Prevent any DLL from hooking using child process and debug capabilities
https://hadess.io/the-art-of-hiding-in-windows/
This map lists the essential techniques to bypass anti-virus and EDR
https://raw.githubusercontent.com/CMEPW/BypassAV/main/img/Bypass-AV.png
https://cmepw.github.io/BypassAV/
https://pre.empt.dev/posts/maelstrom-edr-kernel-callbacks-hooks-and-callstacks/
https://www.ired.team/offensive-security/defense-evasion
https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/
https://jackson_t.gitlab.io/edr-reversing-evading-01.html
https://www.youtube.com/watch?v=85H4RvPGIX4
https://synzack.github.io/Blinding-EDR-On-Windows/
Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs
https://github.com/optiv/Mangle
EDRSandBlast is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections (kernel callbacks and the ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
https://github.com/wavestone-cdt/EDRSandblast
USER LAND:
enSilo (Omri Misgav, Udi Yavo), FIRST Tel Aviv 2019: Analyzing Malware Evasion Trend - Bypassing User-Mode Hooks
https://www.first.org/resources/papers/telaviv2019/Ensilo-Omri-Misgav-Udi-Yavo-Analyzing-Malware-Evasion-Trend-Bypassing-User-Mode-Hooks.pdf
https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
KERNEL LAND:
https://web.archive.org/web/20200807041149/www.deniable.org/windows/windows-callbacks
https://www.matteomalvica.com/blog/2020/07/15/silencing-the-edr/
https://pre.empt.dev/posts/maelstrom-edr-kernel-callbacks-hooks-and-callstacks/