edr-bypass

There are 9 repositories under edr-bypass topic.

• inceptor

  klezVirus / inceptor

  Template-Driven AV/EDR Evasion Framework

  obfuscationpinvokedinvokecode-injectionprocess-injectionav-bypassamsi-bypassav-evasionedr-bypasspe-packeramsi-evasionred-teamred-teamingav-edr-bypasspayload-generator
  Language:Assembly 1502

• tkmru / awesome-edr-bypass

  Awesome EDR Bypass Resources For Ethical Hacking

  awesome-listsedredr-bypass
  790

• NUL0x4C / AtomPePacker

  A Highly capable Pe Packer

  edr-bypasspackerpe
  Language:C 667
• DEFCON-31-Syscalls-Workshop

  VirtualAlllocEx / DEFCON-31-Syscalls-Workshop

  Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".

  antivirus-bypassantivirus-evasionedr-bypassedr-evasionmalware-developmentwindows-internalsdirect-syscallsindirect-syscallsmalware-analysismalware-development-guideworkshopshellcode-loadersyscallsshellcode
  Language:C 559
• Chimera

  georgesotiriadis / Chimera

  Automated DLL Sideloading Tool With EDR Evasion Capabilities

  assemblycppdll-sideloadingedr-bypassoffensive-securitypython3
  Language:Python 438

• WesleyWong420 / RedTeamOps-Havoc-101

  Materials for the workshop "Red Team Ops: Havoc 101"

  active-directoryav-evasionedr-bypassopsecprocess-injectionred-team-opshavoc
  Language:C# 301

• f1zm0 / acheron

  indirect syscalls for AV/EDR evasion in Go assembly

  evasionadversary-emulationav-evasionedr-bypassedr-evasionmalware-researchoffensive-securityred-teamred-teamingassemblygogolang
  Language:Assembly 289

• VirtualAlllocEx / Create-Thread-Shellcode-Fetcher

  This POC gives you the possibility to compile a .exe to completely avoid statically detection by AV/EPP/EDR of your C2-shellcode and download and execute your C2-shellcode which is hosted on your (C2)-webserver.

  shellcode-loadershellcode-injectionantivirus-evasionedr-bypassmsfvenombypass-antivirus
  Language:C++ 244

• fortra / hw-call-stack

  Use hardware breakpoints to spoof the call stack for both syscalls and API calls

  edr-bypassstack-spoofingsyscalls
  Language:C 169

• dobin / antnium

  A C2 framework for initial access in Go

  c2edr-bypassinitial-accessratremote-access
  Language:Go 154
• lolbin-poc

  mrexodia / lolbin-poc

  Small PoC of using a Microsoft signed executable as a lolbin.

  edr-bypassmalwarepocredteamredteam-toolsredteamingwindbgwindbg-extension
  Language:C++ 128

• VirtualAlllocEx / Direct-Syscalls-vs-Indirect-Syscalls

  The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls

  av-bypassav-evasiondirect-syscallsedr-bypassedr-evasionindirect-syscallsshellcode-loaderwindows-int
  Language:C 124

• VirtualAlllocEx / Direct-Syscalls-A-journey-from-high-to-low

  Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).

  av-bypassav-evasiondirect-syscallsedr-bypassedr-evasion
  Language:C 119

• njcve / inflate.py

  Artificially inflate a given binary to exceed common EDR file size limits. Can be used to bypass common EDR.

  antivirusantivirus-evasionav-bypassav-evasionbugbountyedr-bypassendpoint-securityevasion-attack
  Language:Python 115

• V-i-x-x / AMSI-BYPASS

  "AMSI WRITE RAID" Vulnerability that leads to an effective AMSI BYPASS

  0dayamsi-bypassamsi-evasionamsi-patchavavbypassedr-bypassvulnerabilitypentestpentestingmalware
  Language:PowerShell 108

• VirtualAlllocEx / DSC_SVC_REMOTE

  This code example allows you to create a malware.exe sample that can be run in the context of a system service, and could be used for local privilege escalation in the context of an unquoted service path, etc. The payload itself can be remotely hosted, downloaded via the wininet library and then executed via direct system calls.

  av-bypassav-evasiondirect-syscallsedr-bypassedr-evasion
  Language:C 47
• SideloadFinder

  roadwy / SideloadFinder

  frida based script which automates the process of discovering and exploiting DLL Hijacks in target binaries. The discovered binaries can later be weaponized during Red Team Operations to evade AV/EDR's.

  bypass-antivirusbypass-edrdll-hijackingredteamdll-sideloadingedr-bypass
  Language:Python 45

• itaymigdal / PichichiH0ll0wer

  Nim process hollowing loader

  edr-bypassedr-evasionloaderpayload-generatorpayload-injectorpe-loaderpenetration-testingpenetration-testing-toolsprocess-hollowingprocess-injectionred-teamred-team-toolsrunpesyscalls
  Language:Nim 43

