There are 9 repositories under the edr-bypass topic.
Awesome EDR Bypass Resources For Ethical Hacking
Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".
Automated DLL Sideloading Tool With EDR Evasion Capabilities
Materials for the workshop "Red Team Ops: Havoc 101"
This POC gives you the possibility to compile a .exe that completely avoids static detection by AV/EPP/EDR of your C2-shellcode, and to download and execute your C2-shellcode, which is hosted on your (C2) webserver.
Use hardware breakpoints to spoof the call stack for both syscalls and API calls
Small PoC of using a Microsoft signed executable as a lolbin.
The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls.
Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).
Artificially inflate a given binary to exceed common EDR file size limits. Can be used to bypass common EDR.
"AMSI WRITE RAID" Vulnerability that leads to an effective AMSI BYPASS
This code example allows you to create a malware.exe sample that can be run in the context of a system service, and could be used for local privilege escalation in the context of an unquoted service path, etc. The payload itself can be remotely hosted, downloaded via the wininet library and then executed via direct system calls.
Frida-based script which automates the process of discovering and exploiting DLL hijacks in target binaries. The discovered binaries can later be weaponized during Red Team operations to evade AV/EDRs.
Nim process hollowing loader
Silence file system monitoring components by hooking their minifilters.
PowerJoker is a Dynamic PowerShell Reverse-Shell Generator; Unique Payloads with different results on Each Execution.
Slides and POC demo for my talk at Divizion Zero on EDR evasion titled "Evasion Adventures"
PoC arbitrary WPM without a process handle
This POC provides the possibility to execute x86 shellcode in the form of a .bin file based on x86 inline assembly.
Shellcode execution via x86 inline assembly based on MSVC syntax
NTAPI hook bypass with (semi) legit stack trace
This POC provides the ability to execute x86 shellcode in the form of a .bin file based on x86 inline assembly and execution over fibers.
Evade EDRs the simple way, by not touching any of the APIs they hook.
Red Teaming Tactics and Techniques
Kraken Crypter v5 (Native/Turbo)
Custom binary file packer/encoder with integrated decoder stub. A pentest-tool for modern EDR evasion.
Carbon Crypter / Packer
EDRSandBlast is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections (Notify Routine callbacks, Object Callbacks and the ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
Repository to publish your evasion techniques and contribute to the project
Mostly malicious or abusable PowerShell I've written.