost | SenseCon 23: from Windows drivers to an almost fully working EDR

Basically a for-dummies guide to how EDR works with complete working code and instructions for a kernel-mode PoC. Probably the best 101-level guide to this that I have seen.

The (Anti-)EDR Compendium

https://github.com/naksyn/Pyramid

Pyramid is composed of:

  1. a Python HTTP/S server that can deliver encrypted files (ChaCha, XOR)

  2. Python modules that can load in-memory dependencies of offensive tooling such as Bloodhound-py, secretsdump, LaZagne, Pythonnet, DonPAPI, pythonmemorymodule, paramiko, pproxy

  3. fixed Python dependencies (zip files) that can be imported in memory

  4. Python cradle that can download, decrypt and execute in memory Pyramid modules