CrimsonEDR is an open-source project engineered to identify specific malware patterns, offering a tool for honing skills in circumventing Endpoint Detection and Response (EDR). By leveraging diverse detection methods, it empowers users to deepen their understanding of security evasion tactics.
Features
| Detection | Description |
|---|---|
| Direct Syscall | Detects the usage of direct system calls, often employed by malware to bypass traditional API hooks. |
| NTDLL Unhooking | Identifies attempts to unhook functions within the NTDLL library, a common evasion technique. |
| AMSI Patch | Detects modifications to the Anti-Malware Scan Interface (AMSI) through byte-level analysis. |
| ETW Patch | Detects byte-level alterations to Event Tracing for Windows (ETW), commonly manipulated by malware to evade detection. |
| PE Stomping | Identifies instances of PE (Portable Executable) stomping. |
| Reflective PE Loading | Detects the reflective loading of PE files, a technique employed by malware to avoid static analysis. |
| Unbacked Thread Origin | Identifies threads originating from unbacked memory regions, often indicative of malicious activity. |
| Unbacked Thread Start Address | Detects threads with start addresses pointing to unbacked memory, a potential sign of code injection. |
| API hooking | Places a hook on the NtWriteVirtualMemory function to monitor memory modifications. |
| Custom Pattern Search | Allows users to search for specific patterns provided in a JSON file, facilitating the identification of known malware signatures. |
Installation
To get started with CrimsonEDR, follow these steps:
- Install dependancy:
bash sudo apt-get install gcc-mingw-w64-x86-64 - Clone the repository:
bash git clone https://github.com/Helixo32/CrimsonEDR - Compile the project:
bash cd CrimsonEDR; chmod +x compile.sh; ./compile.sh
⚠️ Warning
Windows Defender and other antivirus programs may flag the DLL as malicious due to its content containing bytes used to verify if the AMSI has been patched. Please ensure to whitelist the DLL or disable your antivirus temporarily when using CrimsonEDR to avoid any interruptions.
Usage
To use CrimsonEDR, follow these steps:
- Make sure the
ioc.jsonfile is placed in the current directory from which the executable being monitored is launched. For example, if you launch your executable to monitor fromC:\Users\admin\the DLL will look forioc.jsoninC:\Users\admin\ioc.json. Currently,ioc.jsoncontains patterns related tomsfvenom. You can easily add your own in the following format:
{
"IOC": (
("0x03", "0x4c", "0x24", "0x08", "0x45", "0x39", "0xd1", "0x75"),
("0xf1", "0x4c", "0x03", "0x4c", "0x24", "0x08", "0x45", "0x39"),
("0x58", "0x44", "0x8b", "0x40", "0x24", "0x49", "0x01", "0xd0"),
("0x66", "0x41", "0x8b", "0x0c", "0x48", "0x44", "0x8b", "0x40"),
("0x8b", "0x0c", "0x48", "0x44", "0x8b", "0x40", "0x1c", "0x49"),
("0x01", "0xc1", "0x38", "0xe0", "0x75", "0xf1", "0x4c", "0x03"),
("0x24", "0x49", "0x01", "0xd0", "0x66", "0x41", "0x8b", "0x0c"),
("0xe8", "0xcc", "0x00", "0x00", "0x00", "0x41", "0x51", "0x41")
)
}
-
Execute
CrimsonEDRPanel.exewith the following arguments:-
-d <path_to_dll>: Specifies the path to theCrimsonEDR.dllfile. -
-p <process_id>: Specifies the Process ID (PID) of the target process where you want to inject the DLL.
-
For example:
.\CrimsonEDRPanel.exe -d C:\Temp\CrimsonEDR.dll -p 1234
Useful Links
Here are some useful resources that helped in the development of this project:
Contact
For questions, feedback, or support, please reach out to me via:
- Discord : helixo32
- LinkedIn : Matthias Ossard
CrimsonEDR – Simulate The Behavior Of AV/EDR For Malware Development Training
Reviewed by Zion3R
on
8:30 AM
Rating: 5
GIPHY App Key not set. Please check settings