Disabling telemetry at the source — patching, hooking, and structural corruption
AMSI
AmsiScanBuffer Memory Patching
RUNTIME PATCH // AMSI.DLL
Use WriteProcessMemory instead of VirtualProtect — silently modifies permissions without triggering EDR hooks on VirtualProtect
Avoid 0xC3 (RET) opcode in patches — Defender scans for premature RET in AmsiScanBuffer. Use POP RAX; JMP RAX or short jump backwards to existing RET in prior function
Elastic rules defense_evasion_amsi_bypass_via_unbacked_memory and defense_evasion_amsi_or_wldp_bypass_via_memory_patching target VirtualProtect calls to amsi.dll
Patch further down the function prologue (not offset +0x00) to avoid DR register validation
AMSI
Reflection & CLR-Level Bypass
MANAGED CODE // .NET REFLECTION
Null-AMSI — .NET Reflection to disable AMSI and ETW; confirmed effective against CrowdStrike in field engagements
Stracciatella — reflectively disables AMSI from inside AppDomain before loading assemblies
CLR.DLL patching — modify CLR's internal AMSI integration instead of patching amsi.dll directly. On plain Defender, obfuscation needed; on MDE, obfuscation must be skipped (MDE triggers on obfuscation, not the bypass)
--control-dotnet-runtime (ShellcodePack v2.7.4+): Loads .NET assemblies WITHOUT triggering AMSI at all — prevents AmsiScanBuffer from even being called. No patching, no hooking. Also patches ETW in v2.7.5
Custom CLR hosting — manually initialize CLR with AMSI disabled, bypassing need for any runtime patching
ConfuserEx for assembly obfuscation to avoid triggering AMSI signatures entirely — still effective against Defender EDR
AMSI
Structural & Data-Only Bypasses
NO CODE PATCHING REQUIRED
HAMSICONTEXT corruption — corrupt the context structure to make AmsiScanBuffer return early without scanning. Data-only, no code modification
IActiveScript pointer zeroing — zero pointer at offset 0x3c8 in modified wscript process. AMSI never called
Custom amsi.dll preloading — load a benign amsi.dll before the real one; still works
LdrLoadDll hook — hook LdrLoadDll and deny amsi.dll from loading entirely, preventing initialization
HWBP on NtTraceEvent / EtwEventWrite — hardware breakpoints intercept and suppress ETW telemetry
EtwTiLogSetContextThread — fires when SetThreadContext called; this is how SentinelOne detects HWBP usage
Same C3 avoidance applies to EtwEventWrite patching — use alternative instruction sequences
ETW-Ti does not capture all telemetry (e.g., not 100% of WriteProcessMemory calls). EDR migration from hooks to ETW-Ti is incomplete
SentinelOne bypass: S1 hooks RtlAddVectoredExceptionHandler. Call with arg 0 (append) instead of >0 (insert front). Clear existing VEH first with ClearVeh.c, then add own handler
ETWAMSI
Hardware Breakpoints Without SetThreadContext
EXCEPTION-BASED // NO SUSPICIOUS API CALLS
Set Stage1 VEH for EXCEPTION_BREAKPOINT, Stage2 VEH for telemetry suppression (HWBP on ETW/AMSI)
Call DebugBreak() or trigger any exception (divide by zero, access violation)
Stage1 modifies DR0-DR3 and DR7 in exception context — no SetThreadContext call needed
Hook BaseThreadInitThunk to catch new threads and set HWBP on all of them for thread safety
For single-threaded C2 implants, thread safety not required
02 — Syscall Techniques & Unhooking
Bypassing userland hooks through direct kernel interaction and SSN resolution
SYSCALL
Indirect Vectored Syscalls
RUNTIME_FUNCTION + VEH REDIRECT
Combine RUNTIME_FUNCTION-based SSN computation (walking PEB InLoadOrderModuleList backwards to avoid fake injected NTDLLs) with VEH access violation handler
Handler redirects execution to legitimate syscall instruction within ntdll — preserves call stack integrity
Nighthawk approach: uses TEB members (ReservedForDebuggerInstrumentation at 0x110, LastErrorValue at 0x68) for syscall storage. Detected by Elastic YARA rule
Jump to syscall instruction in ntdll rather than placing own syscall in suspicious module .text
Kernel grabs return address of syscall — must spoof return address to appear within ntdll
SYSCALL
SSN Resolution Methods
SYSTEM SERVICE NUMBER EXTRACTION
FreshyCalls — gather/sort/search Zw functions by RVA in EAT; pioneered incremental index approach
modexp (preferred) — extract syscall RVAs from Exception Directory (Runtime Function table) or Guard CF table. Harder for EDRs to tamper without breaking dependent structures
Avoid HellsGate/HalosGate-style opcode scanning — extracting SSNs by disassembling raw memory is error-prone and suboptimal
TartarusGate: when target syscall is hooked, check neighboring syscalls (±1) and calculate SSN by offset. Extends HellsGate to work against partial hooking
HellsHall: search ntdll for syscall;ret instruction sequences (0x0F05, 0xC3) to find indirect syscall targets. Jumps to random legitimate syscall instruction within ntdll address space
EDRs inject fake/bogus NTDLL images. If EAT is hooked, SSN computation crashes. Walk InMemoryOrderList backwards, use OriginalBase field, case-sensitive name comparison
SysWhispers2/3 sorting Zw functions by RVA acknowledged as effective
SYSCALLUNHOOK
Userland Unhooking Strategies
RESTORING CLEAN API STUBS
UnhookMe — universal API resolver and unhooker with guard page manipulation for safe unhooking
patchwerk BOF — finds all Nt* syscall stubs in ntdll and overwrites with clean stubs
Fresh NTDLL from disk — map clean copy from disk. Caveat: some EDRs use minifilter drivers to intercept reads and return hooked version
From KnownDlls — open \KnownDlls\ntdll.dll section object via NtOpenSection + NtMapViewOfSection. Bypasses minifilter interception on file reads
From suspended process — spawn sacrificial process suspended, read its clean ntdll via ReadProcessMemory, overwrite own hooked copy. Process never executes
From web server — download version-matched clean ntdll.dll from Microsoft Symbol Server or Winbindex. No local file access needed, bypasses all local interception
Guard page removal: EDRs place PAGE_GUARD around hooks. Remove selectively, then re-apply to avoid detection. Some products continuously re-apply
MDE does not use userland hooks but still behaves differently for Win32 vs direct syscalls — something beyond hooks is still bypassed
SYSCALLSTACK
Call Stack Spoofing
SYNTHETIC FRAMES // ROP GADGETS
Synthetic frames: ntdll!RtlUserThreadStart+0x21 and kernel32!BaseThreadInitThunk+0x14
HWBP-based: manually craft full callstack, set HWBP on last fake RET address, restore original stack on return
ROP gadget: jmp QWORD PTR [rbx] from kernel32, call r12 from ntdll (qsort+offset)
