edr-bypass

There are 15 repositories under edr-bypass topic.

• inceptor

  klezVirus / inceptor

  Template-Driven AV/EDR Evasion Framework

  obfuscationpinvokedinvokecode-injectionprocess-injectionav-bypassamsi-bypassav-evasionedr-bypasspe-packeramsi-evasionred-teamred-teamingav-edr-bypasspayload-generator
  Language:Assembly 1744

• tkmru / awesome-edr-bypass

  Awesome EDR Bypass Resources For Ethical Hacking

  awesome-listsedredr-bypassredteamredteaming
  1332

• thomasxm / BOAZ_beta

  Multilayered AV/EDR Evasion Framework

  antivirus-evasionav-bypassav-edr-bypassav-evasionboazcode-injectionedr-bypassetw-bypassobfuscationpayload-generatorpe-packerprocess-injectionred-reamred-teamingred-teaming-tools
  Language:C++ 845
• DEFCON-31-Syscalls-Workshop

  VirtualAlllocEx / DEFCON-31-Syscalls-Workshop

  Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".

  antivirus-bypassantivirus-evasionedr-bypassedr-evasionmalware-developmentwindows-internalsdirect-syscallsindirect-syscallsmalware-analysismalware-development-guideworkshopshellcode-loadersyscallsshellcode
  Language:C 718
• Chimera

  georgesotiriadis / Chimera

  Automated DLL Sideloading Tool With EDR Evasion Capabilities

  assemblycppdll-sideloadingedr-bypassoffensive-securitypython3
  Language:Python 492

• WesleyWong420 / RedTeamOps-Havoc-101

  Materials for the workshop "Red Team Ops: Havoc 101"

  active-directoryav-evasionedr-bypassopsecprocess-injectionred-team-opshavoc
  Language:C# 387

• f1zm0 / acheron

  indirect syscalls for AV/EDR evasion in Go assembly

  evasionadversary-emulationav-evasionedr-bypassedr-evasionmalware-researchoffensive-securityred-teamred-teamingassemblygogolang
  Language:Assembly 339

• V-i-x-x / AMSI-WRITE-RAID-BYPASS

  "AMSI WRITE RAID" Vulnerability that leads to an effective AMSI BYPASS

  0dayamsi-bypassamsi-evasionamsi-patchavavbypassedr-bypassvulnerabilitypentestpentestingmalware
  Language:PowerShell 309

• Offensive-Panda / RWX_MEMEORY_HUNT_AND_INJECTION_DV

  Abusing Windows fork API and OneDrive.exe process to inject the malicious shellcode without allocating new RWX memory region.

  avbypassedr-bypassfudmalware-developmentshellcode
  Language:C++ 287

• VirtualAlllocEx / Create-Thread-Shellcode-Fetcher

  This POC gives you the possibility to compile a .exe to completely avoid statically detection by AV/EPP/EDR of your C2-shellcode and download and execute your C2-shellcode which is hosted on your (C2)-webserver.

  shellcode-loadershellcode-injectionantivirus-evasionedr-bypassmsfvenombypass-antivirus
  Language:C++ 257

• VirtualAlllocEx / Direct-Syscalls-vs-Indirect-Syscalls

  The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls

  av-bypassav-evasiondirect-syscallsedr-bypassedr-evasionindirect-syscallsshellcode-loaderwindows-int
  Language:C 214

• fortra / hw-call-stack

  Use hardware breakpoints to spoof the call stack for both syscalls and API calls

  edr-bypassstack-spoofingsyscalls
  Language:C 197

• V-i-x-x / kernel-callback-removal

  kernel callback removal (Bypassing EDR Detections)

  edredr-bypassedr-evasionkernel
  Language:C++ 197

• dobin / antnium

  A C2 framework for initial access in Go

  c2edr-bypassinitial-accessratremote-access
  Language:Go 193

• j3h4ck / WatchDogKiller

  PoC exploit for the vulnerable WatchDog Anti-Malware driver (amsdk.sys) – weaponized to kill protected EDR/AV processes via BYOVD.

  av-bypassav-evasionbyovdedredr-bypassedr-evasion
  Language:C++ 172

• oldkingcone / BYOSI

  Evade EDR's the simple way, by not touching any of the API's they hook.

  edr-bypassedr-evasionphppowershellredteam
  Language:PHP 162

• VirtualAlllocEx / Direct-Syscalls-A-journey-from-high-to-low

  Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).

  av-bypassav-evasiondirect-syscallsedr-bypassedr-evasion
  Language:C 143
• lolbin-poc

  mrexodia / lolbin-poc

  Small PoC of using a Microsoft signed executable as a lolbin.

  edr-bypassmalwarepocredteamredteam-toolsredteamingwindbgwindbg-extension
  Language:C++ 139

• voidvxvt / HellBunny

  Malleable shellcode loader written in C and Assembly utilizing direct or indirect syscalls for evading EDR hooks

  api-hashingdirect-syscallsdlldll-sideloadingedr-bypassedr-evasioniat-camouflageindirect-syscallsmaldevmalware-developmentmsvcnative-apintapipayload-encryptionprocess-injectionshellcode-injectionshellcode-loaderwindows
  Language:C 129

• njcve / inflate.py

  Artificially inflate a given binary to exceed common EDR file size limits. Can be used to bypass common EDR.

