edr-evasion

There are 9 repositories under edr-evasion topic.

• BestEdrOfTheMarket

  Xacone / BestEdrOfTheMarket

  EDR Lab for Experimentation Purposes

  edrdefense-evasionedr-evasionedr-testingkernel-developmentkernel-driver
  Language:C++ 1341

• klezVirus / SilentMoonwalk

  PoC Implementation of a fully dynamic call stack spoofer

  av-evasionedr-evasionthread-stackstack-spoofing
  Language:C++ 830
• DEFCON-31-Syscalls-Workshop

  VirtualAlllocEx / DEFCON-31-Syscalls-Workshop

  Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".

  antivirus-bypassantivirus-evasionedr-bypassedr-evasionmalware-developmentwindows-internalsdirect-syscallsindirect-syscallsmalware-analysismalware-development-guideworkshopshellcode-loadersyscallsshellcode
  Language:C 695

• Accenture / Codecepticon

  .NET/PowerShell/VBA Offensive Security Obfuscator

  antivirus-evasioncsharpedr-evasionobfuscationpowershellvbaaccenture-security
  Language:C# 489

• pard0p / CallstackSpoofingPOC

  C++ self-Injecting dropper based on various EDR evasion techniques.

  av-evasiondropperedr-evasionindirect-syscall
  Language:C 369
• hades

  f1zm0 / hades

  Go shellcode loader that combines multiple evasion techniques

  av-evasionedr-evasiongolangpentestingred-teamingntapintdllsyscallsevasionadversary-emulationoffensive-security
  Language:Go 363

• Kudaes / EPI

  Threadless Process Injection through entry point hijacking

  edr-evasionhackingredteamrustwindows
  Language:Rust 343

• Kudaes / Unwinder

  Call stack spoofing for Rust

  edr-evasionhacking-toolrust
  Language:Rust 331

• f1zm0 / acheron

  indirect syscalls for AV/EDR evasion in Go assembly

  adversary-emulationassemblyav-evasionedr-bypassedr-evasionevasiongogolangmalware-researchoffensive-securityred-teamred-teaming
  Language:Assembly 324

• naksyn / PythonMemoryModule

  pure-python implementation of MemoryModule technique to load dll and unmanaged exe entirely from memory

  edr-evasionevasionhackingmemory-modulememorymodulepythonredteamredteam-toolsredteamingrunpe
  Language:Python 313

• Kudaes / Split

  Apply a divide and conquer approach to bypass EDRs

  edr-evasionforkrustwindows
  Language:Rust 278

• VirtualAlllocEx / Payload-Download-Cradles

  This are different types of download cradles which should be an inspiration to play and create new download cradles to bypass AV/EPP/EDR in context of download cradle detections.

  antivirus-evasionbypass-antivirusbypass-edredr-evasionpayload
  Language:PowerShell 257

• naksyn / DojoLoader

  Generic PE loader for fast prototyping evasion techniques

  cobalt-strikeedr-evasionevasionpe-loaderred-team-toolsred-teamingsleep-obfuscation
  Language:C 229

• VirtualAlllocEx / Direct-Syscalls-vs-Indirect-Syscalls

  The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls

  av-bypassav-evasiondirect-syscallsedr-bypassedr-evasionindirect-syscallsshellcode-loaderwindows-int
  Language:C 208

• VirtualAlllocEx / Direct-Syscalls-A-journey-from-high-to-low

  Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).

  av-bypassav-evasiondirect-syscallsedr-bypassedr-evasion
  Language:C 141

• voidvxvt / HellBunny

  Malleable shellcode loader written in C and Assembly utilizing direct or indirect syscalls for evading EDR hooks

  direct-syscallsedr-evasionindirect-syscallsmaldevmalware-developmentmsvcnative-apintapiwindowsiat-camouflagepayload-encryptionprocess-injectionedr-bypassapi-hashingdlldll-sideloadingshellcode-injectionshellcode-loader
  Language:C 121

• x42en / sysplant

  Your syscall factory

  code-generationhacking-toolsyscall-hookingsyscallswindowsedr-evasionoffensive-security
  Language:Nim 121

• naksyn / Embedder

  Embedder is a collection of sources in different languages to embed Python interpreter with minimal dependencies

  edr-evasionembeddingpyramidredteaming
  Language:C++ 118

• Offensive-Panda / DefenseEvasionTechniques

  This comprehensive and central repository is designed for cybersecurity enthusiasts, researchers, and professionals seeking to stay ahead in the field. It provides a valuable resource for those dedicated to improving their skills in malware development, malware research, offensive security, security defenses and measures.

  cyber-threat-intelligenceedr-evasionmalware-developmentmalware-researchoffensivesecurity
  Language:C++ 117