HSB (hunt-sleeping-beacons) checks for JMP [register] gadgets — bypass by finding gadgets with no-op instructions before them
Spoof stacks on SetThreadContext, WinHTTP/WinINet calls, and any call with ETW full stack trace
Tools: LoudSunRun, CallStackSpoofer, Draugr BOF
SYSCALLEVASION
Advanced Syscall Resolution Variants
NULLGATE // HELLSHAZZARD // EBYTE-SYSCALLS
NullGate — indirect syscall technique that uses null byte termination tricks to resolve SSNs; avoids common EDR detection patterns for syscall resolution
Hellshazzard — hybrid syscall resolution combining HellsGate-style runtime resolution with additional obfuscation layers; harder to signature than standard HellsGate
Ebyte-Syscalls — function call obfuscation via syscalls; wraps API calls in obfuscated syscall stubs to prevent import-based detection
03 — Shellcode Engineering & Loaders
Generation, encryption, encoding, and custom loader architectures
SHELLCODE
Shellcode Generation & Encoding
GENERATION PIPELINE
Donut — x86/x64 PIC from .NET/PE. Default 10KB loader heavily signatured. Key mods: replace xGetProcAddressByHash with function pointer indirection to break Trojan_Win64_Donut_C_MTB, remove aPLib depack.c (VT 11→2), use BYPASS_AMSI_C not default RWX, externalize loader bytes for per-build encoder randomization
sRDI — DLL→PIC shellcode. Bootstrap signatured by Elastic Windows_Shellcode_Rdi.yar — simple ASM mods break it. Confirmed vs Cortex and S1
SGN — polymorphic encoder (requires RWX, use -S flag). Deoptimizer for structural transformation
Prefer generating EXE/DLL from C2, then custom PE→shellcode via hardened Donut/sRDI harness
Use volatile function pointers to break PEB-walking signatures. LLM-assisted code mutation for compiler diversity
LexiCrypt — substitution cipher with randomly generated key for shellcode encryption
SHELLCODELOADER
Custom Shellcode Loaders
LOADER ARCHITECTURES
RustLuaLoader — embeds Lua runtime in Rust; Lua handles VirtualAlloc, decrypt, copy, VirtualProtect, CreateThread. Confirmed vs CrowdStrike
PSXecute — 32-bit MIPS I VM (PlayStation 1 emulator); executes without allocating executable memory
DojoLoader — generic PE loader for fast prototyping evasion techniques
Modular loader architecture: toggleable write/alloc/execute primitives, evasion modules, API resolvers, time delays, bloating, patched/patchless modes. Can compile hundreds of variants for testing
Shellcode storage via EncodePointer/DecodePointer — 8-byte segments encoded as Windows-protected pointers. Tested vs Cortex
LOADER
Position Independent Code (PIC) Development
UDRL // REFLECTIVE LOADERS
UDRL must be PIC — map sections, process relocations, resolve IAT without standard WinMain
EPIC — C-to-PIC toolkit. Modularity, minimal libc, dead function elimination, global R/W stack via CPU register trick
Crystal Palace — dedicated linker for position-independent DLL loaders
Advanced UDRL: intercept Heap/Stack/Virtual memory routines, proxy to NT counterparts via indirect syscalls, hook filesystem functions for virtual FS in memory
LLVM obfuscation applicable to PIC via obfuscator-llvm fork but challenging
LOADEREVASION
Bring Your Own Interpreter (BYOI)
INTERPRETER-BASED EVASION
Lua in Rust: interpreter handles scrutinized API calls, creating abstraction layer EDRs lack insight into
HuffLoader — Huffman encoding for shellcode obfuscation; compresses and encodes shellcode using Huffman trees; unique encoding per build; deobfuscation via custom Huffman decoder at runtime
PIClin — Position Independent Code compilation from C/Rust/Zig source; generates PIC directly from high-level languages without manual assembly
SnapLoader — shellcode injection into ntdll.dll memory space; leverages ntdll's trusted memory region to host shellcode, avoiding suspicious memory allocations
RogueLoader — user-land hook bypass loader; removes or avoids EDR hooks during payload loading; combines unhooking with custom loading sequence
04 — Process Injection Techniques
Cross-process code execution from threadless injection to early cascade
INJECTION
Early Cascade Injection
PRE-EDR DLL LOAD // PROCESS CREATION
Injects during Windows process creation, before EDR DLLs are loaded — effective against top-tier EDRs
Add LdrLoadDll suppression logic in bootstrapping shellcode to prevent EDR DLLs from loading entirely
Using DEBUG_PROCESS instead of CREATE_SUSPENDED loses EDR DLL clobbering but still provides injection without remote APC
Stub patching entrypoint of EDR DLL, dynamically resolving correct pointers across Windows versions
INJECTIONEVASION
Block Non-Microsoft DLL Policy
PREVENT EDR DLL INJECTION INTO CHILD PROCESSES
PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON prevents non-MS-signed DLLs from loading into spawned processes
EDR hooking DLLs are blocked from injecting — the process runs without userland hooks
Applied via UpdateProcThreadAttribute in the same attribute list used for PPID spoofing. Can be combined with PPID spoof in a single CreateProcess call
Also applicable to the current process at runtime via SetProcessMitigationPolicy
Commonly paired with Early Cascade injection for maximum EDR blindness
INJECTION
Threadless Injection
NO DIRECT EXECUTION IN REMOTE PROCESS
Build list of processes and their regularly-called APIs, then hook those APIs — not detected by any vendor as technique
Hook BaseThreadInitThunk to catch new threads and set HWBP on all of them
VEH injection: manipulate VEH linked list in .mrdata section directly, without WinAPIs
Must flip .mrdata from RO to RW and back, initialize certain ntdll pointers, handle SRW locks
ClearVeh.c — clears VEH handlers registered by EDRs
Thread Name-Calling — uses thread name as write primitive for Win10+ injection
T(ROP)H — DLL injection into remote thread using ROP chains without executable memory allocation
INJECTIONFIBER
Fiber Injection & Advanced Primitives
KERNEL-INVISIBLE // INSTRUMENTATION CALLBACKS
Fibers are invisible to kernel (implemented in user mode in kernel32.dll). No ETW-Ti telemetry. ImmoralFiber: PoisonFiber (remote enumeration + injection) and PhantomThread (callstack masking)
FireWalker (Trap Flag): set Trap Flag in EFLAGS for single-stepping. VEH handler intercepts at specific RIP without HWBP or hooks
Wow64PrepareForException: overwrite function pointer in ntdll .mrdata section to handle exceptions before VEH dispatch. Avoids AddVectoredExceptionHandler (monitored by S1)
Nirvana Hooks (Instrumentation Callbacks): set via NtSetInformationProcess. Kick in when returning from syscall. Can clear EDR PI hooks. Requires SeDebug/admin
