www.darknet.org.uk 5/3/2026, 8:56:20 AM

BEOTM tool shows how to bypass user mode EDR defences for red teams


BEST EDR Of The Market (BEOTM) – Endpoint Detection and Response Testing Tool, published on 5 January 2024, describes BEOTM as a deliberately naive user-mode EDR intended as a testing ground for understanding and bypassing the user-mode detection techniques that commercial EDRs rely on. According to the article, BEOTM injects a DLL into the target process and, at several levels of abstraction, hooks functions related to memory allocation and process creation, so that each call is redirected through BEOTM’s internal routines rather than going straight to the original function.

Features listed include NT-Level Hooking (hooks at the ntdll.dll native API layer), Kernel32-Level Hooking, Threads Call Stack Monitoring, IAT (Import Address Table) Hooking, and SSN Crushing. Usage details show BEOTM is run as BestEdrOfTheMarket[.]exe with flags that enable specific hooks and monitoring modes. Although framed as a testing tool, the piece stresses BEOTM’s role in understanding and bypassing EDR detections, and references related tooling and scenarios to illustrate its relevance to red teams. According to the article, BEOTM is downloadable via a GitHub release linked in the post.
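To make the hooking mechanism the article describes concrete, the following is an added, portable C example written for this page; it is not BEOTM’s code and uses no Windows API. It simulates a process’s import address table as a plain table of function pointers: the “EDR” hooks the allocation import by overwriting the pointer so every call lands in a monitor routine that inspects the protection flag and forwards to the saved original, and the red-team side checks whether the slot still points at the real function and writes the original address back (the unhooking step a bypass performs). The PAGE_* constants, the entry name VirtualAlloc and all function names are constructed stand-ins, not real Windows definitions.

```c
/* Added example: a simulated IAT hook and the matching unhook check.
 * Constructed for illustration; not BEOTM's implementation. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the memory-protection flags an allocator hook inspects. */
#define PAGE_READWRITE         0x04u
#define PAGE_EXECUTE_READWRITE 0x40u

typedef void (*generic_fn)(void);                         /* any imported function */
typedef void *(*alloc_fn)(size_t size, uint32_t protect); /* allocator-like import */

/* One import-table slot: the import name and the address the application calls through. */
struct iat_entry {
    const char *name;
    generic_fn target;
};

/* The "real" allocator the import resolves to before any hook is installed. */
static void *real_alloc(size_t size, uint32_t protect) {
    (void)protect;            /* a real allocator would apply the requested protection */
    return malloc(size);
}

/* Simulated import table of the monitored process (one entry for brevity). */
static struct iat_entry g_iat[] = {
    { "VirtualAlloc", (generic_fn)real_alloc },
};

/* Hook state: the saved original pointer and what the monitor has seen so far. */
static alloc_fn g_orig_alloc = NULL;
static unsigned g_rwx_alerts = 0;

/* Monitor routine: inspect the arguments, then forward to the saved original. */
static void *monitor_alloc(size_t size, uint32_t protect) {
    if (protect & PAGE_EXECUTE_READWRITE) {
        g_rwx_alerts++;
        printf("[edr] RWX allocation of %zu bytes\n", size);
    }
    return g_orig_alloc(size, protect);
}

static struct iat_entry *find_import(const char *name) {
    for (size_t i = 0; i < sizeof g_iat / sizeof g_iat[0]; i++)
        if (strcmp(g_iat[i].name, name) == 0) return &g_iat[i];
    return NULL;
}

/* EDR side: save the original pointer and overwrite the slot with the monitor. */
bool hook_alloc_import(void) {
    struct iat_entry *e = find_import("VirtualAlloc");
    if (!e || g_orig_alloc) return false;       /* missing slot or already hooked */
    g_orig_alloc = (alloc_fn)e->target;
    e->target = (generic_fn)monitor_alloc;
    return true;
}

/* Red-team side: the slot is hooked when it no longer points at the real function. */
bool alloc_import_is_hooked(void) {
    struct iat_entry *e = find_import("VirtualAlloc");
    return e && e->target != (generic_fn)real_alloc;
}

/* Red-team side: restore the original address, so the monitor is never called again. */
bool unhook_alloc_import(void) {
    struct iat_entry *e = find_import("VirtualAlloc");
    if (!e || !g_orig_alloc) return false;
    e->target = (generic_fn)g_orig_alloc;
    g_orig_alloc = NULL;
    return true;
}

/* The application calls through its import slot, as compiled code does with a
 * real IAT, so it cannot tell whether the slot has been redirected. */
void *app_alloc(size_t size, uint32_t protect) {
    struct iat_entry *e = find_import("VirtualAlloc");
    return ((alloc_fn)e->target)(size, protect);
}

unsigned rwx_alert_count(void) { return g_rwx_alerts; }

int main(void) {
    hook_alloc_import();
    free(app_alloc(64, PAGE_READWRITE));           /* benign: no alert */
    free(app_alloc(4096, PAGE_EXECUTE_READWRITE)); /* suspicious: one alert */
    printf("hooked=%d alerts=%u\n", alloc_import_is_hooked(), rwx_alert_count());
    unhook_alloc_import();
    free(app_alloc(4096, PAGE_EXECUTE_READWRITE)); /* after unhook: not seen */
    printf("hooked=%d alerts=%u\n", alloc_import_is_hooked(), rwx_alert_count());
    return 0;
}
```

The same comparison (does the slot still point into the expected module?) is what real unhooking tools apply to a process’s IAT, and it is also why an EDR that relies only on IAT or inline hooks can be bypassed by code that restores the original pointers before making its calls.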


Article by CyberSIXT