Evasion
Examples mentioned in the slides:
- Advisory on New Endpoint Detection and Response (EDR) Killer Tool Used by Multiple Ransomware Groups (Computer Security Agency, Singapore, August 2025)
- Should Security Solutions Be Secure? Maybe We're All Wrong - Fortinet FortiSIEM Pre-Auth Command Injection (CVE-2025-25256)
The techniques listed below are out of scope (not discussed in the course) but may be interesting.
EDR Bypass
- Evading Anti Virus. Focused on metasploit and msfvenom, but very interesting and relatively easy to understand.
- Avoiding Detection with Shellcode Mutator. A tool that mutates exploit source code without affecting its functionality, changing its signature and making it harder to reliably detect as malicious.
- List of techniques for bypassing AV and EDR, with a nice graphic.
- Let's create an EDR and bypass it.
- Meterpreter vs Modern EDR(s) describes experiments for injecting payloads with Meterpreter while bypassing EDR (Endpoint Detection and Response: the modern term for what used to be called an "Antivirus"). Section "Meterpreter Reference Dropper" contains an example of usage of msfvenom.
- Interesting Technique to Launch a Shellcode. Basically, the CallWindowProc API function accepts any function pointer and blindly executes it, without creating any new thread. Many EDRs monitor CreateThread/NtCreateThreadEx but not this function (August 2025).
- Break The Protective Shell Of Windows Defender With The Folder Redirect Technique. "I will demonstrate the technique of breaking into the protected folder that contains the executable files of Windows Defender. From there, we can manipulate Defender at will, such as side-loading DLLs, destroying executable files to prevent the service from running, and more." (September 2025)
- Silent Harvest: Extracting Windows Secrets Under the Radar. "I'll share a new, simple approach I developed that successfully bypasses almost all EDRs I've tested... I'll reveal the method I discovered to evade EDR detection and how it can enhance red team operations. In practice, calling RegQueryMultipleValuesW (even repeatedly against highly sensitive values in SAM or SECURITY) triggered zero alerts on every EDR platform I tested. My working hypothesis is that vendors concentrated on the far more common single-value APIs (RegQueryValueExW, NtQueryValueKey, etc.) and simply never added this rarer interface to their hook lists." (August 2025)
- Corrupting the Hive Mind: Persistence Through Forgotten Windows Internals. "...stealthy modification of the Windows Registry as a low privilege user. It's been almost a year since we first deployed this technique in the wild, and given enough time has passed, it seems appropriate to share what we've learned... The fundamental issue is that EDR hooks into the standard Registry APIs... This creates an interesting challenge: how do you get registry persistence without actually touching the registry?" (January 2026)
EDR Kill
- RealBlindingEDR Tool That Permanently Turns Off AV/EDR Using Kernel Callbacks (October 2025).
- EDR-Freeze: A Tool That Puts EDRs And Antivirus Into A Coma State (September 2025)
- Ransomware crews don't care about your endpoint security – they've already killed it. RealBlindingEDR is an open-source tool designed to disable endpoint detection and response products, and Crypto24's custom version is programmed to disable kernel-level hooks from a hardcoded list of 28 security vendors. These include Sophos, Trend Micro, Kaspersky, Malwarebytes, Bitdefender, Broadcom/Symantec, SentinelOne, Cisco, Fortinet, and Citrix. (August 2025)
- Using EDR-Redir To Break EDR Via Bind Link and Cloud Filter An attacker can execute various actions on the victim's EDR system to remain undetected: dropping DLL files for hijacking, placing executable files to trigger the EDR on their behalf, or simply blocking and disabling the processes and services of the EDR (October 2025).
- TrueSightKiller: 2,500+ Weaponized Security Tool Variants Bypassing Microsoft's Defenses Threat actors are weaponizing a legitimate Windows security driver to execute a BYOVD (Bring Your Own Vulnerable Driver) attack, terminating EDR and antivirus protections before deploying malware. Over 2,500 validly signed TrueSight driver variants are actively bypassing Microsoft defenses (March 2026).
- 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security (March 2026)
- Qilin EDR killer infection chain In-depth analysis of the malicious “msimg32.dll” used in Qilin ransomware attacks, which is a multi-stage infection chain targeting EDR systems. It can terminate over 300 different EDR drivers from almost every vendor in the market. (I have mapped this report in the spreadsheet that I use for automatic extraction of MITRE ATT&CK techniques).