  antivirusantivirus-evasionav-bypassav-evasionbugbountyedr-bypassendpoint-securityevasion-attack
  Language:Python 120

• CroodSolutions / AutoPwnKey

  AutoPwnKey is a red teaming framework and testing tool using AutoHotKey (AHK), which at the time of creation proves to be quite evasive. It is our hope that this tool will be useful to red teams over the short term, while over the long term help AV/EDR vendors improve how they handle AHK scripts.

  ahkahk-scriptattack-simulationav-bypassav-evasionedr-bypassedr-evasionevasion-techniquesexploit-codeexploit-developmentexploitation-frameworkpurple-teampurpleteam
  Language:AutoHotkey 108

• CroodSolutions / BeaconatorC2

  BeaconatorC2 is a framework for red teaming and adversarial emulation, providing a full-featured management interface, along with a catalog of beacons and a clear schema to add more beacons over time.

  adversarial-attacksc2command-and-controlcredential-dumpingdll-unhookingedr-bypassedr-evasionmetasploit-installpentest-toolpurple-teamingred-team-tools
  Language:Python 85

• Chainski / PandaLoader

  A WIP shellcode loader tool which bypasses AV/EDR, coded in C++, and equipped with a minimal builder.

  bypass-antivirusedr-bypassetw-bypassetw-evasionevasionmalwareobfuscationpe-loaderpowershellshellcodeshellcode-encodershellcode-loaderxor-encryptionpersistencecrypterpayload-generatorredteam
  Language:C++ 77

• 0xflux / Rust-Hells-Gate

  Rust malware EDR evasion via direct syscalls, fully implemented as an example in Rust

  edr-bypassedr-evasionmalwaremalware-researchpentestpentest-toolpentestingredteamredteam-toolsredteamingrustrust-langhellsgateoffensive-securityhells-gateantivirus-bypassantivirus-evasionbypass-antivirusbypass-edr
  Language:Rust 68
• PowerJoker

  Adkali / PowerJoker

  PowerJoker is a Python program which generate a Dynamic PowerShell Reverse-Shell Generator; Unique Payloads with different results on Each Execution.

  edr-bypassevadeexecutiongithublinuxmethodsobfuscationoffensive-securitypython3reverse-shellwindows-10windows-11executejokerobfuscate-stringspowerpowershellpython-reverse-shellwindows-reverse-shellpowershell-reverse-shell
  Language:Python 65

• itaymigdal / PichichiH0ll0wer

  Nim process hollowing loader

  edr-bypassedr-evasionloaderpayload-generatorpayload-injectorpe-loaderpenetration-testingpenetration-testing-toolsprocess-hollowingprocess-injectionred-teamred-team-toolsrunpesyscalls
  Language:Nim 60

• 0mWindyBug / MinifilterHook

  silence file system monitoring components by hooking their minifilters

  driveredr-bypasshookingkernelminifilterwindows
  Language:C 59

• NanoWraith / BlindEdr

  A Blind EDR Project for Educational Purposes

  driveredr-bypassedr-evasionmalware
  Language:C 58

• VirtualAlllocEx / DSC_SVC_REMOTE

  This code example allows you to create a malware.exe sample that can be run in the context of a system service, and could be used for local privilege escalation in the context of an unquoted service path, etc. The payload itself can be remotely hosted, downloaded via the wininet library and then executed via direct system calls.

  av-bypassav-evasiondirect-syscallsedr-bypassedr-evasion
  Language:C 55
• SideloadFinder

  roadwy / SideloadFinder

  frida based script which automates the process of discovering and exploiting DLL Hijacks in target binaries. The discovered binaries can later be weaponized during Red Team Operations to evade AV/EDR's.

  bypass-antivirusbypass-edrdll-hijackingdll-sideloadingedr-bypassredteam
  Language:Python 52

• coleak2021 / hidedump

  Hidedump:a lsassdump tools that may bypass EDR

  clsass-dumpwindowsbypass-avedr-bypass
  Language:C 50

• andrecrafts / CobaltStrike-YARA-Bypass-f0b627fc

  Bypass YARA rule Windows_Trojan_CobaltStrike_f0b627fc by generating alternative shellcode sequences.

  automatizationcobalt-strikeedr-bypassedr-evasionpythonyara-rules
  Language:Python 49

• micREsoft / SysCaller

  SysCaller: SDK for WindowsAPI via syscalls. Dynamic Resolution, Obfuscation, Multi-Language Bindings, & more!

  reverse-engineeringwindowsmasmntdllsyscallobfuscationredteamsecuritysyscalls
  Language:C 49

• EvilBytecode / Ntdll-Unhook

  Unhook Ntdll.dll, Go & C++.

  avedr-bypassedr-evasionevasionfudntdll-unhooking
  Language:C++ 31

• CodeXTF2 / evasion-adventures-files

  Slides and POC demo for my talk at Divizion Zero on EDR evasion titled "Evasion Adventures"

  edr-bypassfridahookingpentestingpocred-teamingunhooking
  Language:C++ 30

• 0xflux / ETW-Bypass-Rust

  Event Tracing for Windows EDR bypass in Rust (usermode)

  edredr-bypassedr-evasionethical-hackingethical-hacking-toolsetwetw-bypassetw-evasionhackingmalwaremalware-researchpentestpentest-toolpentestingred-teamredteamredteam-toolsredteamingrust
  Language:Rust 27