Source Byte
Whoever would stay sober must keep away from love;
and this nature that I have will not mix with reason.
Saadi Shirazi
edr-evasion-stranger-things-in-a-payload.pdf
EDR Evasion: Stranger Things In A Payload

SANS white paper

#EDR , #EDR_evasion
New PoolParty Process Injection Techniques Outsmart Top EDR Solutions
thehackernews.com/2023/12/ne…

#EDR , #process_injection
[ EDRSilencer ]

A tool uses Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server.

EDR list (process names the tool targets):

Microsoft Defender for Endpoint and Microsoft Defender Antivirus: MsMpEng.exe, MsSense.exe
Elastic EDR: elastic-agent.exe, elastic-endpoint.exe, filebeat.exe
Trellix EDR: xagt.exe

https://github.com/netero1010/EDRSilencer

#EDR

@islemolecule_source
MutationGate is a new approach to bypassing EDR inline hooking by using a hardware breakpoint to redirect the syscall.

https://github.com/senzee1984/MutationGate

#malware_dev
#edr
----
@islemolecule_source
Payload creation framework built around EDR bypass.

Link

#edr
--------
@islemolecule_source
An Introduction to Bypassing User Mode EDR Hooks.

malwaretech.com/2023/12/an-i…

#EDR , #red_team #windows_internals
———
@islemolecule_source
Introduction to Bypassing EDR Hooks

Link

#edr
A Technical Deep Dive: Comparing Anti-Cheat Bypass and EDR Bypass
Link

#edr
#malware_dev

------
@islemolecule_source
A universal EDR bypass built in Windows 10
While studying the internals of a mechanism used by all EDR software to get information about process activity on Windows, we came across a way for malicious processes to disable the generation of some security events related to process interactions. This technique could be used to evade EDR software while performing malicious operations such as process memory dumping, code injection or process hollowing.

https://www.riskinsight-wavestone.com/en/2023/10/a-universal-edr-bypass-built-in-windows-10/

#EDR , #windows_internals