Table of Contents

Introduction
Chapter 1: EDR-chitecture
Chapter 2: Function-Hooking DLLs
Chapter 3: Thread and Process Notifications
Chapter 4: Object Notifications
Chapter 5: Image-Load and Registry Notifications
Chapter 6: Minifilters
Chapter 7: Network Filter Drivers
Chapter 8: Event Tracing for Windows
Chapter 9: Scanners
Chapter 10: Anti-Malware Scan Interface
Chapter 11: Early Launch Anti-Malware Drivers
Chapter 12: Microsoft-Windows-Threat-Intelligence
Chapter 13: A Detection-Aware Attack
Appendix

About the Author

Matt Hand is an experienced red team operator with over a decade of experience. His primary areas of focus are in vulnerability research and EDR evasion where he spends a large amount of time conducting independent research, developing tooling, and publishing content. Matt is currently a Service Architect at SpecterOps where he focuses on improving the technical and execution capabilities of the Adversary Simulation team, as well as serving as a subject matter expert on evasion tradecraft.

Reviews

"A great book for red and blue [people]! It is a great resource for anyone who wants to learn more about how EDRs work and Windows internals with a security perspective."
—Olaf Hartong, @olafhartong, researcher at FalconForce

"If you spend any time around EDR's, or are just interested in how they work... this book is an invaluable addition to your collection."
—Adam Chester, @_xpn_, RedTeamer at TrustedSec

"A masterclass in understanding EDR internals...a very relevant handbook for both attackers and defenders to learn about the strengths, but also limitations and blind spots of EDR software."
—Arris Huijgen, @bitsadmin