@albertzsigovits
Last active October 11, 2023 18:51
EDR Bypass Techniques
List:
Disabling Event Tracing for Windows (ETW)
Shellcode encryption
Reducing entropy
Escaping the (local) AV sandbox
Import table obfuscation
Disabling AMSI
Evading common malicious API call patterns
Direct system calls and evading “mark of the syscall”
Removing hooks in ntdll.dll
Spoofing the thread call stack
In-memory encryption of beacon
Memory Scanning Evasion
Custom Reflective loader
OpSec configurations in C2 Malleable profile
Using a Custom Packer
Custom Obfuscation
Tampering with EDR services
Tampering with EDR telemetry
Tampering with syscalls
Shellcode hidden within realistic datatypes
Compile-time string obfuscation
AV Driver Abuse
Function Stomping
Spoofing call stacks to confuse EDRs
Reflective DLL injection to evade EDR
AV/EDR bypass mindmap:
https://github.com/CMEPW/BypassAV
PPLKiller:
https://github.com/Mattiwatti/PPLKiller
PPLMedic:
https://github.com/itm4n/PPLmedic
Disabling Event Tracing for Windows (ETW)
Introduction:
https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
List of well-known tools:
1. https://github.com/Hagrid29/RemotePatcher
2. https://github.com/D1rkMtr/ExecRemoteAssembly
3. Disable ETW in .NET:
   Environment variable COMPlus_ETWEnabled=0, or
   registry value ETWEnabled set to 0 under [HKCU | HKLM]\Software\Microsoft\.NETFramework
   POC code - https://gist.github.com/xpn/64e5b6f7ad370c343e3ab7e9f9e22503
Detection Notes:
https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3