[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-45775-en":3,"doc-seo-45775-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},45775,2336464648322,"Aria","https://ap-avatar.wpscdn.com/avatar/2200025388227c56fec?_k=1778556882303663488",6,"Technology","Evading EDR","Early Access edition of “Evading EDR” by Matt Hand outlines how endpoint detection and response systems work and how detection is achieved. The introduction frames modern compromises as inevitable and emphasizes detecting adversary activity on compromised hosts early and with actionable precision. It describes EDR agents as software components that create, ingest, process, and transmit system activity data for determining intent, and explains how SOC analysts, detection engineers, and other teams rely on EDR-generated alerts and strategies.","EVA D INGE DR  \nA C O M P R E H E N S I V E G U I D E T O D E F E A T I N GE N D P O I N T D E T E C T I O N S Y S T E M S  \nM A T T H A N D  \nplaceholder NOT FINAL  \nNO STA RC H P R ESSEA R LY ACC ESS P ROG RA M :  \nFE E D BAC K WE LCOME!  \nWelcome to the Early Access edition of the as yet unpublished Evading EDR by Matt Hand! As a prepublication title, this book may be incomplete and some chapters may not have been proofread.  \nOur goal is always to make the best books possible, and we look forward to hearing your thoughts. If you have any comments or questions, email us [at](at earlyaccess@nostarch.com. If you have specific feedback for us)[ earlyaccess@nostarch.com](at earlyaccess@nostarch.com. If you have specific feedback for us)[. If you have specific feedback for us](at earlyaccess@nostarch.com. If you have specific feedback for us), please include the page number, book title, and edition date in your note, and we’ll be sure to review it. We appreciate your help and support!  \nWe’ll email you as new chapters become available. In the meantime, enjoy!  \nEVA D I NG E D R  \nMATT HA N D  \nEarly Access edition, 05/24/23  \nCopyright © 2023 by Matt Hand.  \nISBN-13: 978-1-7185-0334-2 (print)  \nISBN-13: 978-1-7185-0335-9 (ebook)  \nPublisher: William Pollock  \nManaging Editor: Jill Franklin  \nProduction Manager: Sabrina Plomitallo-González  \nProduction Editor: Jennifer Kepler  \nDevelopmental Editor: Frances Saux  \nInterior Design: Octopod Studios  \nTechnical Reviewer: Joe Desimone  \nCopyeditor: Audrey Doyle  \nNo Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.  \nAll rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.  \nThe information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.  \nCO NTE NTS  \nAcknowledgments  ................................. v  \nIntroduction  .................................... vii  \nChapter 1: E DR-chitecture  ........................... 1  \nChapter 2: Function-Hooking DLLs  ..................... 17  \nChapter 3: Process- and Thread-Creation Notifications  ...... 33  \nChapter 4: Object Notifications  ...................... 61  \nChapter 5: Image-Load and Registry Notifications  ......... 79  \nChapter 6: Filesystem Minifilter Drivers  ................ 103  \nChapter 7: Network Filter Drivers  .................... 123  \nChapter 8: Event Tracing for Windows  ................ 143  \nChapter 9: Scanners  ............................. 171  \nChapter 10: Antimalware Scan Interface  ............... 183  \nChapter 11: Early Launch Antimalware Drivers  .......... 201  \nChapter 12: Microsoft-Windows-Threat-Intelligence  ........ 215  \nChapter 13: Case Study: A Detection-Aware Attack  ....... 237  \nAppendix: Auxiliary Sources  ....................... 263  \nIndex  ....................................... 000  \nThe chapters in red are included in this Early Access PDF.  \nAC K NOWL E DG M E NTS  \nI wrote this book standing on the shoulders of giants. I’d specifically like to thank all the people who listened to my crazy ideas, answered my 3 am questions, and kept me headed in the right direction while writing this book, the nam","cbCail1XIfLu0rjg","https://ap.wps.com/l/cbCail1XIfLu0rjg","pdf",5164737,1,284,"English","en",105,"# Introduction\n## EDR as non–black-box security\n## EDR agent data flow and intent detection\n# EDR mechanisms and notification pathways\n## EDR-chitecture\n## Function-Hooking DLLs\n## Process- and Thread-Creation Notifications\n## Object Notifications\n## Image-Load and Registry Notifications\n## Filesystem Minifilter Drivers\n## Network Filter Drivers\n## Event Tracing for Windows\n## Scanners\n## Antimalware Scan Interface\n## Early Launch Antimalware Drivers\n## Microsoft-Windows-Threat-Intelligence\n## Case Study: A Detection-Aware Attack\n# Supporting material\n## Auxiliary Sources\n# Index","[{\"question\":\"What problem does the introduction say modern security must address regarding compromises?\",\"answer\":\"It states that network compromises are inevitable and that security focus should shift to detecting adversary activity on compromised hosts as early as possible with enough precision to respond effectively.\"},{\"question\":\"How does the document describe what an EDR agent does?\",\"answer\":\"An EDR agent is described as multiple software components that create, ingest, process, and transmit data about system activity to a central node to determine whether behavior is malicious or benign.\"},{\"question\":\"Who uses EDR outputs inside a security organization?\",\"answer\":\"SOC analysts receive alerts produced by EDR, which relies on detection strategies created by detection engineers, while other engineers maintain and deploy the agents and servers.\"}]",1783465749,716,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"evading-edr","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/technology/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/evading-edr/45775/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-11","2026-07-07",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"What problem does the introduction say modern security must address regarding compromises?","Question",{"text":75,"@type":76},"It states that network compromises are inevitable and that security focus should shift to detecting adversary activity on compromised hosts as early as possible with enough precision to respond effectively.","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"How does the document describe what an EDR agent does?",{"text":80,"@type":76},"An EDR agent is described as multiple software components that create, ingest, process, and transmit data about system activity to a central node to determine whether behavior is malicious or benign.",{"name":82,"@type":73,"acceptedAnswer":83},"Who uses EDR outputs inside a security organization?",{"text":84,"@type":76},"SOC analysts receive alerts produced by EDR, which relies on detection strategies created by detection engineers, while other engineers maintain and deploy the agents and servers.","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,110,113,118,123,128,131,135],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":108,"slug":109},5,"Comic",60,"comic",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":111,"slug":112},50,"technology",{"id":114,"doc_module":4,"doc_module_name":45,"category_name":115,"show_sort_weight":116,"slug":117},7,"Healthcare",40,"healthcare",{"id":119,"doc_module":4,"doc_module_name":45,"category_name":120,"show_sort_weight":121,"slug":122},8,"Research & Report",30,"research-report",{"id":124,"doc_module":4,"doc_module_name":45,"category_name":125,"show_sort_weight":126,"slug":127},9,"Religion & Spirituality",20,"religion-spirituality",{"id":126,"doc_module":4,"doc_module_name":45,"category_name":129,"show_sort_weight":126,"slug":130},"World Cup","world-cup",{"id":132,"doc_module":4,"doc_module_name":45,"category_name":133,"show_sort_weight":132,"slug":134},10,"Lifestyle","lifestyle",{"id":136,"doc_module":4,"doc_module_name":45,"category_name":137,"show_sort_weight":106,"slug":138},19,"General","general"]