Process Hollowing broken on Win11 24H2. Transacted Hollowing and Process Overwriting still viable for process impersonation
INJECTIONEVASION
Callback-Based Execution Primitives
THREAD-FREE SHELLCODE EXECUTION
Abuse Windows callback function pointers to execute shellcode without CreateThread or CreateRemoteThread
CreateTimerQueueTimer — set callback to shellcode address, fires on timer. WaitForSingleObject keeps process alive
EnumChildWindows(NULL, (WNDENUMPROC)pAddr, NULL) — enumerates all top-level windows, callback per window
EnumUILanguagesW((UILANGUAGE_ENUMPROCW)pAddr, MUI_LANGUAGE_NAME, 0) — language enumeration callback
Only useful for local execution — callbacks run in the calling process's address space
Avoids thread-creation API monitoring but memory backing the callback still has shellcode characteristics
INJECTIONSIDELOAD
DLL Sideloading & Hijacking
TRUSTED PROCESS ABUSE
Node.js native addon: export napi_register_module_v1, rename to .node, load via signed node.exe with require('./evil.node')
Godot Engine: GDScript OS.execute() with signed runtime + .pck file
DllShimmer — weaponize DLL hijacking easily, backdoor any function in any DLL
SCCM client DLL hijacking: CrowdStrike doesn't flag it. System DLL hijacking well-detected; application DLLs are blind spots
Must maintain unpublished hijacks — CrowdStrike Overwatch detects those from hijacklibs.net
INJECTIONCOM
COM Hijacking & AppDomain Injection
REGISTRY-BASED EXECUTION
COM hijacking used operationally vs CrowdStrike: macro sets up COM hijack via registry, DLL uploaded days later for deferred execution
High integrity uses HKLM; medium integrity uses HKCU. If proxying, both DLLs loaded
AppDomain Manager injection: copy .NET folder, update machine.config, set COMPLUS_INSTALLROOT, next .NET execution loads malicious AppDomain manager
VladimiRED — AppDomainManager technique for MDE bypass
AppDomain hijack via monitoringhost.exe.config — confirmed vs Cortex XDR
INJECTIONCOM
Cross-Session COM Injection
SESSION ISOLATION BYPASS
SessionHop — COM-based session hijacking injection; leverages COM objects to inject code across Windows sessions (Session 0 to interactive sessions)
Breaks session isolation for cross-session payload delivery — enables code execution from service context into user desktop sessions
Useful for privilege escalation scenarios where implant runs in Session 0 (services) but needs interactive session access
INJECTIONEVASION
Thread Pool & Anti-Memory-Scan Injection
POOLPARTY // VOIDGATE // DIVIDE & CONQUER
PoolParty / PoolPartyBof — injects via Windows thread pool work item insertion. Abuses the worker factory to execute shellcode when the thread pool processes the next work item — no CreateRemoteThread required
Voidgate — per-instruction decryption at execution time. Only one instruction is decrypted in memory at any moment — memory scanners never see the full shellcode payload
Divide and Conquer — splits shellcode across multiple process instances. Each process holds a fragment; coordination reconstructs full payload only during execution — defeats single-process memory scanning
Dirty Vanity — process forking injection. Uses RtlCreateProcessReflection to clone a process, then injects into the clone — inherits parent's token and security context without triggering new process creation callbacks
Caro-Kann — kernel memory scan avoidance. Allocates shellcode in regions that kernel-level memory scanners skip — evades CrowdStrike and other kernel callback-based detection
Primitive Injection — uses only PROCESS_CREATE_THREAD access right. Minimal process access rights required, reducing EDR suspicion from process handle operations
05 — Memory Evasion & Sleep Obfuscation
Evading in-memory scanners through encryption, stomping, and guard page manipulation
MEMORY
Sleep Obfuscation Techniques
IMPLANT MEMORY ENCRYPTION DURING SLEEP
KrakenMask — encrypts implant memory during sleep cycles
Custom CS Sleepmask + UDRL requires careful integration — BeaconUserData must be properly initialized or it silently falls back to vanilla
AceLDR hooks Sleep via IAT, redirects to custom PIC sleep using FOLIAGE where sleepmask code is itself masked during sleep
Encrypt C2 memory while executing inline-PE, BOF, or .NET payloads; decrypt at end. Small portion for IAT hooks must remain unencrypted
IAT hooking Sleep/SleepEx, switching to fiber thread during sleep so call stack looks clean
Remove hook during sleep so memory scanners don't see it; rehook before waking
MEMORY
Module Stomping & Overloading
LEGITIMATE MODULE MEMORY REUSE
Load PE on top of legitimate module for stealthier in-memory execution — avoids unbacked executable regions
Effective when stomping modules excluded from scanning (especially .NET JIT modules)
IOC: LDR_DATA_TABLE_ENTRY differences with DONT_RESOLVE_DLL_REFERENCES (EntryPoint=null)
Shared working set / shared original values as detection vectors. Remap real DLL during sleep fixes copy-on-write IOC but creates image load event IOC
Fork process + kill child restores shared working set. DontCallForThreads flag critical
No-Consolation BOF — runs unmanaged PEs inline with module overloading
MEMORY
Memory Allocation Evasion
SCANNER AVOIDANCE STRATEGIES
Avoid RWX: use RW then change to RX, or leverage existing RX regions
Squeeze code under 4096 bytes (below PAGE_SIZE) — ESET AMS skips sub-page allocations
Allocate 1 byte, get 4095 free; change permissions of 1 byte, get 4095 free
Instead of 12KB allocation, use 3 individual 4096-byte pages. Allocate/write backwards (high to low)
EDR deconditioning: hide shellcode in very large allocation, forces memory scanners to abandon telemetry
shellcode-plain-sight — hide shellcode within large memory region (inspired by Raspberry Robin)
DotnetNoVirtualProtectShellcodeLoader — RuntimeHelpers.PrepareMethod creates RWX without VirtualProtect
MEMORY
Always-On PE Encryption & Guard Pages
PAGE-LEVEL ENCRYPTION // VEH FLOW CONTROL
Nighthawk concept: only one page of implant unencrypted at runtime. PAGE_GUARD + VEH handler
Flow: catch guard exception → encrypt last page → decrypt current page → continue execution
VEH function approximately 20 lines of code
Chain execution across guard pages (~12KB of space per guard page)
Change RW+Guard to RW then RX to avoid memory allocation entirely
Remove PE headers after reflective loading to avoid in-memory PE detection — less than 10 lines of code
06 — EDR-Specific Evasion Profiles
Product-specific bypass research and operational findings
CROWDSTRIKE
