Star 历史趋势
数据来源: GitHub API · 生成自 Stargazers.cn
README.md

Awesome EDR Evasion

🛡️ EDR Evasion Techniques

🔹 Syscall Evasion

  • Direct Syscalls: Calling syscalls directly to avoid API hooks.
  • Indirect Syscalls: Using techniques like "Hell's Gate" or "Halo's Gate" to resolve and execute syscalls dynamically.
  • Recycled Gate: Reusing a legitimate syscall from a different process.
  • Tartarus Gate: A novel method of syscall obfuscation.
  • Syswhispers2/Syswhispers3: Generating undetectable syscalls.

🔗 Hell's and Halo's Gate 🔗 Recycled Gate 🔗 Tartarus Gate 🔗 SysWhispers

🔹 API Unhooking

  • Unhooking NTDLL: Restoring the original NTDLL memory region.
  • Syscall Stubbing: Using alternative API calls to bypass hooks.
  • Patch Unhooking: Overwriting memory regions to remove hooks.
  • Manually Mapping DLLs: Loading clean DLLs into memory.
  • Heavens Gate: Transitioning between 32-bit and 64-bit code to bypass hooks.
  • Hookchain

🔗 Unhooking Patch 🔗 Windows API for Red Team 🔗 Direct Syscalls & Unhooking
🔗 Hookchain

🔹 Injection Techniques

  • APC Queue Injection
  • AddressOfEntryPoint Code Injection
  • Classic Code Injection (API Obfuscation)
  • Classic Code Injection (Local)
  • Classic Code Injection (Remote)
  • Classic Code Injection (Remote with VirtualProtect)
  • Classic DLL Injection
  • Early Bird Code Injection
  • Injection Through Fiber
  • Module Stomping
  • Mokingjay Injection
  • NTAPI Injection
  • NtCreateSection & MapViewOfSection Injection
  • PEB Walk API Obfuscation Injection
  • PEB Walk Injection
  • PE Code Injection
  • Process Ghosting
  • Process Hollowing
  • RWX Hunting Injection
  • Reflective DLL Injection
  • Reflective DLL Loading (Lagos Island)
  • Remote Thread Hijacking
  • Direct Syscalls Injection
  • Indirect Syscalls Injection

🔗 EDR Bypass Methods 🔗 Native .NET Code Injection

🔹 Sandbox & VM Evasion

  • Checking CPU Cores: Many sandboxes run on a single core.
  • Timing Attacks: Delaying execution to avoid automated analysis.
  • User Interaction Checks: Requiring mouse movement or keystrokes.
  • Environment Artifacts: Checking registry, MAC addresses, or system variables.
  • Hardware Fingerprinting: Identifying VM artifacts like disk serial numbers.
  • Hypervisor Detection: Using CPUID and other instructions.
  • Instruction Counting: Detecting instruction execution anomalies in VMs.
  • Stealth Sleep: Avoiding modified sleep functions used in analysis.

🔗 al-khaser Anti-VM Toolkit

🔹 LOLBins & LOLDrivers

  • Living Off The Land Binaries (LOLBins): Using trusted Windows executables for malicious purposes.
  • BYOVD (Bring Your Own Vulnerable Driver): Exploiting signed vulnerable drivers to disable security products.
  • Abusing Windows Defender & Other Security Services: Using native features against the system.

🔗 EDR Bypass with LOLBins
🔗 Loldrivers
🔗 BYOVD Kill EDR

🔹 AMSI Bypass

  • AMSI Patch: Overwriting AMSI.dll functions in memory.
  • AMSI Unhooking: Removing hooks in AMSI functions.
  • AMSI Reflection: Using reflection in PowerShell to disable AMSI.
  • AMSI Argument Spoofing: Modifying arguments to bypass scanning.
  • Environment Variable Poisoning: Exploiting environment variables to disable AMSI.

🔗 AMSI Bypass Techniques
🔗 AMSI Bypass via Reflection

🔹 LSASS Dumping & Credential Theft

  • Mimikatz: Extracting credentials from LSASS.
  • MiniDumpWriteDump: Dumping LSASS memory.
  • NTDLS Cloning: Bypassing credential protection by cloning LSASS.
  • Direct Syscalls for LSASS Dump: Avoiding API calls monitored by EDR.
  • Token Impersonation: Using stolen tokens for privilege escalation.

🔗 Mimikatz
🔗 SharpDump

🔹 Protected Process Light (PPL) Bypass

  • Using Vulnerable Drivers: Modifying process privileges.
  • Token Manipulation: Using stolen tokens to disable PPL.
  • Memory Patching: Modifying system memory to remove PPL protection.

🔗 PPLdump
🔗 SharpPPL

🛠️ Tools for Evasion

📜 Articles & Resources

关于 About

No description, website, or topics provided.

语言 Languages

C96.2%
Assembly3.8%

提交活跃度 Commit Activity

代码提交热力图
过去 52 周的开发活跃度
3
Total Commits
峰值: 2次/周
Less
More

核心贡献者 Contributors