Star 历史趋势
数据来源: GitHub API · 生成自 Stargazers.cn
README.md
Awesome EDR Evasion
🛡️ EDR Evasion Techniques
🔹 Syscall Evasion
- Direct Syscalls: Calling syscalls directly to avoid API hooks.
- Indirect Syscalls: Using techniques like "Hell's Gate" or "Halo's Gate" to resolve and execute syscalls dynamically.
- Recycled Gate: Reusing a legitimate syscall from a different process.
- Tartarus Gate: A novel method of syscall obfuscation.
- Syswhispers2/Syswhispers3: Generating undetectable syscalls.
🔗 Hell's and Halo's Gate 🔗 Recycled Gate 🔗 Tartarus Gate 🔗 SysWhispers
🔹 API Unhooking
- Unhooking NTDLL: Restoring the original NTDLL memory region.
- Syscall Stubbing: Using alternative API calls to bypass hooks.
- Patch Unhooking: Overwriting memory regions to remove hooks.
- Manually Mapping DLLs: Loading clean DLLs into memory.
- Heavens Gate: Transitioning between 32-bit and 64-bit code to bypass hooks.
- Hookchain
🔗 Unhooking Patch
🔗 Windows API for Red Team
🔗 Direct Syscalls & Unhooking
🔗 Hookchain
🔹 Injection Techniques
- APC Queue Injection
- AddressOfEntryPoint Code Injection
- Classic Code Injection (API Obfuscation)
- Classic Code Injection (Local)
- Classic Code Injection (Remote)
- Classic Code Injection (Remote with VirtualProtect)
- Classic DLL Injection
- Early Bird Code Injection
- Injection Through Fiber
- Module Stomping
- Mokingjay Injection
- NTAPI Injection
- NtCreateSection & MapViewOfSection Injection
- PEB Walk API Obfuscation Injection
- PEB Walk Injection
- PE Code Injection
- Process Ghosting
- Process Hollowing
- RWX Hunting Injection
- Reflective DLL Injection
- Reflective DLL Loading (Lagos Island)
- Remote Thread Hijacking
- Direct Syscalls Injection
- Indirect Syscalls Injection
🔗 EDR Bypass Methods 🔗 Native .NET Code Injection
🔹 Sandbox & VM Evasion
- Checking CPU Cores: Many sandboxes run on a single core.
- Timing Attacks: Delaying execution to avoid automated analysis.
- User Interaction Checks: Requiring mouse movement or keystrokes.
- Environment Artifacts: Checking registry, MAC addresses, or system variables.
- Hardware Fingerprinting: Identifying VM artifacts like disk serial numbers.
- Hypervisor Detection: Using CPUID and other instructions.
- Instruction Counting: Detecting instruction execution anomalies in VMs.
- Stealth Sleep: Avoiding modified sleep functions used in analysis.
🔹 LOLBins & LOLDrivers
- Living Off The Land Binaries (LOLBins): Using trusted Windows executables for malicious purposes.
- BYOVD (Bring Your Own Vulnerable Driver): Exploiting signed vulnerable drivers to disable security products.
- Abusing Windows Defender & Other Security Services: Using native features against the system.
🔗 EDR Bypass with LOLBins
🔗 Loldrivers
🔗 BYOVD Kill EDR
🔹 AMSI Bypass
- AMSI Patch: Overwriting AMSI.dll functions in memory.
- AMSI Unhooking: Removing hooks in AMSI functions.
- AMSI Reflection: Using reflection in PowerShell to disable AMSI.
- AMSI Argument Spoofing: Modifying arguments to bypass scanning.
- Environment Variable Poisoning: Exploiting environment variables to disable AMSI.
🔗 AMSI Bypass Techniques
🔗 AMSI Bypass via Reflection
🔹 LSASS Dumping & Credential Theft
- Mimikatz: Extracting credentials from LSASS.
- MiniDumpWriteDump: Dumping LSASS memory.
- NTDLS Cloning: Bypassing credential protection by cloning LSASS.
- Direct Syscalls for LSASS Dump: Avoiding API calls monitored by EDR.
- Token Impersonation: Using stolen tokens for privilege escalation.
🔹 Protected Process Light (PPL) Bypass
- Using Vulnerable Drivers: Modifying process privileges.
- Token Manipulation: Using stolen tokens to disable PPL.
- Memory Patching: Modifying system memory to remove PPL protection.
🛠️ Tools for Evasion
- Veil Evasion Framework
- Avet Project
- Avlator
- Shellcode Templates
- Mortar Evasion
- AtomPePacker
- Phantom Evasion
- PEObfuscator
- AMSI Bypass Powershell
- SharpBlock
- Process Injection Tools