EDR Bypass Techniques 2026 — What Microsoft Actually Killed and What Still Works

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
May 8, 2026
6 min read
Read as
EDR-bypass techniques in 2026 cluster around four families: BYOVD (bring-your-own-vulnerable-driver) for kernel-mode code execution, syscall hooking unhook + direct syscalls for userland evasion, DLL sideloading for trusted-process injection, and indirect persistence via legitimate cloud services (GitHub, Cloudflare Workers, Discord) for C2. Microsoft’s 2024-2025 driver-blocklist update killed several BYOVD families; major EDRs added kernel callbacks that detect direct syscalls; sideloading remains effective. This post is the realistic state of EDR-bypass for red teams and the corresponding 2026 detection-engineering priorities for blue teams.

“EDR bypass is dead” gets repeated every year and is wrong every year. The techniques shift; the cat-and-mouse continues. The 2026 landscape is genuinely different from 2023’s because Microsoft and the major EDR vendors made real architectural changes. Tracking what changed matters — both for red teams designing engagements and blue teams sizing their detection coverage.

Family 1 — BYOVD (bring your own vulnerable driver)

Status: degraded but not dead. Microsoft’s vulnerable driver blocklist (delivered via Windows Defender Application Control, WDAC, and HVCI) shipped a major update in 2023-2024 that added 100+ commonly-abused drivers (RTCore64.sys, Mhyprot2.sys, dbutil_2_3.sys, etc). For up-to-date Windows 11 22H2+ with HVCI on, those specific drivers no longer load.

What still works: drivers not yet on the blocklist. New vulnerable drivers ship monthly; updates to the blocklist lag by quarters. Living-Off-The-Land Drivers (LOLDrivers) project tracks these continuously.

Red-team posture: BYOVD is now a “stage 2” technique — you need EDR-bypass at userland first, then kernel-mode for tougher hosts. The bypass-from-zero workflow is harder.

Blue-team posture: ensure HVCI is on for all Windows 11 endpoints. Block driver-load events in Sentinel for any driver not in your golden image. Sigma rule for “driver loaded from %TEMP%” is high-fidelity.

Family 2 — Syscall unhooking + direct syscalls

Status: harder than 2023. The technique: EDRs hook userland NTDLL functions to inspect syscalls; unhooking removes those hooks (by remapping a fresh ntdll.dll from disk). Direct syscalls bypass userland entirely by issuing the SYSCALL instruction with the right syscall number directly.

2023-2024 EDR response: hook in the kernel via PsSetCreateProcessNotifyRoutine, ObRegisterCallbacks, kernel-mode AMSI. Userland unhook doesn’t help against kernel hooks; direct syscalls still trigger the kernel callbacks.

What still works: indirect syscalls (jumping into a legitimate ntdll trampoline), syscall instruction proxying via tools like SysWhispers3, and exception-based unhooking. Custom syscall stubs via SysWhispers2/3 still bypass EDRs that only hook userland (notably Sophos and some Trend Micro versions).

Red-team posture: indirect syscalls + custom unhook + spawn-then-inject pattern. The pattern: spawn a benign process (notepad), unhook its NTDLL, inject your shellcode, execute. Reduces the EDR’s userland visibility.

Blue-team posture: ETW-based hunt for “process spawned with ntdll.dll mapped from non-standard path.” Cobalt Strike’s Beacon Process Hollowing pattern in particular has consistent ETW signatures.

Family 3 — DLL sideloading via signed binaries

Status: still highly effective. The technique: identify a Microsoft-signed binary that loads a DLL with a permissive search order. Drop your malicious DLL with that name in a writable directory; place the signed binary alongside; launch. The signed binary loads your DLL.

Why it works: most EDRs trust Microsoft-signed processes implicitly for in-memory write/read events. The sideloaded DLL inherits that trust.

2024-2025 progress: Microsoft introduced “Smart App Control” (Windows 11 22H2+, Defender) which blocks unsigned DLLs from loading into signed processes. Effective when enabled, but rarely enabled in enterprise.

Active families using this in 2025: APT41 (DLL sideload via Trend Micro signed binary), Lazarus (sideload via Sangfor, signed by genuine cert), Sandworm (sideload via legitimate VPN clients).

Red-team posture: maintain a curated list of vulnerable signed binaries. Hijacklibs.net is the public reference. Test in your customer’s specific EDR + AV environment; outcomes vary.

Blue-team posture: hunt for “Microsoft-signed binary loading DLL from %APPDATA%” or “%TEMP%”. Sysmon EventCode 7 (image loaded) with parent-image filtering. Caveat: high false-positive rate without environmental tuning.

