Awesome EDR Bypass　

🛡️ Awesome EDR Bypass Resources For Ethical Hacking ⚔️

PoC

• trickster0/TartarusGate: TartarusGate, Bypassing EDRs
• am0nsec/HellsGate: Original C Implementation of the Hell's Gate VX Technique
  • The paper PDF has a nice summary of EDR Bypass techniques.
• Maldev-Academy/HellHall: Performing Indirect Clean Syscalls
  • A technique called HellsGate, which specifies a system call number through a value in memory, combined with a technique to call a system call by specifying an address in NTDLL where the syscall instruction is implemented, without calling the syscall instruction.
• TheD1rkMtr/UnhookingPatch: Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime
• RedTeamOperations/Journey-to-McAfee
• op7ic/EDR-Testing-Script: Test the accuracy of Endpoint Detection and Response (EDR) software with simple script which executes various ATT&CK/LOLBAS/Invoke-CradleCrafter/Invoke-DOSfuscation payloads

Tool

• tanc7/EXOCET-AV-Evasion: EXOCET - AV-evading, undetectable, payload delivery tool
• naksyn/Pyramid: a tool to help operate in EDRs' blind spots
• Yaxser/Backstab: A tool to kill antimalware protected processes
• klezVirus/inceptor: Template-Driven AV/EDR Evasion Framework

Workshop

More of a malware development workshop for pentesters than a workshop to Bypass EDR.

• chvancooten/maldev-for-dummies: A workshop about Malware Development
• BC-SECURITY/Beginners-Guide-to-Obfuscation
• chr0n1k/AH2021Workshop: Malware development for red teaming workshop
• WesleyWong420/RedTeamOps-Havoc-101: Materials for the workshop "Red Team Ops: Havoc 101"

Presentation

• Lifting the veil, a look at MDE under the hood - FIRST CONFERENCE 2022
• Dirty Vanity: A New Approach to Code Injection & EDR Bypass - Black Hat Europe 2022
• talks/Diego Capriotti - DEFCON30 Adversary Village - Python vs Modern Defenses.pdf
• Develop Your Own Rat

Blog

• Living-Off-the-Blindspot - Operating into EDRs’ blindspot | Naksyn’s blog
  • Type of person who works hard in Python; uses PEP 578 – Python Runtime Audit Hooks.
• Bypass CrowdStrike Falcon EDR protection against process dump like lsass.exe | by bilal al-qurneh | Medium
  • The story is that a forensic tool can be used to dump memory without detection. This is an example of how a tool for legitimate purposes that is not an attack tool can be used in an attack without being detected.
• State-of-the-art EDRs are not perfect, fail to detect common attacks - The Record from Recorded Future News
  • Commentary on An Empirical Assessment of Endpoint Security Systems Against Advanced Persistent Threats Attack Vectors
• A tale of EDR bypass methods | S3cur3Th1sSh1t
• In-Memory Execution in macOS: the Old and the New | Meta Red Team X
  • macOS!!!!

Other awesome series

• MrEmpy/Awesome-AV-EDR-XDR-Bypass: Awesome AV/EDR/XDR Bypass Tips