• CroodSolutions / AutoPwnKey

  AutoPwnKey is a red teaming framework and testing tool using AutoHotKey (AHK), which at the time of creation proves to be quite evasive. It is our hope that this tool will be useful to red teams over the short term, while over the long term help AV/EDR vendors improve how they handle AHK scripts.

  ahkahk-scriptattack-simulationav-bypassav-evasionedr-bypassedr-evasionevasion-techniquesexploit-codeexploit-developmentexploitation-frameworkpurple-teampurpleteam
  Language:AutoHotkey 107

• oldboy21 / SyscallMeMaybe

  Implementation of Indirect Syscall technique to pop a calc.exe

  cplusplusedr-evasionsecurity-toolssyscalls
  Language:C++ 101

• oldkingcone / BYOSI

  Evade EDR's the simple way, by not touching any of the API's they hook.

  edr-bypassedr-evasionphppowershellredteam
  Language:PHP 93

• VirtualAlllocEx / Taskschedule-Persistence-Download-Cradles

  Depending on the AV/EPP/EDR creating a Taskschedule Job with a default cradle is often flagged

  antivirus-evasionbypass-antivirusbypass-edredr-evasionpayload
  Language:HTML 87

• iamagarre / BadExclusionsNWBO

  BadExclusionsNWBO is an evolution from BadExclusions to identify folder custom or undocumented exclusions on AV/EDR

  edr-evasionpentestingredteamhacking
  Language:C++ 75

• 0xflux / Rust-Hells-Gate

  Rust malware EDR evasion via direct syscalls, fully implemented as an example in Rust

  edr-bypassedr-evasionmalwaremalware-researchpentestpentest-toolpentestingredteamredteam-toolsredteamingrustrust-langhellsgateoffensive-securityhells-gateantivirus-bypassantivirus-evasionbypass-antivirusbypass-edr
  Language:Rust 64

• itaymigdal / PichichiH0ll0wer

  Nim process hollowing loader

  loaderpe-loaderpenetration-testingpenetration-testing-toolsprocess-hollowingprocess-injectionred-teamred-team-toolssyscallspayload-generatorrunpepayload-injectoredr-bypassedr-evasion
  Language:Nim 57

• VirtualAlllocEx / DSC_SVC_REMOTE

  This code example allows you to create a malware.exe sample that can be run in the context of a system service, and could be used for local privilege escalation in the context of an unquoted service path, etc. The payload itself can be remotely hosted, downloaded via the wininet library and then executed via direct system calls.

  av-bypassav-evasiondirect-syscallsedr-bypassedr-evasion
  Language:C 54

• WafflesExploits / CobaltStrike-YARA-Bypass-f0b627fc

  Repository of scripts from my blog post on bypassing the YARA rule Windows_Trojan_CobaltStrike_f0b627fc by generating alternative shellcode sequences.

  automatizationcobalt-strikeedr-bypassedr-evasionpythonyara-rules
  Language:Python 37

• k3lpi3b4nsh33 / BlindEdr

  A Blind EDR Project for Educational Purposes

  driveredr-bypassedr-evasionmalware
  Language:C 30

• 0xflux / ETW-Bypass-Rust

  Event Tracing for Windows EDR bypass in Rust (usermode)

  edredr-bypassedr-evasionethical-hackingethical-hacking-toolsetwetw-bypassetw-evasionhackingmalwaremalware-researchpentestpentest-toolpentestingred-teamredteamredteam-toolsredteamingrust
  Language:Rust 28

• EvilBytecode / Ntdll-Unhook

  Unhook Ntdll.dll, Go & C++.

  avedr-bypassedr-evasionevasionfudntdll-unhooking
  Language:C++ 21

• iamagarre / BadExclusions

  BadExclusions is a tool to identify folder custom or undocumented exclusions on AV/EDR

  antivirus-evasionedr-evasionpentestingredteamhacking
  Language:C 20

• EvilBytecode / Nyx-Full-Dll-Unhook

  (EDR) Dll Unhooking = kernel32.dll, kernelbase.dll, ntdll.dll, user32.dll, apphelp.dll, msvcrt.dll.

  avav-evasiondll-unhookingedr-evasionevasionfud
  Language:Go 19

• VirtualAlllocEx / Create_Thread_Inline_Assembly_x86

  This POC provides the possibilty to execute x86 shellcode in form of a .bin file based on x86 inline assembly

  av-bypassav-evasionedr-bypassedr-evasioninline-assembly
  Language:C++ 19

• x0reaxeax / SilentWrite

  PoC arbitrary WPM without a process handle

  detection-evasionedr-evasionpopcalcredteamremote-writeshellcodeshellcode-executewindowswpmx86-64av-evasionedr-bypassinjectionshellcode-injectionshellcode-injector
  Language:C 19

• melotic / nanostorm

  An (WIP) EDR Evasion tool for x64 Windows & Linux binaries that utilizes Nanomites, written in Rust.

  edr-bypassedr-evasionobfuscationrust
  Language:Rust 18