A Systems Security Research Adventure - Tradecraft Garden
EDR Evasion: Using LLMs to Cut Detection Signatures
Stripping your binary makes EDR detection worse, not better. See how an LLM and VirusTotal automate antivirus evasion by blending in instead.
TwoSevenOneT/EDR-Freeze: EDR-Freeze is a tool that puts a process of EDR, AntiMalware into a coma state.
EDR-Freeze is a tool that puts a process of EDR, AntiMalware into a coma state. - TwoSevenOneT/EDR-Freeze
tijme/dittobytes: Metamorphic cross-compilation of C++ & C-code to PIC, BOF & EXE.
Metamorphic cross-compilation of C++ & C-code to PIC, BOF & EXE. - GitHub - tijme/dittobytes: Metamorphic cross-compilation of C++ & C-code to PIC, BOF & EXE.
DefendNot: Turning Windows Defender Against Itself
Rather than tampering with Defender processes or registry keys, DefendNot takes a different approach by registering a fake antivirus through the Windows Security Center (WSC) COM interface. Because Defender is built to step aside when third-party antivirus software is present, this spoofed registration triggers Windows’ own conflict resolution logic. Technical Breakdown: Abusing Windows’ Own Conflict Resolution At the core of DefendNot’s technique is the Windows Security Center (WSC), a native Windows component responsible for managing security products like antivirus and EDR solutions. It registers itself as a fake antivirus inside WSC, convincing Windows to do the work of disabling Defender on its behalf. These paths are normally used by Windows to track legitimate antivirus products. Once those keys are in place, WSC accepts the registration as valid and replaces the Defender entry with the spoofed antivirus. Detection Mechanisms Although Microsoft Defender for Endpoint’s logging is degraded once DefendNot is active, defenders can still detect its activity. Each of these contains a GUID that may appear arbitrary, but these GUIDs represent the spoofed antivirus registered by DefendNot alongside the legitimate Defender entry. The registry entries also store metadata pointing to the DLL responsible for handling antivirus or AMSI functions, giving defenders another way to confirm tampering. Detection Opportunities Monitoring for registry modification and creation events under the following keys can provide strong indicators of DefendNot’s presence: HKLM\SOFTWARE\Microsoft\Security Center\Provider\AV HKLM\SOFTWARE\Microsoft\AMSI\Providers\ WMI\AutoLogger\DefenderAuditLogger WMI\AutoLogger\DefenderApiLogger HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks We've published detection and threat hunting criteria to help security teams identify DefendNot activity. This involves: Deleting persistence-related registry keys under the TaskCache path Removing spoofed provider entries at: HKLM\SOFTWARE\Microsoft\Security Center\Provider\Av HKLM\SYSTEM\CurrentControlSet\Services\AMSI\Providers Deleting the associated DLL listed in the InProcServer32 path under the spoofed antivirus GUID Once these artifacts are removed, restart the machine and confirm Defender’s operational status by running: Get-MpComputerStatus This validation ensures that spoofed antivirus registrations have been cleared and that Microsoft Defender is once again actively protecting the system. Instead of disabling Microsoft Defender through brute force techniques, it convinces Windows that another antivirus product is already installed and trusted. Attackers are increasingly building tools designed to blind security products, whether through aggressive EDRKillers like KillerUltra or deceptive techniques like DefendNot.
vxCrypt0r/Voidmaw: A new technique that can be used to bypass memory scanners. This can be useful in hiding problematic code (such as reflective loaders implemented by C2 beacons) or other problematic executables that will be flagged by the antimalware programs(such as mimikatz).
A new technique that can be used to bypass memory scanners. This can be useful in hiding problematic code (such as reflective loaders implemented by C2 beacons) or other problematic executables tha...
Modern obfuscation techniques - Modern_obfuscation_techniques.pdf
DosX-dev/obfus.h: Macro-header for compile-time C obfuscation (tcc, win x86/x64)
Macro-header for compile-time C obfuscation (tcc, win x86/x64) - DosX-dev/obfus.h
pygrum/gimmick: Section-based payload obfuscation technique for x64
Section-based payload obfuscation technique for x64 - pygrum/gimmick
vxCrypt0r/Voidgate: A technique that can be used to bypass AV/EDR memory scanners. This can be used to hide well-known and detected shellcodes (such as msfvenom) by performing on-the-fly decryption of individual encrypted assembly instructions, thus rendering memory scanners useless for that specific memory page.
A technique that can be used to bypass AV/EDR memory scanners. This can be used to hide well-known and detected shellcodes (such as msfvenom) by performing on-the-fly decryption of individual encry...
adamyaxley/Obfuscate
Guaranteed compile-time string literal obfuscation header-only library for C++14
Binary obfuscation - String obfuscating in C
The first step in reversing any binary for any purpose is to try and elicit any meaningful information that is most easy to retrieve. One such information is clear text strings in the binary. They may disclose a lot of information if the programmer did not take care to remove …
netero1010/GhostTask
Creating a scheduled task solely through registry key manipulation.
myzxcg/RealBlindingEDR
Remove AV/EDR Kernel ObRegisterCallbacks、CmRegisterCallback、MiniFilter Callback、PsSetCreateProcessNotifyRoutine Callback、PsSetCreateThreadNotifyRoutine Callback、PsSetLoadImageNotifyRoutine Callback...
pard0p/Cordyceps
C++ self-Injecting dropper based on various EDR evasion techniques.
Mr-Un1k0d3r/DKMC
DKMC - Dont kill my cat - Malicious payload evasion tool
Malware EDR Evasion Techniques
Yo, how’s it going everyone. Sorry it’s been a while since my last post. Fear not, I’m geared up and ready to dive in to a full discussion on Malware evasive maneuvers…specifically, .js files for the first drops on a machine. Oh and yes, you’re reading that correctly. I said .js, because believe it or not it is still actively used and HIGHLY effective at bypassing your most common EDR solutions today. Why is that? Well, it’s likely due to a few reasons:
AMSI.fail
AMSI.fail generates obfuscated PowerShell snippets that break or disable AMSI for the current process.
GitHub - NUL0x4C/TerraLdr: A Payload Loader Designed With Advanced Evasion Features
A Payload Loader Designed With Advanced Evasion Features - GitHub - NUL0x4C/TerraLdr: A Payload Loader Designed With Advanced Evasion Features
TheD1rkMtr/PE-Obfuscator: PE obfuscator with Evasion in mind
PE obfuscator with Evasion in mind. Contribute to TheD1rkMtr/PE-Obfuscator development by creating an account on GitHub.
icyguider/LightsOut
Generate an obfuscated DLL that will disable AMSI & ETW
zer0condition/mhydeath
Abusing mhyprotect to kill AVs / EDRs / XDRs / Protected Processes.