APC Queue Injection EDR Evasion in Rust
Updated Jun 30, 2024 - Rust
Whenever PowerShell is launched, Notepad will also open. You can customize the script for educational purposes, but I emphasize that I do not take any responsibility for its use or any actions taken.
Mostly malicious or abusable PowerShell I've written
A (WIP) EDR evasion tool for x64 Windows & Linux binaries that utilizes Nanomites, written in Rust.
Event Tracing for Windows EDR bypass in Rust
Use hardware breakpoints to spoof the call stack for both syscalls and API calls
Rust malware EDR evasion via direct syscalls, fully implemented as an example in Rust.
Kraken Crypter v5 (Native/Turbo)
Abusing the Windows fork API and the OneDrive.exe process to inject malicious shellcode without allocating a new RWX memory region.
Hidedump: an LSASS dump tool that may bypass EDR
"AMSI WRITE RAID": a vulnerability that leads to an effective AMSI bypass
Evade EDRs the simple way: by not touching any of the APIs they hook.
Nim process hollowing loader
PowerJoker is a dynamic PowerShell reverse-shell generator; it produces unique payloads with different results on each execution.
Silence file system monitoring components by hooking their minifilters
EDRSandBlast is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections (Notify Routine callbacks, Object Callbacks and the ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls.
Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".