• 0mWindyBug / MinifilterHook

  silence file system monitoring components by hooking their minifilters

  driveredr-bypasshookingkernelminifilterwindows
  Language:C 34
• PowerJoker

  Adkali / PowerJoker

  PowerJoker is a Dynamic PowerShell Reverse-Shell Generator; Unique Payloads with different results on Each Execution.

  edr-bypassevadeexecutiongithublinuxmethodsobfuscationoffensive-securitypython3reverse-shellwindows-10windows-11executejokerobfuscate-stringspowerpowershellpython-reverse-shellwindows-reverse-shellpowershell-reverse-shell
  Language:Python 27

• CodeXTF2 / evasion-adventures-files

  Slides and POC demo for my talk at Divizion Zero on EDR evasion titled "Evasion Adventures"

  edr-bypasshookingfridaunhookingred-teamingpentestingpoc
  Language:C++ 21

• x0reaxeax / SilentWrite

  PoC arbitrary WPM without a process handle

  detection-evasionedr-evasionpopcalcredteamremote-writeshellcodeshellcode-executewindowswpmx86-64av-evasionedr-bypassinjectionshellcode-injectionshellcode-injector
  Language:C 16

• VirtualAlllocEx / Create_Thread_Inline_Assembly_x86

  This POC provides the possibilty to execute x86 shellcode in form of a .bin file based on x86 inline assembly

  av-bypassav-evasionedr-bypassedr-evasioninline-assembly
  Language:C++ 15

• melotic / nanostorm

  An (WIP) EDR Evasion tool for x64 Windows & Linux binaries that utilizes Nanomites, written in Rust.

  edr-bypassedr-evasionobfuscationrust
  Language:Rust 13

• VirtualAlllocEx / Shell-we-Assembly

  Shellcode execution via x86 inline assembly based on MSVC syntax

  av-bypassav-evasionedr-bypassedr-evasioninline-assemblywindows-internals
  Language:C++ 12

• x0reaxeax / SysCook64

  Indirect Syscall invocation via thread hijacking

  edr-bypassedr-evasionhook-bypassindirect-syscallthread-contextdetection-evasionredteam
  Language:C 12

• x0reaxeax / SyscallHookBypass

  NTAPI hook bypass with (semi) legit stack trace

  antihookingav-bypassav-evasionedr-bypasswindowshook-bypassx86indirect-syscalldetection-evasionredteam
  Language:C 10

• VirtualAlllocEx / Create_Thread-Inline_Assembly_x86_Fibers

  This POC provides the ability to execute x86 shellcode in the form of a .bin file based on x86 inline assembly and execution over fibers

  av-bypassav-evasionedr-bypassedr-evasioninline-assembly
  Language:C++ 6

• oldkingcone / BYOSI

  Evade EDR's the simple way, by not touching any of the API's they hook.

  aedr-bypassedr-evasionisthingthiswhy
  Language:PHP 5

• nuts7 / RedTeaming-Tactics-and-Techniques

  Red Teaming Tactics and Techniques

  antivirusantivirus-bypassantivirus-evasioncheatsheetedredr-bypassedr-evasionevasionredteam
  Language:PowerShell 4

• asciistring / Kraken-Crypter-v5-Native-Turbo-

  Kraken Crypter v5 (Native/Turbo)

  bypass-antivirusedr-bypassfud-bypassfud-crypterfud-crypter-2023fud-crypter-2024fully-undetectableruntime-analysisbypass-defenderbypass-windows-defendershellcode-injectionsilent-exploitsilent-exploit-pdf
  2

• Hanbry / Custom-PE-Packer

  Custom binary file packer/encoder with integrated decoder stub. A pentest-tool for modern EDR evasion.

  binary-loadersedr-bypassedr-evasionpacker
  Language:C 2

• carboncryptt / CarbonCrypt

  Carbon Crypter / Packer

  bypass-avbackdoorbypass-antiviruscrypterdownloadedr-bypassfudpackerremote-executionremoteshellrunpestealerstealer-fudstealer-undetectedtoken-grabbertrojanundectedundetectablewindows
  1

• nuts7 / EDRSandblast

  EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Notify Routine callbacks, Object Callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.

  antivirusantivirus-bypassantivirus-evasionedredr-bypassedr-evasionevasion
  Language:C 1

• nuts7 / Unprotect_Submission

  Repository to publish your evasion techniques and contribute to the project

  antivirusantivirus-bypassantivirus-evasionedredr-bypassedr-evasionevasionredteam
  Language:C++ 1

• SnipSnapp / Random-Powershell

  Mostly malicious or abusable powershell I've written

  edr-bypassedr-evasionevasion-attackspowershell-scriptwindowswinntadministrative-privileges
  Language:PowerShell 1