CrowdStrike Falcon Evasion
FALCON SENSOR // OVERWATCH
Overwatch uses independent telemetry stream regardless of customer prevention/detection policy
Always test vs both Moderate and Aggressive profiles
SOCKS-proxied traffic flagged — process origin matters (notepad.exe via SOCKS is suspicious)
Shadow copy + drag-and-drop: copy-paste of SAM/SYSTEM flagged, drag-and-drop uses different API and bypasses
7-Zip PhysicalDrive0: browse \\.\PhysicalDrive0 to copy SAM/SYSTEM files — no alert (confirmed 2025)
LSASS dump to remote SMB/WebDAV not flagged (local disk is flagged)
Time manipulation: changing system clock causes events to disappear from console. Agent resyncs every ~15 min
Sandbox upload limit ~35MB: embed compressible content in PE resources section to inflate beyond cap (not append — appending has own signatures)
Limelighter — fake code signing bypassed CS ML detection on DLL
3-minute HTTP delay: CS heavily scrutinizes HTTP connections from new processes within first 3 minutes. Delay first C2 callback accordingly
Global entropy >5 triggers alerts. Use NOPs/inflation to reduce. CS checks global entropy, not per-section
DLLs over EXEs: DLLs not flagged by CS in testing. Unsigned EXEs compiled with Nim/Rust/C get ML-flagged. C# assemblies NOT flagged even unsigned
EP patches alone can bypass: For a 361KB exe, --ep-patch-1 --ep-patch-2 alone (without encoding shellcode) was sufficient
Unhooking triggers ML: Since recent CS updates, the userland unhooking function triggers ML. Adding printf statements cancels the detection
MDE
Microsoft Defender for Endpoint
DEFENDER // NETWORK PROTECTION
MDE does not use userland hooks but still differentiates Win32 vs direct syscalls
WDAC weaponization: deploy Application Control policies to block EDR driver DLLs. Krueger for remote EDR killing
Network Protection blocks "potential C2 connections" using threat intel and ML
With local admin, BYOVD is primary way to blind MDE. Alternatives: WDAC deploy, DNS sinkhole
MDE alerts when device is online but agent doesn't check in
Portable VMs (QEMU, WSL, VirtualBox) to evade host EDR — observed in ransomware groups
Windows Sandbox weaponized for Defender bypass (WSB configurations)
MDE uses ETWTi (kernel-level), not userland hooks — unhooking methods are NOT needed against MDE
Bring Your Own Installer technique: timed termination of agent update process bypasses S1
Clear existing VEH handlers first with ClearVeh.c, then add own handler without S1 re-registering
Fake DLL technique: S1 inserts fake ntd1l.dll and kern3l32.dll at beginning of InLoadOrderModuleList to catch shellcodes. Use --patch-dll-order to fix
SentinelBruh: Abuses S1's own VEH for vectored syscalls and local execution
4MB+ NOPs needed to defeat S1 ML detection on disk for large payloads
CORTEX
Palo Alto Cortex XDR Evasion
CORTEX AGENT // TRAPS
Executable name whitelisting: naming binary apache.exe (or ~50 other excluded filenames in registry) prevents Cortex from loading hooking DLLs entirely
Resource exhaustion: spike agent CPU/memory via GUI + junk data to named pipes, preventing event collection
AppDomain injection delivered via ZIP in Teams (LNK + hidden folders) confirmed working
EncodePointer shellcode storage technique tested successfully against Cortex
No userland hooks: Cortex relies on kernel-level monitoring — unhooking methods are unnecessary
Flags ETW patches: Standard ETW bypass triggers Cortex. Use --etw-disable-method=asm_ret_zero instead
Network connection from unbacked memory: spin up HTTP/SOCKS proxy in separate loader thread — EDR may not unravel callstack
Detection rules contain exclusions in not (process.executable : patterns that can be leveraged
VirtualProtect detection via kernel ETW-Ti PROTECTVM events — NtProtectVirtualMemory routes to same kernel sink. New rules for PAGE_GUARD and PAGE_NOACCESS changes on security DLLs
LatLoader project documents specific Elastic rule bypasses
Open-source rules: github.com/elastic/detection-rules — study published detection rules to understand and evade Elastic signatures
Memory scanning after 4 days caught Sliver sleep masking in field testing — long-term implants need robust sleep obfuscation
ESET
ESET Advanced Memory Scanner
AMS // KERNEL HIPS // VAD WALKING
AMS invoked at random intervals to scan module-mapped memory and dynamic allocations
Kernel HIPS module continuously walks process VADs and scrapes contents
RWX allocations immediately trigger AMS scanning
Allocations smaller than PAGE_SIZE (4096 bytes) are skipped by AMS
RX memory was completely skipped from delayed AMS
AMS designed to detect unpacked malware, code hooks, patches, and process hollowing
Memory scan trigger conditions: process start, hooked API function invocation, sensitive function called without proper kernel call stack
EDRs must balance detection vs performance — constrained by deployment on POS systems, ATMs, and low-resource endpoints
False positive cost is existential: a single FP on a critical business process can lose an enterprise customer
QEMU as evasion: EDR agents ignore QEMU-hosted processes entirely — observed weaponized by ransomware operators
Fork-based operations: forking a process does not fire process creation callbacks if no thread is created. DontCallForThreads flag suppresses thread notification
Understanding what EDRs cannot afford to scan is as valuable as understanding what they detect
07 — BYOVD & EDR Silencing
Kernel-level EDR neutralization through vulnerable drivers and policy abuse
BYOVD
Vulnerable Driver Exploitation
KERNEL R/W // DRIVER ABUSE
Drivers must be dropped to disk and loaded via HKLM\SYSTEM\CurrentControlSet\Services\
Microsoft blocklist uses authenticode signatures (not file hashes) for blocking
Sunder — rootkit modeled after Lazarus Group FudModule, works with most BYOVD exploits
BYOVD for LSASS: make attacker process PPL or remove PPL from LSASS
Resources: loldrivers.io, VirusTotal Enterprise for driver hunting
appid.sys (not a blocked driver) — BOF planned for LSASS dump despite PPL
SILENCING
EDR Silencing Techniques
WDAC // WFP // FIREWALL
WDAC abuse: deploy policies to block EDR driver DLLs from loading — works against most top-tier EDRs
Krueger — .NET tool for remotely killing EDR with WDAC
WFP (Windows Filtering Platform): port of EDRSilencer for EDRs that don't communicate from usermode
DNS/packet filter: block DNS resolutions to EDR console servers (e.g., SentinelOne)
Dedicated dump file overwrite: use crash control registry keys to overwrite EDR components (CrashDumpEnabled/DedicatedDumpFile)
