Template-Driven AV/EDR Evasion Framework
-
Updated
Nov 3, 2023 - Assembly
Template-Driven AV/EDR Evasion Framework
Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".
Automated DLL Sideloading Tool With EDR Evasion Capabilities
Materials for the workshop "Red Team Ops: Havoc 101"
indirect syscalls for AV/EDR evasion in Go assembly
Multilayered AV/EDR Evasion Framework
This POC gives you the possibility to compile a .exe to completely avoid statically detection by AV/EPP/EDR of your C2-shellcode and download and execute your C2-shellcode which is hosted on your (C2)-webserver.
Abusing Windows fork API and OneDrive.exe process to inject the malicious shellcode without allocating new RWX memory region.
"AMSI WRITE RAID" Vulnerability that leads to an effective AMSI BYPASS
Use hardware breakpoints to spoof the call stack for both syscalls and API calls
A C2 framework for initial access in Go
The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls
Small PoC of using a Microsoft signed executable as a lolbin.
Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).
Artificially inflate a given binary to exceed common EDR file size limits. Can be used to bypass common EDR.
Evade EDR's the simple way, by not touching any of the API's they hook.
silence file system monitoring components by hooking their minifilters
This code example allows you to create a malware.exe sample that can be run in the context of a system service, and could be used for local privilege escalation in the context of an unquoted service path, etc. The payload itself can be remotely hosted, downloaded via the wininet library and then executed via direct system calls.
Add a description, image, and links to the edr-bypass topic page so that developers can more easily learn about it.
To associate your repository with the edr-bypass topic, visit your repo's landing page and select "manage topics."