Awesome EDR Bypass　

🛡️ Awesome EDR Bypass Resources For Ethical Hacking ⚔️

EDR bypass technology is not just for attackers. Many malware now have EDR bypass capabilities, knowledge that pentesters and incident responders should also be aware of. This repository is not intended to be used to escalate attacks. Use it for ethical hacking.

PoC

• trickster0/TartarusGate: TartarusGate, Bypassing EDRs
• am0nsec/HellsGate: Original C Implementation of the Hell's Gate VX Technique
  • The paper PDF has a nice summary of EDR Bypass techniques.
• Maldev-Academy/HellHall: Performing Indirect Clean Syscalls
  • A technique called HellsGate, which specifies a system call number through a value in memory, combined with a technique to call a system call by specifying an address in NTDLL where the syscall instruction is implemented, without calling the syscall instruction.
• TheD1rkMtr/UnhookingPatch: Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime
• RedTeamOperations/Journey-to-McAfee
• op7ic/EDR-Testing-Script: Test the accuracy of Endpoint Detection and Response (EDR) software with simple script which executes various ATT&CK/LOLBAS/Invoke-CradleCrafter/Invoke-DOSfuscation payloads
• zer0condition/mhydeath: Abusing mhyprotect to kill AVs / EDRs / XDRs / Protected Processes.
  • Demo to force quit Crowdstrike Falcon and Microsoft　Defender

Tool

• tanc7/EXOCET-AV-Evasion: EXOCET - AV-evading, undetectable, payload delivery tool
• naksyn/Pyramid: a tool to help operate in EDRs' blind spots
• Yaxser/Backstab: A tool to kill antimalware protected processes
• klezVirus/inceptor: Template-Driven AV/EDR Evasion Framework
• georgesotiriadis/Chimera: Automated DLL Sideloading Tool With EDR Evasion Capabilities

Workshop

More of a malware development workshop for pentesters than a workshop to Bypass EDR.

• chvancooten/maldev-for-dummies: A workshop about Malware Development
• BC-SECURITY/Beginners-Guide-to-Obfuscation
• chr0n1k/AH2021Workshop: Malware development for red teaming workshop
• WesleyWong420/RedTeamOps-Havoc-101: Materials for the workshop "Red Team Ops: Havoc 101"

Presentation

• Lifting the veil, a look at MDE under the hood - FIRST CONFERENCE 2022
• Dirty Vanity: A New Approach to Code Injection & EDR Bypass - Black Hat Europe 2022
• talks/Diego Capriotti - DEFCON30 Adversary Village - Python vs Modern Defenses.pdf
• Develop Your Own Rat
• EDR Evasion Primer for Red Teamers - Karsten Nohl & Jorge Gimenez - Hack in the Box 2022 Singapore

Blog

• Living-Off-the-Blindspot - Operating into EDRs’ blindspot | Naksyn’s blog
  • Type of person who works hard in Python; uses PEP 578 – Python Runtime Audit Hooks.
• Bypass CrowdStrike Falcon EDR protection against process dump like lsass.exe | by bilal al-qurneh | Medium
  • The story is that a forensic tool can be used to dump memory without detection. This is an example of how a tool for legitimate purposes that is not an attack tool can be used in an attack without being detected.
• State-of-the-art EDRs are not perfect, fail to detect common attacks - The Record from Recorded Future News
  • Commentary on An Empirical Assessment of Endpoint Security Systems Against Advanced Persistent Threats Attack Vectors
• A tale of EDR bypass methods | S3cur3Th1sSh1t
• In-Memory Execution in macOS: the Old and the New | Meta Red Team X
  • macOS!!!!
• Blindside: A New Technique for EDR Evasion with Hardware Breakpoints - Cymulate
• Attacking an EDR - Part 1
• Attacking an EDR - Part 2

Book

• Evading EDR | No Starch Press

Other awesome series

• MrEmpy/Awesome-AV-EDR-XDR-Bypass: Awesome AV/EDR/XDR Bypass Tips