Firewall-blocking EDR comms detectable by lack of telemetry — depends on environment maturity
Loading driver on early boot before EDR wakes up to bypass driver-load alerts
BYOVDEVASION
EDR Process Termination Tools
DRIVER-BASED PROCESS KILLING // FILE LOCKING
ColdWer — EDR process termination tool via vulnerable drivers; kills EDR processes using BYOVD exploitation
Fairy-Law — mass EDR process termination; leverages vulnerable drivers to terminate all EDR-related processes simultaneously
EDR-GhostLocker — locks EDR driver files preventing them from loading on reboot; combines process termination with file locking for persistent EDR blindness
ANTI-EDREVASION
Advanced Anti-EDR & Sleep Techniques
EDR-FREEZE // TRUESIGHTKILLER // GPU VRAM
EDR-Freeze — freezes EDR agent threads via NtSuspendThread enumeration. Suspends all threads belonging to EDR processes, blinding the agent without terminating it — avoids tamper protection alerts triggered by process kill
TrueSightKiller — targets the TrueSight.sys driver (used by some EDRs) to disable kernel-level monitoring. Leverages specific IOCTL calls to blind the driver from reporting process/thread events
GPU VRAM sleep obfuscation — park encrypted shellcode in GPU video memory during sleep cycles. GPU VRAM is not scanned by any current EDR memory scanner — decrypt back to system memory only during execution windows
Service account manipulation — change EDR service account from LocalSystem to a low-priv account via sc config. EDR loses kernel access on next restart — less detectable than process termination
get_cloud_ips — enumerate cloud provider IP ranges (AWS, Azure, GCP) to identify and avoid EDR cloud analysis endpoints. Block outbound connections to EDR cloud infrastructure for offline evasion
08 — Obfuscation Engineering
Compile-time polymorphism, string obfuscation, API hashing, and VM-based protection
OBFUSCATION
LLVM & Compile-Time Obfuscation
COMPILER-LEVEL TRANSFORMATIONS
obfuscator-llvm (Cobalt Strike fork) — compiler-level obfuscation randomizing each build. Can be applied to Sleepmask via Mutator Kit
Dittobytes for PIC obfuscation (painful for multi-file projects)
Rust: loaders succeed where identical C/C++ loaders are flagged. Harder to analyze. Garble recommended for Go
Blog: building custom PE bin2bin obfuscators covers common knowledge for PE obfuscation
OBFUSCATION
String & Import Obfuscation
API HASHING // IMPORT HIDING
API hashing: FNV-1a 64-bit with prefix. Interleave computation with junk/NOP. MBA (Mixed Boolean-Arithmetic) for constants
ADVobfuscator — compile-time C++ string obfuscation
Obfuscate (C++14) and obfstr (Rust) for guaranteed compile-time string obfuscation
Do NOT use import obfuscation libraries with custom shellcode-based stubs. Implement custom RESOLVE(dll, func) macro instead
C#: DynamicPInvoke less obtrusive than PInvoke. DInvoke heavily signatured unless reimplemented from scratch
Procedural macros (Rust) to add random prefix to all PEB-walked functions — prevents fingerprinting
IAT camouflage: add dead-code references to benign WinAPIs (GetTimeZoneInformation, GetLocaleInfoW, etc.) so the import table resembles a legitimate application. Compiler must not eliminate them — use volatile or opaque predicates
OBFUSCATIONEVASION
Data Format Obfuscation (Fuscation)
IPv4 // IPv6 // MAC // UUID ENCODING
IPv4Fuscation: encode shellcode as IPv4 addresses (4 bytes each). Deobfuscate at runtime via RtlIpv4StringToAddressA (ntdll). Used by Hive ransomware
IPv6Fuscation: encode as IPv6 addresses (16 bytes each). Deobfuscate via RtlIpv6StringToAddressA (ntdll)
MACFuscation: encode as MAC addresses (6 bytes each). Deobfuscate via RtlEthernetStringToAddressA (ntdll)
UUIDFuscation: encode as UUID strings (16 bytes each). Deobfuscate via UuidFromStringA (rpcrt4.dll). First 3 segments use little-endian byte order
All deobfuscation uses legitimate NTAPI/RPC functions — no crypto imports in IAT. Data appears as benign network configuration in the binary
Shellcode must be padded to multiples of 4 (IPv4), 6 (MAC), or 16 (IPv6/UUID) bytes
VM
Virtualization & Polymorphic Techniques
VM-BASED PROTECTION // SELF-MODIFICATION
riscy-business — RISC-V VM for code obfuscation, avoids allocating executable memory
PSXecute — MIPS I VM (PlayStation 1 emulator), no executable memory needed
rewolf-x86-virtualizer — VM-based x86 PE protector
VMProtect, Themida — commercial virtualizers
Polymorphic self-modification: self-delete (LloydLabs) then rewrite binary with random bytes to change hash post-execution
anti-llm (llvm-jutsu) — anti-LLM obfuscation via finger counting
NASM-based shellcode obfuscation: disassemble, interleave with junk/NOP, reassemble
OBFUSCATIONEVASION
Entropy Reduction & Pointer Encryption
GENAI-ASSISTED // PTRGUARD
GenAI-Assisted Entropy Reduction — use LLMs (GPT, Claude, local models) to re-encode malware payloads as structured English text, JSON, XML, or code comments; reduces Shannon entropy below heuristic detection thresholds
SugarFree automates entropy reduction by replacing high-entropy shellcode with low-entropy encoded representations — output blends with legitimate application data
ptrguard — pointer encryption technique for memory protection bypass; encrypts function pointers in memory using per-process keys; prevents memory scanners from identifying shellcode dispatch routines; decryption happens inline at call time
09 — Code Signing & PE Manipulation
Certificate abuse, signature manipulation, and binary engineering
Winamp cert reduced VT detections significantly. AVs that bail on signed PE: Avira, DeepInstinct, McAfee Scanner, WithSecure
Limelighter — generates fake code signing certificates. Bypassed CrowdStrike ML on DLL
Self-signed certs: pass unsigned binary EDR check, must be timestamped
EV Code Signing: ~$350/year. Certum as cheaper CA. Full acquisition via ssl.com takes ~3 days — requires LLC + website + phone number. CA enforces MFA on signing portal
MagicSigner — acts as signtool for expired certificates, re-signs with controlled timestamp
CarbonCopy — spoof the certificate chain of any website onto a PE binary
Azure Trusted Signing abuse via certcentral.org database
PE
PE Manipulation & Binary Engineering
SECTIONS // RESOURCES // CHECKSUM
SigFlip — inject arbitrary data into PE certificate area (excluded from signature verification)
OriginalFileName in VersionInformation used by EDRs (especially CS) to detect renamed executables — can't change without invalidating signature
