Awesome EDR Evasion


EDR Evasion Techniques
🔹 Syscall Evasion
Direct Syscalls: Calling syscalls directly to avoid API hooks.
Indirect Syscalls: Using techniques like "Hell's Gate" or "Halo's Gate" to resolve and execute syscalls dynamically.
Recycled Gate: Reusing a legitimate syscall from a different process.
Tartarus Gate: A novel method of syscall obfuscation.
Syswhispers2/Syswhispers3: Generating undetectable syscalls.
🔗 Hell's and Halo's Gate
🔗 Recycled Gate
🔗 Tartarus Gate
🔗 SysWhispers

🔹 API Unhooking
Unhooking NTDLL: Restoring the original NTDLL memory region.
Syscall Stubbing: Using alternative API calls to bypass hooks.
Patch Unhooking: Overwriting memory regions to remove hooks.
Manually Mapping DLLs: Loading clean DLLs into memory.
Heaven's Gate: Transitioning between 32-bit and 64-bit code to bypass hooks.
Hookchain
🔗 Unhooking Patch
🔗 Windows API for Red Team
🔗 Direct Syscalls & Unhooking
🔗 Hookchain

🔹 Injection Techniques
APC Queue Injection
AddressOfEntryPoint Code Injection
Classic Code Injection (API Obfuscation)
Classic Code Injection (Local)
Classic Code Injection (Remote)
Classic Code Injection (Remote with VirtualProtect)
Classic DLL Injection
Early Bird Code Injection
Injection Through Fiber
Module Stomping
Mockingjay Injection
NTAPI Injection
NtCreateSection & MapViewOfSection Injection
PEB Walk API Obfuscation Injection
PEB Walk Injection
PE Code Injection
Process Ghosting
Process Hollowing
RWX Hunting Injection
Reflective DLL Injection
Reflective DLL Loading (Lagos Island)
Remote Thread Hijacking
Direct Syscalls Injection
Indirect Syscalls Injection
🔗 EDR Bypass Methods
🔗 Native .NET Code Injection

🔹 Sandbox & VM Evasion
Checking CPU Cores: Many sandboxes run on a single core.
Timing Attacks: Delaying execution to avoid automated analysis.
User Interaction Checks: Requiring mouse movement or keystrokes.
Environment Artifacts: Checking registry, MAC addresses, or system variables.
Hardware Fingerprinting: Identifying VM artifacts like disk serial numbers.
Hypervisor Detection: Using CPUID and other instructions.
Instruction Counting: Detecting instruction execution anomalies in VMs.
Stealth Sleep: Avoiding modified sleep functions used in analysis.
🔗 al-khaser Anti-VM Toolkit

🔹 LOLBins & LOLDrivers
Living Off The Land Binaries (LOLBins): Using trusted Windows executables for malicious purposes.
BYOVD (Bring Your Own Vulnerable Driver): Exploiting signed vulnerable drivers to disable security products.
Abusing Windows Defender & Other Security Services: Using native features against the system.
🔗 EDR Bypass with LOLBins
🔗 Loldrivers
🔗 BYOVD Kill EDR

🔹 AMSI Bypass
AMSI Patch: Overwriting AMSI.dll functions in memory.
AMSI Unhooking: Removing hooks in AMSI functions.
AMSI Reflection: Using reflection in PowerShell to disable AMSI.
AMSI Argument Spoofing: Modifying arguments to bypass scanning.
Environment Variable Poisoning: Exploiting environment variables to disable AMSI.
🔗 AMSI Bypass Techniques
🔗 AMSI Bypass via Reflection

🔹 LSASS Dumping & Credential Theft
Mimikatz: Extracting credentials from LSASS.
MiniDumpWriteDump: Dumping LSASS memory.
NTDLS Cloning: Bypassing credential protection by cloning LSASS.
Direct Syscalls for LSASS Dump: Avoiding API calls monitored by EDR.
Token Impersonation: Using stolen tokens for privilege escalation.
🔗 Mimikatz
🔗 SharpDump

🔹 Protected Process Light (PPL) Bypass
Using Vulnerable Drivers: Modifying process privileges.
Token Manipulation: Using stolen tokens to disable PPL.
Memory Patching: Modifying system memory to remove PPL protection.
🔗 PPLdump
🔗 SharpPPL

๐Ÿ› ๏ธ Tools for Evasion
Veil Evasion Framework
Avet Project
Avlator
Shellcode Templates
Mortar Evasion
AtomPePacker
Phantom Evasion
PEObfuscator
AMSI Bypass Powershell
SharpBlock
Process Injection Tools