Family 4 — Living-off-trusted-services for C2

Status: most effective, hardest to detect. The technique: instead of beaconing to attacker-controlled C2, use a legitimate cloud service as a relay. Examples:

  • GitHub raw.githubusercontent.com — implant pulls payload from a private gist or raw file. SOC sees traffic to GitHub, not malicious destination.
  • Cloudflare Workers / Pages — workers.dev and pages.dev are routinely allow-listed. Malicious worker code intermediates between implant and operator.
  • Discord webhooks — implant POSTs results to a Discord channel; operator reads channel.
  • Google Sheets / Drive API — implant reads commands from a sheet, writes results back.
  • Slack webhooks — same pattern.

The defensive challenge: you cannot block GitHub, Cloudflare, Discord without breaking legitimate workflows. The detection has to be behavioural — process X never historically talked to GitHub, suddenly is. Plus content inspection on TLS-decrypted traffic, which most enterprises don’t do at scale.

Red-team posture: rotate channels per engagement. Use Cloudflare Workers as the front; back-end traffic from worker to your C2 is invisible to client. Discord webhook for low-throughput beaconing.

Blue-team posture: behaviour-based. Build per-process “normal egress destinations” baselines via your EDR’s network-events feed. Any process suddenly contacting cloud-storage / chat services it has never reached before is investigation-worthy.

What 2024-2025 actually killed

  • RTCore64-based BYOVD — blocklisted, doesn’t load on HVCI-on hosts.
  • Process Hollowing via ZwUnmapViewOfSection on patched Windows 11 builds — kernel-callback detection added.
  • AMSI bypass via patching amsi.dll!AmsiScanBuffer — Defender now detects the patched-bytes pattern reliably.
  • SQL Server xp_cmdshell as C2 — most modern SOCs alert on this; obscurity gone.

What still works in 2026

  • DLL sideloading via under-blocklisted signed binaries.
  • Newly-published vulnerable drivers (LOLDrivers fresh additions).
  • Indirect syscalls via SysWhispers3 against EDRs that don’t have kernel callbacks for the specific syscall.
  • Cloud-service-fronted C2.
  • Browser extension persistence on managed-Chrome environments where extension policy isn’t locked down.

Detection engineering priorities for 2026

  1. Behavioural baselining for outbound destinations per process. The cloud-service-fronted C2 family is the highest-impact threat and the hardest to signature; behaviour beats signature.
  2. Kernel callback coverage audit on your EDR. Ask the vendor: which kernel callbacks do you hook? Compare to the syscall table; document gaps.
  3. HVCI + Smart App Control enablement on every Windows 11 endpoint. Yes, breaks some legacy software. Phase in over a quarter; the security gain is large.
  4. Sysmon configuration depth — most enterprises run Microsoft default Sysmon; SwiftOnSecurity / Olaf-Hartong configs are 10x more useful for detection.
  5. Threat hunting against Living-off-the-Land Binaries (LOLBAS) — track new entries; tune detection.

FAQ

Is the era of “easy EDR bypass” over?

For commodity malware, yes. For motivated red teams and APTs, no. The cost has gone up — what was a 2-hour engineering task is now 2 weeks. Sustained advantage moved to defenders, but the gap is still defeatable.

Should we trust EDR vendor “we caught X% of attacks” claims?

Independent benchmarks (MITRE Engenuity ATT&CK Evaluations) are useful but limited — the test scenarios are public and EDR vendors specifically tune for them. Pair MITRE evals with your own red team or purple team exercises against your specific configuration.

What about EDR-killer tools — RealBlindingEDR, EDRSilencer?

Both are kernel-callback removers. Once running with kernel privileges, they unhook EDR. They only work on EDRs that don’t validate their own kernel-callback presence. Modern Defender for Endpoint, CrowdStrike Falcon, SentinelOne detect tampering attempts and self-restart. Effectiveness against current versions: low and decreasing.

Is Linux EDR bypass easier?

Different. Linux EDR (CrowdStrike Falcon for Linux, Defender for Linux, eBPF-based) is younger and less mature than Windows. Bypassing it requires kernel-mode privileges; once you have them, eBPF-based detection is removable. The threshold to gain root on a hardened modern Linux host is high — but once over, the EDR layer falls quickly.

Should I deploy EDR + EDR (two products)?

Generally no — they conflict, cancel each other’s hooks, and leave gaps. Better: one well-configured EDR + thorough log shipping to SIEM + continuous threat hunting. Defence-in-depth at the data layer, not the agent layer.


⚖️ Legal: EDR-bypass research on systems you do not own / have not been authorised to test is unauthorised access (IT Act §66). Engagements via signed ROE/SOW only. For commercial red team work, RingSafe runs scoped EDR-evasion exercises under formal authorisation — see /services/.

Worried about your exposure?

Get a free attack-surface review

We check what an attacker would see about your business — leaked credentials, exposed services, dark-web mentions. 30 minutes, no obligation.

Book exposure review Replies in 4 working hrs · India-only · Senior consultants