
Evading EDR
The Definitive Guide to Defeating Endpoint Detection Systems
A component-by-component teardown of how modern EDR sensors actually collect telemetry, and where each data source can be starved, blinded, or bypassed.
- Authors: Matt Hand
- Published: 2024
- Publisher: No Starch Press
- Pages: 312
- Language: English
Prerequisites
Comfortable with Windows internals, the PE format, and writing offensive tooling in C or C#. This is not where you learn those.
Read this if
Red teamers and detection engineers who want to reason about EDR from the sensor up rather than copy-pasting the bypass of the week.
Skip this if
Anyone wanting a turnkey list of working bypasses, anyone who doesn't run Windows, and anyone who won't sit through the internals.
Key takeaways
- EDR is a collection of telemetry sources, not a monolith; evasion means knowing which source sees what.
- Most durable bypasses attack the sensor's data collection, not its detection logic.
- Vendor-agnostic understanding outlives any specific bypass, which vendors patch fast.
Notes
The rare offensive book that explains the defense well enough to be useful to blue teams. Hand resists the urge to ship a cookbook and instead teaches you the plumbing (ETW, kernel callbacks, minifilters, AMSI) so you can derive your own bypasses. The trade-off is that specific techniques age quickly; the mental model does not.
What to read before
Intermediate · 2018
Malware Data Science
Saxe and Sanders apply machine-learning techniques (classification, clustering, deep learning) to malware detection and attribution, with working Python code and real corpora.
Intermediate · 2008
Hacking: The Art of Exploitation
A from-first-principles tour of low-level exploitation that still teaches the mindset two decades later.
Intermediate · 2012
Practical Malware Analysis
Still the gold standard textbook for static and dynamic malware analysis on Windows.
What to read next
Advanced · 2017
Attacking Network Protocols
James Forshaw, Project Zero veteran, on how to capture, parse, and break protocols from the wire up to the application layer, with a strong focus on building reusable analysis tooling.
Advanced · 2014
The Art of Memory Forensics
Ligh, Case, Levy, and Walters' canonical reference on memory analysis with Volatility — the technique, the tooling, and the operating-system internals it depends on, across Windows, Linux, and macOS.
Advanced · 2024
Windows Security Internals
Forshaw takes apart the Windows security model from the SRM and access tokens up through Kerberos, with live PowerShell you can run against your own machine. The most authoritative single source on how Windows actually decides who can do what.
Explore similar books
Intermediate · 2018
Malware Data Science
Saxe and Sanders apply machine-learning techniques (classification, clustering, deep learning) to malware detection and attribution, with working Python code and real corpora.
Advanced · 2024
Windows Security Internals
Forshaw takes apart the Windows security model from the SRM and access tokens up through Kerberos, with live PowerShell you can run against your own machine. The most authoritative single source on how Windows actually decides who can do what.
Advanced · 2017
Attacking Network Protocols
James Forshaw, Project Zero veteran, on how to capture, parse, and break protocols from the wire up to the application layer, with a strong focus on building reusable analysis tooling.