edr-bypass

There are 14 repositories under edr-bypass topic.

• inceptor

  klezVirus / inceptor

  Template-Driven AV/EDR Evasion Framework

  obfuscationpinvokedinvokecode-injectionprocess-injectionav-bypassamsi-bypassav-evasionedr-bypasspe-packeramsi-evasionred-teamred-teamingav-edr-bypasspayload-generator
  Language:Assembly 1723

• tkmru / awesome-edr-bypass

  Awesome EDR Bypass Resources For Ethical Hacking

  awesome-listsedredr-bypassredteamredteaming
  1284

• thomasxm / BOAZ_beta

  Multilayered AV/EDR Evasion Framework

  boazcode-injectionobfuscationav-bypassav-edr-bypassav-evasionedr-bypassetw-bypasspayload-generatorpe-packerprocess-injectionred-teamingred-teaming-toolsred-reamantivirus-evasion
  Language:C++ 800

• NUL0x4C / AtomPePacker

  A Highly capable Pe Packer

  edr-bypasspackerpe
  Language:C 697
• DEFCON-31-Syscalls-Workshop

  VirtualAlllocEx / DEFCON-31-Syscalls-Workshop

  Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".

  antivirus-bypassantivirus-evasionedr-bypassedr-evasionmalware-developmentwindows-internalsdirect-syscallsindirect-syscallsmalware-analysismalware-development-guideworkshopshellcode-loadersyscallsshellcode
  Language:C 695
• Chimera

  georgesotiriadis / Chimera

  Automated DLL Sideloading Tool With EDR Evasion Capabilities

  assemblycppdll-sideloadingedr-bypassoffensive-securitypython3
  Language:Python 470

• WesleyWong420 / RedTeamOps-Havoc-101

  Materials for the workshop "Red Team Ops: Havoc 101"

  active-directoryav-evasionedr-bypassopsecprocess-injectionred-team-opshavoc
  Language:C# 386

• f1zm0 / acheron

  indirect syscalls for AV/EDR evasion in Go assembly

  evasionadversary-emulationav-evasionedr-bypassedr-evasionmalware-researchoffensive-securityred-teamred-teamingassemblygogolang
  Language:Assembly 337

• Offensive-Panda / RWX_MEMEORY_HUNT_AND_INJECTION_DV

  Abusing Windows fork API and OneDrive.exe process to inject the malicious shellcode without allocating new RWX memory region.

  avbypassedr-bypassfudmalware-developmentshellcode
  Language:C++ 282

• V-i-x-x / AMSI-BYPASS

  "AMSI WRITE RAID" Vulnerability that leads to an effective AMSI BYPASS

  0dayamsi-bypassamsi-evasionamsi-patchavavbypassedr-bypassvulnerabilitypentestpentestingmalware
  Language:PowerShell 270

• VirtualAlllocEx / Create-Thread-Shellcode-Fetcher

  This POC gives you the possibility to compile a .exe to completely avoid statically detection by AV/EPP/EDR of your C2-shellcode and download and execute your C2-shellcode which is hosted on your (C2)-webserver.

  antivirus-evasionbypass-antivirusedr-bypassmsfvenomshellcode-injectionshellcode-loader
  Language:C++ 253

• VirtualAlllocEx / Direct-Syscalls-vs-Indirect-Syscalls

  The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls

  av-bypassav-evasiondirect-syscallsedr-bypassedr-evasionindirect-syscallsshellcode-loaderwindows-int
  Language:C 208

• fortra / hw-call-stack

  Use hardware breakpoints to spoof the call stack for both syscalls and API calls

  edr-bypassstack-spoofingsyscalls
  Language:C 197

• dobin / antnium

  A C2 framework for initial access in Go

  c2edr-bypassinitial-accessratremote-access
  Language:Go 194

• V-i-x-x / kernel-callback-removal

  kernel callback removal (Bypassing EDR Detections)

  edredr-bypassedr-evasionkernel
  Language:C++ 189

• oldkingcone / BYOSI

  Evade EDR's the simple way, by not touching any of the API's they hook.

  edr-bypassedr-evasionphppowershellredteam
  Language:PHP 154

• VirtualAlllocEx / Direct-Syscalls-A-journey-from-high-to-low

  Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).

  av-bypassav-evasiondirect-syscallsedr-bypassedr-evasion
  Language:C 141
• lolbin-poc

  mrexodia / lolbin-poc

  Small PoC of using a Microsoft signed executable as a lolbin.

  edr-bypassmalwarepocredteamredteam-toolsredteamingwindbgwindbg-extension
  Language:C++ 136

• voidvxvt / HellBunny

  Malleable shellcode loader written in C and Assembly utilizing direct or indirect syscalls for evading EDR hooks

  direct-syscallsedr-evasionindirect-syscallsmaldevmalware-developmentmsvcnative-apintapiwindowsiat-camouflagepayload-encryptionprocess-injectionedr-bypassapi-hashingdlldll-sideloadingshellcode-injectionshellcode-loader
  Language:C 121

• njcve / inflate.py

  Artificially inflate a given binary to exceed common EDR file size limits. Can be used to bypass common EDR.

  antivirusantivirus-evasionav-bypassav-evasionbugbountyedr-bypassendpoint-securityevasion-attack
  Language:Python 120

