outflanknl / edr-internals
Tools for analyzing EDR agents
Related projects:
- A PoC of the ContainYourself research presented at DEF CON 31, which abuses the Windows containers framework to bypass EDRs.
- Slides and code snippets for a workshop held at x33fcon 2024.
- Two new offensive techniques using Windows Fibers: PoisonFiber (the first remote enumeration and Fiber injection capability PoC tool) Phan…
- A proof of concept for abusing exception handlers to hook and bypass user-mode EDR hooks.
- Open Source C&C Specification.
- Freeze.rs is a payload toolkit for bypassing EDRs using suspended processes and direct syscalls, written in Rust.
- A comprehensive .NET tool designed to extract and display detailed information about Windows Defender exclusions and Attack Surface Reducti…
- A proof of concept demonstrating DLL-load proxying using undocumented syscalls.
- Hijacking valid driver services to load arbitrary (signed) drivers by abusing native symbolic links and NT paths.
- EDRSandblast-GodFault.
- Local and remote Windows DLL proxying.
- Exploitation of process-killer drivers.
- Blocks EDR telemetry by performing a person-in-the-middle attack in which network filtering is applied using iptables. The blocked destination…
- Various resources to enhance Cobalt Strike's functionality and its ability to evade antivirus/EDR detection.
- Hide shellcode by shuffling its bytes into a random array and reconstructing it at runtime.
- GregsBestFriend process injection code created from the White Knight Labs Offensive Development course.
- CIA UAC bypass implementation that utilizes an elevated COM object to write to System32 and an auto-elevated process to execute as administr…
- Generate an obfuscated DLL that will disable AMSI and ETW.
- Native syscalls shellcode injector.
- An EDR bypass that prevents EDRs from hooking or loading DLLs into our process by hijacking the AppVerifier layer.
- Use a hardware breakpoint to dynamically change the SSN at runtime.
- PoC for using MS Windows printers for persistence / command and control via Internet Printing.
- C2 infrastructure automation.
- Apply a divide-and-conquer approach to bypass EDRs.
- Patch AMSI and ETW.
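The "shuffle bytes into a random array and reconstruct at runtime" entry above describes a mechanism compactly enough to illustrate. The following is an added example written for this page; it is not code from that project or from edr-internals. It assumes a Fisher-Yates permutation driven by a small xorshift32 PRNG and hypothetical function names (`shuffle_bytes`, `reconstruct_bytes`, `perm_is_valid`, `demo_roundtrip`); the 16-byte "payload" is a constructed ASCII string, not real shellcode.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Deterministic xorshift32 PRNG (assumption: any PRNG works; a real
 * loader would more likely derive the seed from something hidden in the
 * binary so the permutation is not recoverable from the array alone). */
static uint32_t xs32(uint32_t *state) {
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *state = x;
}

/* Fisher-Yates shuffle of in[0..n) into out, recording perm so that
 * out[k] == in[perm[k]]. Returns 1 on success, 0 on bad arguments. */
int shuffle_bytes(const uint8_t *in, size_t n, uint32_t seed,
                  uint8_t *out, size_t *perm) {
    if (!in || !out || !perm || n == 0) return 0;
    if (seed == 0) seed = 0x9E3779B9u;  /* xorshift32 must not start at 0 */
    for (size_t k = 0; k < n; k++) perm[k] = k;
    for (size_t i = n - 1; i > 0; i--) {
        size_t j = (size_t)(xs32(&seed) % (uint32_t)(i + 1));
        size_t t = perm[i]; perm[i] = perm[j]; perm[j] = t;
    }
    for (size_t k = 0; k < n; k++) out[k] = in[perm[k]];
    return 1;
}

/* Inverse step done at runtime: put each shuffled byte back at its
 * original index. Returns 1 on success, 0 on bad arguments. */
int reconstruct_bytes(const uint8_t *shuf, const size_t *perm, size_t n,
                      uint8_t *out) {
    if (!shuf || !perm || !out || n == 0) return 0;
    for (size_t k = 0; k < n; k++) out[perm[k]] = shuf[k];
    return 1;
}

/* Sanity check: perm must be a permutation of 0..n-1 (each index once).
 * Capped at 4096 entries for this example. */
int perm_is_valid(const size_t *perm, size_t n) {
    if (!perm || n == 0 || n > 4096) return 0;
    uint8_t seen[4096] = {0};
    for (size_t k = 0; k < n; k++) {
        if (perm[k] >= n || seen[perm[k]]) return 0;
        seen[perm[k]] = 1;
    }
    return 1;
}

/* Round-trip demo on a constructed, inert 16-byte sample (plain ASCII,
 * not shellcode). Returns 1 if the reconstructed buffer matches. */
int demo_roundtrip(void) {
    static const uint8_t sample[16] = "SAMPLE-PAYLOAD!!";
    uint8_t shuf[16], back[16];
    size_t perm[16];
    if (!shuffle_bytes(sample, 16, 0x1234u, shuf, perm)) return 0;
    if (!perm_is_valid(perm, 16)) return 0;
    if (!reconstruct_bytes(shuf, perm, 16, back)) return 0;
    return memcmp(sample, back, 16) == 0;
}

int main(void) {
    printf("round-trip %s\n", demo_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

The point of the layout is that the stored array carries no contiguous run of the original bytes, so a byte-sequence signature over the stored blob does not match; the bytes are only adjacent again in the buffer that `reconstruct_bytes` fills, which is why scanners that inspect memory at execution time (rather than the file on disk) are unaffected by this trick.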