BlogMemesGitHubAbout

EDR Evasion

Bypassing User-land Hooks

Unhooking

  • MapModuleToMemory from C# D/Invoke

Direct Syscall

  • Memory (HellsGate, HaloGate, TartarusGate, RecycledGate)

  • Disk (GetSyscallStub from C# D/Invoke)

  • Embedded (SysWhispers 1, 2, 3)

Hardware Breakpoints

  • TamperingSyscalls2

DLL Entry Point Patching

  • SharpBlock

Process Mitigation Policy

  • Blockdlls

Behavior Detection

Call Stack Spoofing

  • Synthetic Stackframe (Draugr)

Module Stomping

Entropy Detection

  • Adding Non-Random Data

    • Dictionary Words

    • 0x00 Padding

  • Use Encoding & Avoid Encryption

    • UUID Encoding

    • Emojis

  • Avoid Embedding Payload

    • Retrieve From File

    • Fetch Remotely

Experimental EDR

PreviousMicrosoft Windows Defender Application Control (WDAC)NextOffensive Development

Last updated