EDR bypass technology is not just for attackers. Many malware now have EDR bypass capabilities, knowledge that pentesters and incident responders should also be aware of.
This repository is not intended to be used to escalate attacks. Use it for ethical hacking.
PoC
- trickster0/TartarusGate: TartarusGate, Bypassing EDRs
- am0nsec/HellsGate: Original C Implementation of the Hell’s Gate VX Technique
- The paper PDF has a nice summary of EDR Bypass techniques.
- Maldev-Academy/HellHall: Performing Indirect Clean Syscalls
- A technique called HellsGate, which specifies a system call number through a value in memory, combined with a technique to call a system call by specifying an address in NTDLL where the syscall instruction is implemented, without calling the syscall instruction.
- TheD1rkMtr/UnhookingPatch: Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime
- RedTeamOperations/Journey-to-McAfee
- op7ic/EDR-Testing-Script: Test the accuracy of Endpoint Detection and Response (EDR) software with simple script which executes various ATT&CK/LOLBAS/Invoke-CradleCrafter/Invoke-DOSfuscation payloads
- zer0condition/mhydeath: Abusing mhyprotect to kill AVs / EDRs / XDRs / Protected Processes.
- Demo to force quit Crowdstrike Falcon and Microsoft Defender
- Mr-Un1k0d3r/RedTeamCCode: Red Team C code repo
- BYOSI: Bypass EDR by bringing your own script interpreter
- Polydrop: Expanded BYOSI attack, leverages 12 additional languages.
- senzee1984/EDRPrison: Leverage a legitimate WFP callout driver to prevent EDR agents from sending telemetry
Tool
- tanc7/EXOCET-AV-Evasion: EXOCET – AV-evading, undetectable, payload delivery tool
- naksyn/Pyramid: a tool to help operate in EDRs’ blind spots
- Yaxser/Backstab: A tool to kill antimalware protected processes
- klezVirus/inceptor: Template-Driven AV/EDR Evasion Framework
- georgesotiriadis/Chimera: Automated DLL Sideloading Tool With EDR Evasion Capabilities
- netero1010/EDRSilencer: A tool uses Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server.
- wavestone-cdt/EDRSandblast
- myzxcg/RealBlindingEDR: Remove AV/EDR Kernel ObRegisterCallbacks、CmRegisterCallback、MiniFilter Callback、PsSetCreateProcessNotifyRoutine Callback、PsSetCreateThreadNotifyRoutine Callback、PsSetLoadImageNotifyRoutine Callback…
Workshop
More of a malware development workshop for pentesters than a workshop to Bypass EDR.
- chvancooten/maldev-for-dummies: A workshop about Malware Development
- BC-SECURITY/Beginners-Guide-to-Obfuscation
- chr0n1k/AH2021Workshop: Malware development for red teaming workshop
- WesleyWong420/RedTeamOps-Havoc-101: Materials for the workshop “Red Team Ops: Havoc 101”
For more information click here.