Defense Evasion

Advanced techniques for evading endpoint detection and response (EDR), antivirus, and security monitoring during red team operations and adversary simulation.

Overview

Modern Endpoint Detection and Response (EDR) solutions represent the most significant challenge for red team operations. These tools employ multiple detection layers—userland hooking, kernel callbacks, behavioral analysis, and machine learning—creating a sophisticated defense matrix that operators must understand and navigate.

Defense evasion is not about "hacking past security"—it's about demonstrating realistic adversary capabilities to help organizations understand their true security posture. Blue teams use this knowledge to identify detection gaps and improve their defenses.

Purpose of Evasion Techniques

Defense evasion techniques exist to simulate real-world adversaries during authorized security assessments. Understanding how attackers evade detection helps defenders build more robust detection strategies and response playbooks.

EDR Evasion Techniques

EDR Evasion Techniques - Comprehensive guide to bypassing endpoint detection and response systems

Detection Mechanisms to Evade

Userland Hooking

EDRs inject DLLs into processes to intercept API calls:

API Category	Common Hooked Functions
Memory	`VirtualAlloc`, `VirtualProtect`, `VirtualAllocEx`
Process	`CreateRemoteThread`, `WriteProcessMemory`
Execution	`CreateProcess`, `NtCreateThreadEx`
Networking	`connect`, `send`, `recv`

Kernel-Level Monitoring

Kernel callbacks - Process/thread creation, image loading
Minifilter drivers - File system operations
ETW providers - System-wide event tracing
AMSI - Script and memory content scanning

Behavioral Analysis

Suspicious parent-child process relationships
Command-line argument anomalies
Memory allocation patterns (RWX)
Network connection timing and destinations

Evasion Categories

Process Injection Techniques

Classic Injection

// Standard injection pattern (heavily detected)
VirtualAllocEx() → WriteProcessMemory() → CreateRemoteThread()

Advanced Techniques

Process Hollowing - Replace legitimate process image
Thread Hijacking - Hijack existing threads
APC Injection - Queue user-mode APCs
Early Bird - Inject before process initialization
Module Stomping - Overwrite legitimate DLL

API Hooking Bypass

Direct Syscalls Bypass userland hooks by calling syscalls directly:

// Instead of calling NtAllocateVirtualMemory through ntdll.dll
// Call the syscall directly
mov r10, rcx
mov eax, [syscall_number]  // e.g., 0x18 for NtAllocateVirtualMemory
syscall

NTAPI Unhooking Restore original ntdll.dll bytes to remove EDR hooks:

Map fresh copy of ntdll.dll from disk
Compare .text sections
Restore original bytes

Memory Evasion

Reflective DLL Loading - Load DLLs without LoadLibrary
Module Overloading - Hide code in legitimate DLL space
Heap Encryption - Encrypt sensitive data in memory
RX Memory - Avoid RWX allocations

Obfuscation Techniques

Payload Obfuscation

AES/XOR encryption of shellcode
String encryption and runtime decryption
Control flow obfuscation
API hashing for dynamic resolution

Signature Evasion

Custom packers and crypters
Metamorphic code generation
Timestamp manipulation
Rich header modification

Living Off the Land (LOLBAS)

Abuse trusted Windows binaries to evade detection:

Binary	Technique
`msbuild.exe`	Execute inline C# tasks
`regsvr32.exe`	Download and execute SCT files
`certutil.exe`	Download files, encode/decode
`rundll32.exe`	Execute DLL exports
`mshta.exe`	Execute HTA/JavaScript