BestEDROfTheMarket (BEOTM) is a naive user-mode EDR (Endpoint Detection and Response) tool designed to serve as a testing ground for understanding and bypassing the user-mode detection methods that commercial EDRs commonly rely on.
BEOTM hooks at several levels of abstraction, targeting sensitive functions such as those used for memory allocation, process and thread creation or manipulation, changing the access rights of memory regions, and so on. The hooks are installed by injecting BEOTM's DLL into the target process.
Once injected, the DLL redirects calls to the hooked functions into its own internal routines, which inspect the arguments and then decide whether or not to let the call proceed by invoking the original routine.
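The install, inspect and decide cycle described above, as an added C example that is not code from the BEOTM project. It models the IAT-hooking variant rather than an inline hook, because the Import Address Table is simply an array of function pointers, so patching it needs no machine-code trampoline. Everything beyond the mechanism is an assumption made for the example: the import table, the stand-in VirtualAlloc, and the detour's policy of refusing any writable-and-executable allocation. In a real process the slot would be located by walking the PE import directory, made writable with VirtualProtect before being overwritten, and the saved pointer would lead to the genuine kernelbase routine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Page-protection and allocation-type constants with their real winnt.h values,
 * so the detour's rule reads like one written against the Windows API. */
#define PAGE_READWRITE          0x04u
#define PAGE_EXECUTE_READWRITE  0x40u
#define PAGE_EXECUTE_WRITECOPY  0x80u
#define MEM_COMMIT              0x1000u
#define MEM_RESERVE             0x2000u

typedef void *(*VirtualAlloc_t)(void *addr, size_t size, uint32_t type, uint32_t prot);

/* ASSUMPTION: stand-in for kernelbase!VirtualAlloc. It only counts calls and
 * hands back a fake, never-dereferenced address. */
static unsigned g_real_calls;
static void *stub_VirtualAlloc(void *addr, size_t size, uint32_t type, uint32_t prot)
{
    (void)addr; (void)type; (void)prot;
    g_real_calls++;
    return (void *)(uintptr_t)(0x10000u + size);
}

/* ASSUMPTION: stand-in for the process's Import Address Table. In a real PE the
 * IAT is an array of pointers filled in by the loader; compiled code reaches an
 * import with `call [__imp_VirtualAlloc]`, i.e. through this table, which is
 * why swapping one slot redirects every such call without touching code bytes. */
struct iat_entry { const char *name; void *fn; };
static struct iat_entry g_iat[] = {
    { "VirtualAlloc",   (void *)stub_VirtualAlloc },
    { "VirtualProtect", NULL },   /* left unhooked in this example */
};

static VirtualAlloc_t g_orig_VirtualAlloc;   /* saved original, called by the detour */
static unsigned g_blocked;

/* Detour: inspect the arguments, then decide. The rule here (refuse any
 * writable+executable allocation) is an example policy, not BEOTM's own. */
static void *detour_VirtualAlloc(void *addr, size_t size, uint32_t type, uint32_t prot)
{
    if (prot == PAGE_EXECUTE_READWRITE || prot == PAGE_EXECUTE_WRITECOPY) {
        g_blocked++;
        fprintf(stderr, "[hook] blocked RWX VirtualAlloc of %zu bytes (prot=0x%x)\n",
                size, (unsigned)prot);
        return NULL;   /* caller sees the same failure a denied allocation gives */
    }
    return g_orig_VirtualAlloc(addr, size, type, prot);   /* benign: forward to the original */
}

/* Install: save the current slot, then overwrite it with the detour. On Windows
 * the slot lives in a read-only page, so VirtualProtect(..., PAGE_READWRITE, ...)
 * must precede the write and the old protection be restored afterwards. */
static int patch_iat(const char *name, void *detour, void **saved)
{
    for (size_t i = 0; i < sizeof g_iat / sizeof g_iat[0]; i++) {
        if (strcmp(g_iat[i].name, name) == 0 && g_iat[i].fn != NULL) {
            *saved = g_iat[i].fn;
            g_iat[i].fn = detour;
            return 1;
        }
    }
    return 0;
}

int install_hooks(void)
{
    if (g_orig_VirtualAlloc != NULL)
        return 1;   /* already installed; hooking twice would make the detour call itself */
    return patch_iat("VirtualAlloc", (void *)detour_VirtualAlloc,
                     (void **)&g_orig_VirtualAlloc);
}

/* What the "target" program does: resolve VirtualAlloc through the IAT slot, as
 * the compiled import call would, so it lands in the detour once hooked. */
void *call_VirtualAlloc(size_t size, uint32_t prot)
{
    VirtualAlloc_t fn = (VirtualAlloc_t)g_iat[0].fn;
    return fn(NULL, size, MEM_COMMIT | MEM_RESERVE, prot);
}

unsigned blocked_count(void)   { return g_blocked; }
unsigned real_call_count(void) { return g_real_calls; }

int main(void)
{
    install_hooks();
    void *rw  = call_VirtualAlloc(4096, PAGE_READWRITE);          /* allowed */
    void *rwx = call_VirtualAlloc(4096, PAGE_EXECUTE_READWRITE);  /* blocked */
    printf("rw=%p rwx=%p blocked=%u forwarded=%u\n",
           rw, rwx, blocked_count(), real_call_count());
    return 0;
}
```

The same shape carries over to the inline Nt-level and Kernel32-level hooks BEOTM offers; what changes is only the install step, which overwrites the first bytes of the target function with a jump to the detour and keeps a relocated copy of the displaced instructions as the "original" to call. Note that an IAT hook only sees calls that go through the import table: code that resolves the address itself with GetProcAddress, or issues the syscall directly, walks straight past it, which is exactly the gap the tool's stack-monitoring and SSN-crushing modes are meant to cover.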
Features of BEOTM Endpoint Detection and Response Testing Tool
- NT-Level Hooking
- Kernel32-Level Hooking
- Threads Call Stack Monitoring
- IAT Hooking
- SSN Crushing
Usage of BEOTM Endpoint Detection and Response Testing Tool
Usage: BestEdrOfTheMarket.exe [args]

  /help    Shows this help message and quit
  /iat     IAT hooking
  /stack   Threads call stack monitoring
  /nt      Inline Nt-level hooking
  /k32     Inline Kernel32/Kernelbase hooking
  /ssn     SSN crushing
You can download BEOTM here:
Or read more here.