PE2HTML polyglot: embed HTML comments in PE headers for dual-valid file. Run via cmd.exe /c myPE.html (ignores extension)
Resource cloning from legitimate apps affects entropy, similarity metrics, ML features
PE checksum manipulation: changing checksum changes file hash but keeps Authenticode signature intact
RedBackdoorer / Cordyceps — reuses IAT and data sections to deeply integrate into target executables
MS-signed DLLs with RWX sections found in older Windows 10 (System.Management.Automation.ni.dll)
10 — Anti-Analysis & Sandbox Evasion
Execution guardrails, sandbox detection, and anti-emulation techniques
SANDBOX
Anti-Sandbox & Environment Detection
GUARDRAILS // ENVIRONMENT KEYING
whereami BOF — parses TEB/PEB directly for environment strings without touching DLLs
Anti-emulation: GetProcAddress on Defender sandbox-only functions as environment detection
T-1 — shellcode loader using ML techniques to detect VM environments
Server-side deny-list: collect RAM, cores, etc. in stager; evaluate server-side to avoid embedding detection logic in payload
Fake C2 to fingerprint and collect info from sandboxes
ML-based sandbox detection using process lists for profiling
Add delay between anti-sandbox checks and shellcode loading to avoid behavioral correlation
Kernel structure detection: KUSER_SHARED_DATA->InterruptTime (uptime <1hr = sandbox), DbgSecureBootEnabled (no sandbox has SecureBoot). Access via gs: register, zero API calls needed
EDR deconditioning: allocate 100,000+ RW→RX regions before actual payload. Defender gives up scanning. File size inflation: Defender >50MB, CS cloud ML ~35MB cutoff
GUARDRAIL
Execution Guardrails & Keying
DOMAIN PIN // HOST PIN // DNS CHECK
Language/locale check before executing payload (CleverSoar technique)
DNS-based guardrails: resolve specific internal hostnames, check for domain membership
Domain/hostname pinning: payload only executes on specific domain-joined machines matching naming convention
Host Checker bypass: create fake binary named after expected process (e.g., crowdstrike) when VPN checks for running AV
CAPTCHA on landing pages prevents automated scanning by email security
Polyglot files: LNK + ZIP polyglot opens in 7-Zip; extracted files don't propagate MOTW. ZIP concatenation confuses parsers
Corrupted DOCM first bytes bypass spam filters; Word auto-recovery still opens them
ANTI-FORENSIC
Binary Self-Deletion via ADS
NTFS ALTERNATE DATA STREAMS // ANTI-FORENSIC
Problem: Windows prevents deleting a running executable (ERROR_ACCESS_DENIED)
Bypass: open file with DELETE | SYNCHRONIZE, rename the :$DATA stream to arbitrary name (e.g., :X) via SetFileInformationByHandle(FileRenameInfo)
Close handle, re-open file, mark for deletion via SetFileInformationByHandle(FileDispositionInfo) with DeleteFile = TRUE
Binary disappears from disk on handle close while process continues executing from memory
Hinders post-compromise forensic collection — no file to acquire from disk
11 — Payload Delivery & Exotic Formats
HTML smuggling, MSI abuse, BYOI delivery, and unconventional file formats
DELIVERY
HTML Smuggling & Web Delivery
WASM // TRANSPILER ABUSE
Use transpilers to generate JavaScript: Python (Pyodide/WebAssembly), Java (GWT), Go, Rust
WorstFit — Windows ANSI transformation for command line detection bypasses, Sigma rule bypasses, LOLBin abuse
HTTP.sys backdoor — kernel-mode HTTP server from usermode without admin. Port shows as System process
Browser extension C2: silently install Chrome extensions for persistence + C2. Extensions proxy traffic through Chrome's network stack, defeating hardware-based checks. Native messaging API bridges to native implant
DELIVERY.NET
.NET & CLR Execution Frameworks
RUNSPACE // BOF.NET // APPDOMAIN
BOF.NET — .NET assemblies through CS BOFs. Built-in AMSI/ETW patching. Rename all BOFNET.* namespaces and replace CLRCreateInstance with LdrLoadDll
ETW reports .NET module loads including static class/function names (from .NET 4.8+) — EDRs get low-level insight
ShadowShell — PowerShell without powershell.exe using custom CLR runspace
UnmanagedPowerShell — execute PowerShell from unmanaged process
DllExport (.NET) — hacky workaround to give .NET assemblies native-like exports
AppDomain Manager injection: alternative to DLL sideloading as MS moves toward blocking unsigned DLL loads
DELIVERYEVASION
LNK Weaponization, VBA-to-CLR & Office RCE
DARKLNK // VBA2CLR // CVE-2025-21365
DarkLnk — advanced malicious LNK file creation tool; generates weaponized shortcuts with embedded payloads, custom icons, and evasion features
vba2clr — execute .NET assemblies directly from VBA macros; bridges VBA and CLR runtime; loads arbitrary .NET payloads from Office documents without dropping files to disk
CVE-2025-21365 — Microsoft Office RCE (Word, PowerPoint, Outlook); logic bug in Office's built-in protections; enables code execution through crafted documents that exploit process continuation mechanisms
DELIVERYEVASION
MSC, ClickOnce & Exotic Delivery Formats
MSC // CLICKONCE // SVG SMUGGLING // BYOI
MSC files (Management Saved Console): XML-based Microsoft Management Console snap-in files. Can execute commands via TaskPads, StringTables, and COM objects. Bypasses many email gateway filters — not commonly blocked
ClickOnce (.application): Deploys .NET executables from a URL with one click. SmartScreen checks publisher signature but execution happens via legitimate dfsvc.exe. WinRAR doesn't propagate MOTW to ClickOnce manifests
SVG smuggling: Embed JavaScript payload inside SVG image files. SVG opens in browser by default, JS executes to drop payload via HTML smuggling within the image context. Bypasses email attachment filters that allow images
BYOI Python: Bring Your Own Interpreter — bundle Python runtime (embedded distribution, ~15MB) with payload. Signed python.exe executes unsigned .py/.pyc scripts. Defenders rarely monitor Python process trees
WEAPONIZE_DOTNET (MacroPack Pro): Package .NET assemblies as self-contained delivery payloads with built-in AMSI bypass and runtime control. --control-dotnet-runtime patches CLR.DLL AmsiScanBuffer at load time
Unconventional file types, hidden extensions, and Mark-of-the-Web evasion
FORMAT
.winget & Package Manager Abuse
DSC CONFIG // NO SMARTSCREEN
.winget files execute winget.exe configure with YAML DSC config. Default on Windows 11. No SmartScreen warning triggered
MOTW is not applied to .winget files — anything winget executes has no SmartScreen
Acceptance prompt bypass: echo Y |, --accept-configuration-agreements (v1.11.430+), or --disable-interactivity (admin)