• CroodSolutions / AutoPwnKey

  AutoPwnKey is a red teaming framework and testing tool using AutoHotKey (AHK), which at the time of creation proves to be quite evasive. It is our hope that this tool will be useful to red teams over the short term, while over the long term help AV/EDR vendors improve how they handle AHK scripts.

  ahkahk-scriptattack-simulationav-bypassav-evasionedr-bypassedr-evasionevasion-techniquesexploit-codeexploit-developmentexploitation-frameworkpurple-teampurpleteam
  Language:AutoHotkey 107

• 0xflux / Rust-Hells-Gate

  Rust malware EDR evasion via direct syscalls, fully implemented as an example in Rust

  edr-bypassedr-evasionmalwaremalware-researchpentestpentest-toolpentestingredteamredteam-toolsredteamingrustrust-langhellsgateoffensive-securityhells-gateantivirus-bypassantivirus-evasionbypass-antivirusbypass-edr
  Language:Rust 64

• itaymigdal / PichichiH0ll0wer

  Nim process hollowing loader

  loaderpe-loaderpenetration-testingpenetration-testing-toolsprocess-hollowingprocess-injectionred-teamred-team-toolssyscallspayload-generatorrunpepayload-injectoredr-bypassedr-evasion
  Language:Nim 59

• 0mWindyBug / MinifilterHook

  silence file system monitoring components by hooking their minifilters

  driveredr-bypasshookingkernelminifilterwindows
  Language:C 56

• VirtualAlllocEx / DSC_SVC_REMOTE

  This code example allows you to create a malware.exe sample that can be run in the context of a system service, and could be used for local privilege escalation in the context of an unquoted service path, etc. The payload itself can be remotely hosted, downloaded via the wininet library and then executed via direct system calls.

  av-bypassav-evasiondirect-syscallsedr-bypassedr-evasion
  Language:C 54
• SideloadFinder

  roadwy / SideloadFinder

  frida based script which automates the process of discovering and exploiting DLL Hijacks in target binaries. The discovered binaries can later be weaponized during Red Team Operations to evade AV/EDR's.

  bypass-antivirusbypass-edrdll-hijackingdll-sideloadingedr-bypassredteam
  Language:Python 51
• PowerJoker

  Adkali / PowerJoker

  PowerJoker is a Python program which generate a Dynamic PowerShell Reverse-Shell Generator; Unique Payloads with different results on Each Execution.

  edr-bypassevadeexecutiongithublinuxmethodsobfuscationoffensive-securitypython3reverse-shellwindows-10windows-11executejokerobfuscate-stringspowerpowershellpython-reverse-shellwindows-reverse-shellpowershell-reverse-shell
  Language:Python 50

• coleak2021 / hidedump

  Hidedump:a lsassdump tools that may bypass EDR

  clsass-dumpwindowsbypass-avedr-bypass
  Language:C 50

• Chainski / PandaLoader

  A WIP shellcode loader tool which bypasses AV/EDR, coded in C++, and equipped with a minimal console builder.

  bypass-antivirusedr-bypassetw-bypassetw-evasionevasionmalwareobfuscationpe-loaderpowershellshellcodeshellcode-encodershellcode-loaderxor-encryptionpersistencecrypterpayload-generatorredteam
  Language:C++ 42

• WafflesExploits / CobaltStrike-YARA-Bypass-f0b627fc

  Repository of scripts from my blog post on bypassing the YARA rule Windows_Trojan_CobaltStrike_f0b627fc by generating alternative shellcode sequences.

  automatizationcobalt-strikeedr-bypassedr-evasionpythonyara-rules
  Language:Python 37

• CodeXTF2 / evasion-adventures-files

  Slides and POC demo for my talk at Divizion Zero on EDR evasion titled "Evasion Adventures"

  edr-bypassfridahookingpentestingpocred-teamingunhooking
  Language:C++ 30

• k3lpi3b4nsh33 / BlindEdr

  A Blind EDR Project for Educational Purposes

  driveredr-bypassedr-evasionmalware
  Language:C 30

• 0xflux / ETW-Bypass-Rust

  Event Tracing for Windows EDR bypass in Rust (usermode)

  edredr-bypassedr-evasionethical-hackingethical-hacking-toolsetwetw-bypassetw-evasionhackingmalwaremalware-researchpentestpentest-toolpentestingred-teamredteamredteam-toolsredteamingrust
  Language:Rust 28

• EvilBytecode / Ntdll-Unhook

  Unhook Ntdll.dll, Go & C++.

  avedr-bypassedr-evasionevasionfudntdll-unhooking
  Language:C++ 21

• VirtualAlllocEx / Create_Thread_Inline_Assembly_x86

  This POC provides the possibilty to execute x86 shellcode in form of a .bin file based on x86 inline assembly

  av-bypassav-evasionedr-bypassedr-evasioninline-assembly
  Language:C++ 19

• x0reaxeax / SilentWrite

  PoC arbitrary WPM without a process handle

  detection-evasionedr-evasionpopcalcredteamremote-writeshellcodeshellcode-executewindowswpmx86-64av-evasionedr-bypassinjectionshellcode-injectionshellcode-injector
  Language:C 19