# CrimsonEDR
```
_____ ______ _____ _____
/ ____| (_) | ____| __ \| __ \
| | _ __ _ _ __ ___ ___ ___ _ __ | |__ | | | | |__) |
| | | '__| | '_ ` _ \/ __|/ _ \| '_ \| __| | | | | _ /
| |____| | | | | | | | \__ \ (_) | | | | |____| |__| | | \ \
\_____|_| |_|_| |_| |_|___/\___/|_| |_|______|_____/|_| \_\
Developed by : Matthias Ossard
https://github.com/Helixo32
```
CrimsonEDR is an open-source project engineered to identify specific malware patterns, offering a tool for honing skills in circumventing Endpoint Detection and Response (EDR). By leveraging diverse detection methods, it empowers users to deepen their understanding of security evasion tactics.
## Features
| Detection | Description |
|---------------------------------------------|---------------------------------------------------------------------------------------------------|
| Direct Syscall | Detects the usage of direct system calls, often employed by malware to bypass traditional API hooks.|
| NTDLL Unhooking | Identifies attempts to unhook functions within the NTDLL library, a common evasion technique. |
| AMSI Patch | Detects modifications to the Anti-Malware Scan Interface (AMSI) through byte-level analysis. |
| ETW Patch | Detects byte-level alterations to Event Tracing for Windows (ETW), commonly manipulated by malware to evade detection. |
| PE Stomping | Identifies instances of PE (Portable Executable) stomping. |
| Reflective PE Loading | Detects the reflective loading of PE files, a technique employed by malware to avoid static analysis. |
| Unbacked Thread Origin | Identifies threads originating from unbacked memory regions, often indicative of malicious activity. |
| Unbacked Thread Start Address | Detects threads with start addresses pointing to unbacked memory, a potential sign of code injection. |
| API hooking | Places a hook on the NtWriteVirtualMemory function to monitor memory modifications. |
| Custom Pattern Search | Allows users to search for specific patterns provided in a JSON file, facilitating the identification of known malware signatures. |
## Installation
To get started with CrimsonEDR, follow these steps:
1. Install the dependency (the MinGW-w64 cross-compiler used to build the Windows binaries):
```bash
sudo apt-get install gcc-mingw-w64-x86-64
```
2. Clone the repository:
```bash
git clone https://github.com/Helixo32/CrimsonEDR
```
3. Compile the project:
```bash
cd CrimsonEDR;
chmod +x compile.sh;
./compile.sh
```
## ⚠️ Warning
Windows Defender and other antivirus programs may flag the DLL as malicious, because it contains the byte sequences used to verify whether AMSI has been patched. Whitelist the DLL or temporarily disable your antivirus when using CrimsonEDR to avoid interruptions.
## Usage
To use CrimsonEDR, follow these steps:
1. Make sure the `ioc.json` file is placed in the current directory from which the executable being monitored is launched. For example, if you launch your executable to monitor from `C:\Users\admin\`, the DLL will look for `ioc.json` in `C:\Users\admin\ioc.json`. Currently, `ioc.json` contains patterns related to `msfvenom`. You can easily add your own in the following format:
```json
{
  "IOC": [
    ["0x03", "0x4c", "0x24", "0x08", "0x45", "0x39", "0xd1", "0x75"],
    ["0xf1", "0x4c", "0x03", "0x4c", "0x24", "0x08", "0x45", "0x39"],
    ["0x58", "0x44", "0x8b", "0x40", "0x24", "0x49", "0x01", "0xd0"],
    ["0x66", "0x41", "0x8b", "0x0c", "0x48", "0x44", "0x8b", "0x40"],
    ["0x8b", "0x0c", "0x48", "0x44", "0x8b", "0x40", "0x1c", "0x49"],
    ["0x01", "0xc1", "0x38", "0xe0", "0x75", "0xf1", "0x4c", "0x03"],
    ["0x24", "0x49", "0x01", "0xd0", "0x66", "0x41", "0x8b", "0x0c"],
    ["0xe8", "0xcc", "0x00", "0x00", "0x00", "0x41", "0x51", "0x41"]
  ]
}
```
2. Execute `CrimsonEDRPanel.exe` with the following arguments:
- `-d <path_to_dll>`: Specifies the path to the `CrimsonEDR.dll` file.
- `-p <process_id>`: Specifies the Process ID (PID) of the target process where you want to inject the DLL.
For example:
```powershell
.\CrimsonEDRPanel.exe -d C:\Temp\CrimsonEDR.dll -p 1234
```
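To make the `ioc.json` format concrete, here is an added example (written for this page, not code from the CrimsonEDR project) that loads patterns in the same `"IOC"` layout shown above, validates each entry, and scans a byte buffer for them. The sample JSON and the memory region are constructed inline: the real tool scans a live process from inside the injected DLL, whereas this script scans a byte string standing in for a memory snapshot. The function names (`load_ioc_patterns`, `scan_region`, `build_sample_region`) are this example's own.

```python
import json
from typing import List, Tuple

# Constructed sample in the ioc.json layout: each pattern is a list of "0x.." byte strings.
# The two sequences are taken from the README's example file.
SAMPLE_IOC_JSON = """
{
  "IOC": [
    ["0x03", "0x4c", "0x24", "0x08", "0x45", "0x39", "0xd1", "0x75"],
    ["0xe8", "0xcc", "0x00", "0x00", "0x00", "0x41", "0x51", "0x41"]
  ]
}
"""


def load_ioc_patterns(text: str) -> List[bytes]:
    """Parse ioc.json text into raw byte patterns, rejecting malformed entries early."""
    doc = json.loads(text)
    entries = doc.get("IOC") if isinstance(doc, dict) else None
    if not isinstance(entries, list):
        raise ValueError('ioc.json must contain an "IOC" list')
    patterns: List[bytes] = []
    for idx, entry in enumerate(entries):
        if not isinstance(entry, list) or not entry:
            raise ValueError(f"IOC entry {idx} is not a non-empty list")
        try:
            values = [int(b, 16) for b in entry]  # int() accepts the "0x" prefix with base 16
        except (TypeError, ValueError) as exc:
            raise ValueError(f"IOC entry {idx} contains a non-hex byte") from exc
        if any(v < 0 or v > 0xFF for v in values):
            raise ValueError(f"IOC entry {idx} contains a value outside 0x00-0xff")
        patterns.append(bytes(values))
    return patterns


def scan_region(region: bytes, patterns: List[bytes], base: int = 0) -> List[Tuple[int, bytes]]:
    """Return (address, pattern) for every occurrence of every pattern in the region.

    `base` is the virtual address the region was read from, so reported hits are
    absolute addresses rather than buffer offsets. Overlapping matches are reported.
    """
    hits: List[Tuple[int, bytes]] = []
    for pat in patterns:
        start = 0
        while True:
            pos = region.find(pat, start)
            if pos == -1:
                break
            hits.append((base + pos, pat))
            start = pos + 1
    return hits


def build_sample_region() -> bytes:
    """Constructed stand-in for a memory snapshot: filler bytes with the first
    sample pattern embedded at offset 0x20. The filler values (0x90..0xaf and
    0x90) never start either pattern, so exactly one hit is expected."""
    filler_before = bytes(range(0x90, 0x90 + 0x20))
    embedded = bytes([0x03, 0x4C, 0x24, 0x08, 0x45, 0x39, 0xD1, 0x75])
    filler_after = b"\x90" * 16
    return filler_before + embedded + filler_after


if __name__ == "__main__":
    patterns = load_ioc_patterns(SAMPLE_IOC_JSON)
    region_base = 0x7FF600001000  # constructed base address for the sample region
    for addr, pat in scan_region(build_sample_region(), patterns, base=region_base):
        print(f"IOC match at 0x{addr:016x}: {pat.hex(' ')}")
```

Because `ioc.json` is loaded from the monitored process's working directory, a typo such as `"0xzz"` would otherwise surface only as a silent miss; the validation in `load_ioc_patterns` turns it into an immediate error, which is the check you want before trusting a "no detections" result.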
<img src="assets/CrimsonEDR.gif" alt="CrimsonEDR demo">
## Useful Links
Here are some useful resources that helped in the development of this project:
- [Windows Processes, Nefarious Anomalies, and You](https://pre.empt.blog/2023/windows-processes-nefarious-anomalies-and-you)
- [MalDev Academy](https://maldevacademy.com/)
## Contact
For questions, feedback, or support, please reach out to me via:
- **Discord** : helixo32
- **LinkedIn** : [Matthias Ossard](https://www.linkedin.com/in/matthias-ossard/)