Can execute PowerShell, write registry, create processes via YAML DSC
Chain with polyglot .lnk: more on LNK followed by winget configure on resulting YAML
Chocolatey abuse: create malicious .nupkg packages with payload in chocolateyInstall.ps1. ChocoBonzer: C++ reflective DLL loader variant
FORMAT
Hidden Extension File Types
PIF // WAX // URL // SUO
.pif files: passed to same ShellExecute as EXEs — a renamed EXE with .pif extension runs normally. Windows always hides .pif extension even with "show all extensions" enabled (1 of 16 hidden types)
calc.docx.pif appears as "calc.docx" to user. Outlook blocks PIFs, deliver via archives
.wax files: Windows Media playlists that reference remote UNC paths for NTLM hash capture. Host valid voicemail before poisoned reference to suppress errors
.url files: zero-day allowing NTLM credential capture by merely viewing in Explorer (no click)
.suo files: Visual Studio Solution User Options execute code on initial project open (used by DPRK actors targeting researchers)
.pac files: Proxy Auto-Configuration creates 12-hour JavaScript context in browser. MITM delivers malicious PAC that persists
MOTW
MOTW Bypass Techniques
MARK-OF-THE-WEB EVASION
ADS bypass: MOTW (Zone.Identifier) is itself an ADS. Data inside nested ADS streams doesn't receive MOTW propagation — same principle as ISO inner files. RAR/WIM archives preserve ADS
RAR file type gaps: WinRAR propagates MOTW to LNK but not to XLL, JS, URL, ClickOnce, IQY, CPL, WSF, CHM — these execute without SmartScreen
NachoVPN — malicious SSL-VPN server exploiting VPN client configs for credential disclosure + RCE. Doesn't work through Zscaler
BLE C2: client/server model using GATT/GAP protocols. Stable Windows executable over Bluetooth. macOS: exfiltrated passwords via fake prompt over BLE (no TCC/Gatekeeper/codesign complaints)
PipeTap — named pipe proxy with ImGui for inspecting/manipulating/replaying pipe comms
pipe-intercept — intercept named pipes via Burp-style HTTP proxy
EDR DLLs communicate via named pipes — fuzzing target for EDR bypass research
CVE-2025-21298: Windows OLE zero-click RCE via email
CHAIN
ETW Event Binning & DripLoader Pattern
API CALL INTERLEAVING // TELEMETRY EVASION
EDRs consume ETW-Ti events but must bin/sample due to volume — interleave malicious API calls with benign-looking ones
Write NOP pages to target process interspersed with actual shellcode write — EDR deduplication may drop the real payload write
Guessing EDR's binning pattern: how to segment, intermingle, and reorder API calls is the key challenge
Principle behind DripLoader efficiency — drip-feed small writes that individually appear benign
CHAIN
COM Execution Dechaining
OUT-OF-PROCESS COM // PARENT-PID BREAK
Use out-of-process COM objects to break parent-child process relationship: WScript.Shell, Shell.Application, Visual Studio DTE
Execution originates from COM server (svchost), not attacker's process — breaks EDR process attribution
Scheduled Task via DCOM: modify tasks via COM interface. Originating process appears as svchost, making triage extremely difficult
EDRs have telemetry gaps around COM IPC for task scheduler operations — many sample rather than capture all calls
CHAIN
Polyglot LNK Techniques
LNK POLYGLOTS // SINGLE-FILE DELIVERY
LNK + VBS: append VBS to LNK (COPY /B a.lnk+b.vbs c.lnk). LNK target extracts and executes appended payload. Single-file delivery
LNK + ZIP: append ZIP containing signed EXE + malicious DLL + decoy PDF. LNK extracts and triggers sideloading
LNK → MSHTA: polyglot exploits mshta's tolerance for garbage data. mshta skips unparseable lines and executes valid HTA/VBS code found within
LNK → LNK (WebDAV): first LNK points to second LNK on WebDAV, which triggers signed EXE sideloading. Double indirection
desktop.ini cloaking: CLSID={88C6C381...} + attrib +s +h +r makes folder appear empty in Explorer even with hidden items shown. 7-Zip/WinRAR archives preserve these attributes
14 — Payload OPSEC & Testing
Operational security, signature awareness, and detection pipeline
OPSEC
Evasion Taxonomy
COMPREHENSIVE DETECTION LAYERS
Static signature: custom code, LLMs for generation, ImpHash/TypeRefHash busting
Heuristic: no off-the-shelf packers, sign payloads with expired/leaked certs
Cloud-reputation: backdoor known binaries (prefer DLLs), abuse scripts (ps1, js, msc, xsl, bat, au3), lesser scrutinized vectors
ML evasion: file-bloating, payload staging, encoding (substitution, ASCII85, ALPHA32, base64 variants), signing. Entropy reduction: pad encrypted payloads with English word lists or structured data to lower Shannon entropy below detection thresholds
LitterBox — sandbox for testing payloads against detection. MCP/LLM integration
RedEdr — collect Windows telemetry for malware development. Paired with "The (Anti-)EDR Compendium"
ShellcodeObfuscationLab — key finding: encoding type doesn't matter for detection; IAT presence is primary static indicator
Always test vs at least one sophisticated EDR before engagements. Get EDR lab licenses via third-party resellers
Multiple loaders with different hashes and C2/C3 variants recommended (4-5 per engagement)
What defeats payloads: hardened WDAC/AppLocker, Intel CET/kernel shadow stacks, reusing same loader (similarity metrics)
Build OPSEC: prevent username/path leaks. Rust/MSVC: -Clink-arg=/DEBUG:NONE. Go: garble with -literals -tiny. Use alloca for stack allocation to avoid VirtualAlloc/HeapAlloc telemetry
CRT removal: strip C Runtime library to eliminate CRT string signatures and reduce binary footprint. MSVC: /NODEFAULTLIB + custom entry point via /ENTRY. Replace memcpy/memset/strlen with custom intrinsics. Removes __security_init_cookie, _initterm, and other CRT artifacts from IAT
CHAIN DESIGN
Delivery Chain Strategic Principles
ARCHITECTURE DECISIONS
Archives with multiple files survive on-write AV better than single-file archives — blend with billions of legitimate downloads
LNK files remain primary trigger but face increasing pressure (MOTW, SmartScreen, CS flags LNKs >260 chars or with download cradle keywords)
BAT/CMD are second most common trigger — currently viable because MOTW checks not enforced on cmd.exe
KISS principle: shorter chains more effective. Each step increases detection probability
MOTW written by extracting application, not archive format — archiver version and format significantly affect propagation behavior
Unsigned EXEs may survive in SFX/iexpress contexts where ML ingested enough benign carriers
Backdooring existing DLLs > creating new ones: maximizes file resemblance to known-good corpora
