Artificially inflate a given binary to exceed common EDR file size limits. Can be used to bypass common EDR. (Updated Apr 9, 2022 - Python)
A C2 framework for initial access in Go
Slides and POC demo for my talk at Divizion Zero on EDR evasion titled "Evasion Adventures"
Carbon Crypter / Packer
Small PoC of using a Microsoft signed executable as a lolbin.
This POC provides the ability to execute x86 shellcode in the form of a .bin file based on x86 inline assembly and execution over fibers
This POC provides the possibility to execute x86 shellcode in the form of a .bin file based on x86 inline assembly
Frida-based script which automates the process of discovering and exploiting DLL hijacks in target binaries. The discovered binaries can later be weaponized during Red Team operations to evade AV/EDRs.
Shellcode execution via x86 inline assembly based on MSVC syntax
Indirect Syscall invocation via thread hijacking
Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).
This code example allows you to create a malware.exe sample that can be run in the context of a system service, and could be used for local privilege escalation in the context of an unquoted service path, etc. The payload itself can be remotely hosted, downloaded via the wininet library and then executed via direct system calls.
NTAPI hook bypass with (semi) legit stack trace
This POC gives you the possibility to compile a .exe that completely avoids static detection by AV/EPP/EDR of your C2 shellcode, and to download and execute your C2 shellcode, which is hosted on your (C2) web server.
indirect syscalls for AV/EDR evasion in Go assembly
PoC arbitrary WPM without a process handle
Red Teaming Tactics and Techniques
Repository to publish your evasion techniques and contribute to the project
Template-Driven AV/EDR Evasion Framework