Intro and plan for the Sanctum EDR

Project plan for the Sanctum EDR build in Rust.

Intro

The project can be found here on my GitHub.

Sanctum is going to be an EDR, build in Rust, designed to perform the job of both an antivirus (AV) and Endpoint Detection and Response (EDR). It is no small feat building an EDR, and I am somewhat anxious about the path ahead; but you have to start somewhere and I’m starting with a blog post. If nothing else, this series will help me convey my own development and learning, as well as keep me motivated to keep working on this - all too often with personal projects I start something and then jump to the next shiny thing I think of. If you are here to learn something, hopefully I can impart some knowledge through this process.

There are a lot of challenges here, none of which are comparable to developing the kernel mode driver for my EDR in Rust. There’s shockingly little in the space of blog posts or tutorials for driver development in Rust for Windows, so I’ll be reliant mostly upon the documentation from the Microsoft Windows Drivers (Rust) GitHub repo. This was published September 2023, so only 10 months ago from the time of writing!

I plan to build this EDR also around offensive techniques I’m demonstrating for this blog, hopefully to show how certain attacks could be stopped or detected - or it may be I can’t figure out a way to stop the attack! Either way, it will be fun!

Project Plan

The features I want to implement in this project as as below; I am hoping that this serves roughly as a guide for my milestones, I will be adding to this list no doubt as I go through my journey. If you are reading this and can think of any suggestions, please get in touch with me via Twitter, GitHub, Email (fluxsec@proton.me) or YouTube!

Kernel driver

• [x] Establish a simple Hello World driver
• [ ] Define communication protocols for the driver and user mode applications
• [ ] Inject the DLL into all new processes
  • [ ] PsSetCreateProcessNotifyRoutineEx may be of assistance
• [ ] Kill processes
• [ ] Message the telemetry service for dropped files to scan
• [ ] Intercept syscalls
• [ ] Intercept when a executable is launched and notify telemetry service
  • [ ] PsSetCreateProcessNotifyRoutineEx
• [ ] Intercept a DLL being loaded into a process (under suspicious circumstances)
  • [ ] PsSetLoadImageNotifyRoutine
• [ ] Intercept a new thread creation (under suspicious circumstances)
  • [ ] PsSetCreateThreadNotifyRoutine
• [ ] Intercept WriteProcessMemory; do some digging what can we see. Maybe alert the DLL to do some more analysis of the process?
• [ ] Intercept permission changes for memory regions; if it happens too often then this could be a red flag?
• [ ] Intercept registry changes
• [ ] Intercept handle requests for privileged processes
• [ ] Intercept any process trying to access password stores (like browsers) to try stop stealer malware
• [ ] Detect when the telemetry service is killed - this should be a big red flag. Restart the application if this happens and figure out what killed it
• [ ] Monitor ETW-Threat-Intelligence (& any other ETW’s), and signal the telemetry service if something triggers for logging

DLL

• [ ] Send messages to the kernel driver
• [ ] Execute in a thread every 5 seconds per process
• [ ] Hash certain NTAPI functions to detect tampering to thwart ETW patching` and compare against hashes generated when the DLL is loaded
• [ ] Hook certain NTAPI functions to implement the syscall stub myself, and implement logic to figure out if its malicious
• [ ] Check for regions of memory with execute flags
• [ ] Memory dump a process for forensic preservation if the kernel module says kill

Telemetry service

This could also serve as a user mode AV potentially. For now, I’ll build the plan as if that is what it is doing

• [ ] Scan each new file created on disk for static IOCs
• [ ] Scan each new file created on disk for import address table analysis
• [ ] Scan each new file created on disk for malicious segments / patterns of behaviour
  • [ ] Direct PEB access
  • [ ] Bad entropy
  • [ ] Direct syscalls in user .text segments
• [ ] Full disk scan
• [ ] GUI
• [ ] Run file in sandbox once alerted to an executable launching from the kernel
• [ ] Download IOCs from an online database, and store locally
• [ ] Export the data in a way in which it can be ingested by a SIEM

Not sure where to put them

• [ ] Ransomware detection
• [ ] Integration with AMSI

Sources of inspiration

Collating a list of resources as I do my research for the project, these can be thought of as bookmarks to come back to later to help me find implementation inspiration for the feature list of Sanctum EDR.

• https://sensepost.com/blog/2024/sensecon-23-from-windows-drivers-to-an-almost-fully-working-edr/
• https://github.com/sensepost/mydumbedr
• https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/subscribing-to-process-creation-thread-creation-and-image-load-notifications-from-a-kernel-driver
• https://synzack.github.io/Blinding-EDR-On-Windows/

Final thoughts

This is about it for the first post in the series. I’ll post whenever I feel like I have done something worth talking about, or made progress in something new I have learned. As I said, this is more about me documenting my growth and learning, rather than being a tutorial per-se. I hope you enjoy this series and take something positive away from it!

Until next time, ciao!