search
BlogMemesGitHubAbout

EDR Evasion

hashtag
Bypassing User-land Hooks

hashtag
Unhooking

  • MapModuleToMemory from C# D/Invoke

hashtag
Direct Syscall

  • Memory (HellsGate, HaloGate, TartarusGate, RecycledGate)

  • Disk (GetSyscallStub from C# D/Invoke)

  • Embedded (SysWhispers 1, 2, 3)

hashtag
Hardware Breakpoints

  • TamperingSyscalls2

hashtag
DLL Entry Point Patching

  • SharpBlock

hashtag
Process Mitigation Policy

  • Blockdlls

hashtag
Behavior Detection

hashtag
Call Stack Spoofing

  • Synthetic Stackframe (Draugr)

hashtag
Module Stomping

hashtag
Entropy Detection

  • Adding Non-Random Data

    • Dictionary Words

    • 0x00 Padding

  • Use Encoding & Avoid Encryption

    • UUID Encoding

    • Emojis

  • Avoid Embedding Payload

    • Retrieve From File

    • Fetch Remotely

hashtag
Experimental EDR

PreviousMicrosoft Windows Defender Application Control (WDAC)NextOffensive Development

Last updated