There are 6 repositories under the edr-evasion topic.
Little AV/EDR evasion lab for training & learning purposes
PoC Implementation of a fully dynamic call stack spoofer
Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".
.NET/PowerShell/VBA Offensive Security Obfuscator
pure-python implementation of MemoryModule technique to load dll and unmanaged exe entirely from memory
C++ self-Injecting dropper based on various EDR evasion techniques.
These are different types of download cradles which should serve as inspiration to experiment with and create new download cradles to bypass AV/EPP/EDR in the context of download cradle detections.
Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).
The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls.
Depending on the AV/EPP/EDR, creating a Task Scheduler job with a default cradle is often flagged.
Implementation of Indirect Syscall technique to pop a calc.exe
This code example allows you to create a malware.exe sample that can be run in the context of a system service, and could be used for local privilege escalation in the context of an unquoted service path, etc. The payload itself can be remotely hosted, downloaded via the wininet library and then executed via direct system calls.
Nim process hollowing loader
BadExclusionsNWBO is an evolution of BadExclusions to identify custom or undocumented folder exclusions on AV/EDR.
This POC provides the possibility to execute x86 shellcode in the form of a .bin file based on x86 inline assembly.
PoC arbitrary WPM without a process handle
BadExclusions is a tool to identify custom or undocumented folder exclusions on AV/EDR.
Shellcode execution via x86 inline assembly based on MSVC syntax
Unhook a DLL by cleaning the DLL's .text section.
This POC provides the ability to execute x86 shellcode in the form of a .bin file based on x86 inline assembly and execution over fibers
Overwrite ntdll.dll's ".text" section to bypass API hooking. The clean DLL is obtained from disk, the KnownDlls folder, a debugged process or a URL.
Red Teaming Tactics and Techniques
Custom binary file packer/encoder with integrated decoder stub. A pentest-tool for modern EDR evasion.
EDRSandBlast is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections (Notify Routine callbacks, Object Callbacks and the ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
Repository to publish your evasion techniques and contribute to the project
Mostly malicious or abusable powershell I've written