00. Resources
https://securityintelligence.com/x-force/bypassing-windows-defender-application-control-loki-c2/
Check defense tool (gocheck):
https://github.com/gatariee/gocheck
Maldev modules:
| Module Number | Module Name | EDR Bypass Technique | Notes |
|---|---|---|---|
| 20 | Evading Microsoft Defender Static Analysis | Encryption to bypass static analysis | XOR, RC4, AES |
| 65 | Syscalls - SysWhispers | Using SysWhispers to evade EDR API hooks | |
| 66 | Syscalls - Hell's Gate | Direct syscalls to bypass userland hooks | |
| 67 | Syscalls - Reimplementing Classic Injection | Performing injection without WinAPI | |
| 68 | Syscalls - Reimplementing Mapping Injection | Evading detection by mapping memory | |
| 69 | Syscalls - Reimplementing APC Injection | Direct syscall-based APC injection | |
| 82 | Introduction To EDRs | General understanding of EDR detection methods | |
| 83 | NTDLL Unhooking - Introduction | Introduction to unhooking NTDLL to evade EDR | |
| 84 | NTDLL Unhooking - From Disk | Replacing in-memory NTDLL with a clean version | |
| 85 | NTDLL Unhooking - From KnownDlls Directory | Using KnownDlls directory for unhooking | |
| 86 | NTDLL Unhooking - From a Suspended Process | Extracting clean NTDLL from a suspended process | |
| 87 | NTDLL Unhooking - From a Web Server | Loading NTDLL from an external source | |
| 88 | Updating Hell's Gate | Improving syscall retrieval for stealth | |
| 89 | Indirect Syscalls - HellsHall | Using indirect syscalls to bypass EDR | |
| 90 | Block DLL Policy | Blocking non-Microsoft DLLs for stealth | |
| 92 | Exploiting EDRs For Evasion | Finding vulnerabilities in EDR logic | |
| 93 | Exploiting EDRs For Evasion - Preventing EDR Actions | Preventing EDR from deleting payloads | |
| 94 | Exploiting EDRs For Evasion - EDR LOLBINS | Using EDR-signed binaries to evade detection | |
| 95 | Exploiting EDRs For Evasion - Internal Exclusion List | Exploiting internal EDR exclusions for stealth | |
| 96 | Patchless Threadless Injection Via Hardware BreakPoints | Evasive shellcode execution using hardware breakpoints | |
| 97 | Tampered Syscalls Via Hardware BreakPoints | Manipulating syscall arguments for EDR evasion | |
| 98 | Process Hypnosis | New injection technique using debug events | |
| 99 | Sleep Obfuscation Techniques | Evading memory scanning using sleep obfuscation | |
| 100 | Introduction to Ekko and Zilean Sleep Obfuscation | Using Ekko/Zilean techniques to obfuscate execution | |
| 101 | Introduction to Foliage Sleep Obfuscation | Another memory evasion technique | |
| 102 | Implementing Ekko With Stack Spoofing | Spoofing stack for memory stealth | |
| 103 | Heap Encryption With Ekko Sleep Obfuscation | Encrypting heap memory to evade scanning | |
| 104 | Library Proxy Loading | Using callback-based DLL loading to hide execution | |
| 105 | Evading Microsoft Defender Via Patching | Modifying Defender’s scanning behavior | |
| 106 | .NET Assemblies - Patching System.Environment.Exit | Modifying .NET APIs to prevent execution termination | |
| 107 | KnownDll Cache Poisoning Injection | Using KnownDll poisoning for stealth injection | |