15 — Attack FlowChains
End-to-end payload delivery and evasion chains
▸ Node.js Sideload Chain
HTML SmugglingZIP ArchiveLNK → signed node.exerequire('./evil.node')DLL Sideload → Beacon
Malicious .RDP FileRDP Logon Script RunsCopy DLL + SCT + BAT to VictimTypeLib COM Hijack SetupPersistent COM Execution
▶ ADS MOTW Bypass Chain
Hide Payload in NTFS ADSPackage in RAR/WIM (Preserves ADS)Victim Extracts ArchiveBAT Reads Payload from ADSExecute Without MOTW
▶ Polyglot LNK + ZIP Sideload Chain
Create LNK + Append ZIPZIP: Signed EXE + DLL + DecoyLNK Self-Extracts ZIP DataSigned EXE Sideloads DLLBeacon + Decoy PDF Opens
▶ MSI + DLL Sideload + Startup Persistence
MSI Install PackageUnpack Signed EXE + Malicious DLLExecute Sideloading ChainPlant LNK in shell:StartupReboot → Auto-Sideload
▶ SessionHop COM → Cross-Session Injection → User Context Execution
Enumerate COM ObjectsIdentify Cross-Session CLSIDInstantiate in Target SessionSession 0 → InteractiveInject Payload via COM MethodCode Execution in User Context
Generate ShellcodeFeed to LLM / SugarFreeRe-encode as Low-Entropy TextEnglish/JSON/XMLEmbed in Legitimate-Looking BinaryShannon Entropy Below ML ThresholdBypass Heuristic + ML Detection
16 — Tool Arsenal
Categorized reference of tools, frameworks, and utilities
Shellcode & Loaders
DonutPE/Assembly → PIC shellcode convertersRDIDLL → position-independent shellcodeSGNPolymorphic shellcode encoder (requires RWX)DeoptimizerStructural shellcode transformationLexiCryptSubstitution cipher shellcode encryptorRustLuaLoaderLua-embedded Rust shellcode dropperbtexecBluetooth callback shellcode executionPSXecuteMIPS I VM execution (no exec memory)DojoLoaderGeneric PE loader for evasion prototypingkonekoCS shellcode loader with advanced evasionShhhloaderPublic loader with extensive evasion optionsT-1ML-based VM detection shellcode loaderHuffLoaderHuffman-encoded shellcode obfuscation loaderPIClinPIC compilation from C/Rust/Zig sourceSnapLoaderShellcode injection into ntdll memory spaceRogueLoaderUser-land hook bypass loader with unhooking
Reflective Loaders & PIC
BokuLoaderReflective loader for Cobalt StrikeOdinLdrUDRL with KrakenMask sleep obfuscationAceLDRUDRL with FOLIAGE + Gargoyle integrationTitanLdrReflective loader with DNS-over-HTTPSCrystal PalacePIC DLL loader linker by Raphael MudgeEPICC-to-PIC shellcode development toolkitKrakenMaskSleep obfuscation with memory encryptionMemoryModuleLibrary for loading DLL from memory
EDR Evasion & Bypass
UnhookMeUniversal API resolver and unhookerpatchwerk BOFOverwrites Nt* stubs with clean syscallsNull-AMSI.NET Reflection AMSI/ETW bypassStracciatellaAppDomain AMSI reflective disableKrueger.NET remote EDR killing via WDACBOAZMultilayered AV/EDR evasion frameworkStoneKeeperExperimental EDR evasion C2InceptorTemplate-driven AV/EDR evasion frameworkProtectMyToolingChain multiple .NET/PE obfuscatorsEvadeXFramework with CPL and format supportLatLoaderDocuments specific Elastic rule bypassesSunderBYOVD rootkit (Lazarus FudModule model)LimelighterFake code signing certificate generatorMagicSignerSigntool for expired certificates with timestamp controlCarbonCopySpoof certificate chain of any website onto PEWindowsDowndateWindows Update hijack for downgradesColdWerEDR process termination via vulnerable driversFairy-LawMass EDR process termination via BYOVDEDR-GhostLockerEDR driver file locking for persistent blindnessptrguardPointer encryption for memory scanner evasion
Injection & Sideloading
DllShimmerWeaponize DLL hijacking for any functionGimmeShelterFind injection-friendly DLLs (RWX, signed)VladimiREDAppDomainManager MDE bypassClearVeh.cClear EDR-registered VEH handlersNo-ConsolationBOF for inline PE with module overloadingRedBackdoorerIAT/data section PE integrationSigFlipInject data into PE certificate areaShellter ProAutomated DLL backdooring without cavesSessionHopCOM-based cross-session injection
Obfuscation & Signing
obfuscator-llvmCompiler-level obfuscation (CS fork)ADVobfuscatorCompile-time C++ string obfuscationObfuscateC++14 guaranteed compile-time stringsobfstrRust compile-time string obfuscationConfuserEx2.NET obfuscator (remove watermarking)GarbleGo binary stripping and obfuscationriscy-businessRISC-V VM code obfuscationllvm-jutsuAnti-LLM obfuscationSugarFreeGenAI-assisted entropy reduction for payloads
Delivery & BYOI
WALKRust-WebAssembly HTML SmugglingSilkWASMGo-WebAssembly HTML SmugglingPyramidPython-based EDR blind spot operationPythonMemModulePure Python DLL loading from memoryod_importReflective Python C extension loadingBOF.NET.NET assemblies through CS BOFsShadowShellPowerShell via custom CLR runspaceRed Macros Fact.Initial access framework (100+ formats)DarkLnkAdvanced malicious LNK file creation toolvba2clrExecute .NET assemblies from VBA macros
Testing & Analysis
LitterBoxPayload testing sandbox with LLM/MCPRedEdrWindows telemetry collector for maldevShellcodeObfLabShellcode obfuscation test benchMonetaMemory scanner for detection testinghollows_hunterMemory scanning and PE detectionFridaDynamic instrumentation frameworkcapaStatic capability identificationThreatCheckSignature identification toolDetonatorOnline payload testing platform (detonator.r00ted.ch)binlexBinary genetic traits lexer frameworkwhereami BOFEnvironment detection via TEB/PEB
Call Stack & Syscall Tools
LoudSunRunStack spoofing with synthetic framesCallStackSpoofHWBP-based call stack spoofingDraugrBOF with synthetic stackframeSysWhispers2/3SSN resolution via Zw function sortingNimSyscallPackNim-based syscall packer for EDR bypassInlineWhispers3Inline syscalls for BOFsNullGateIndirect syscall via null byte SSN resolutionHellshazzardHybrid HellsGate with extra obfuscation layersEbyte-SyscallsObfuscated syscall stubs for API call hiding
Exotic Formats & LOLBins
cmdizeBAT polyglot/self-extracting converterNachoVPNMalicious SSL-VPN server for RCE/credsWSL_Payload_Bldr Custom WSL distros with embedded payloadsUniObfuscatorJava Unicode escape obfuscatorPipeTapNamed pipe proxy with ImGui interfacepipe-interceptNamed pipe interception via HTTP proxyOleViewDotNet.NET OLE/COM viewer and inspectorSpartacusDLL/COM hijacking enumeration toolkitBlueDuckyBluetooth pairing exploit (0-click)TunnelVisionVPN bypass via DHCP manipulationbloatware-pwnRazer Synapse 4 LPE exploitDriverJackKernel driver abuse toolkitpe2shcEXE/DLL→shellcode (9/70 to 0/70)GhostEvasive shellcode loaderImmoralFiberFiber injection + callstack maskingavredMulti-signature identification (better ThreatCheck)