Last updated: April 29, 2026
Modern EDR in 2026 is dramatically better than it was five years ago. Mimikatz.exe dropped to disk is dead on arrival. AMSI hands PowerShell script content to the AV engine at execution time, after the obfuscation layers have already been unwound, so obfuscation on its own buys very little. Kernel callbacks and ETW give the EDR a record of every process creation, image load and remote thread, and the Microsoft-Windows-Threat-Intelligence ETW provider reports a large class of sensitive cross-process memory operations. Memory scans find classic C2 beacon signatures in seconds. This module covers the current evasion techniques, what still works, and what has been effectively closed off. Expert-tier content; it assumes you completed Modules 1-4.
The three layers of modern endpoint defence
- Kernel-level telemetry: kernel callbacks (process and thread creation notify routines, image-load notifications, object and registry callbacks) plus ETW, in particular the Microsoft-Windows-Threat-Intelligence provider that reports cross-process memory operations. This feeds the EDR sensor. Very hard to blind from user mode; doing it properly needs a kernel driver, which must be signed and is itself subject to HVCI and Microsoft's vulnerable-driver blocklist
- User-mode hooking: the EDR loads its DLL into every process and patches the prologues of sensitive ntdll/Win32 functions (NtAllocateVirtualMemory, NtProtectVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx and similar) with a jump into its own code. This gives it argument-level visibility into calls before they reach the kernel, and the option to block them, which kernel telemetry alone does not provide cheaply
- Behavioural analytics in the cloud: the EDR correlates telemetry across endpoints and over time. A single anomaly might be ignored; a pattern fires
Evasion works at each layer differently.