16 Resources
C/C++ EDR Libraries
A Sysmon event simulation utility that can be used to simulate attacks and generate Sysmon event logs, so that blue teams can test EDR detections and correlation rules.
SysmonSimulator SysmonSimulator is an open-source Windows event simulation utility written in the C language that can be used to simulate most of the att
RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR, etc.
Introduction RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. In order to bypass the user-mode hooks,
EDRSandBlast is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections and LSASS protections.
EDRSandBlast is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections (kernel callbacks and the ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
TiEtwAgent - PoC memory injection detection agent based on ETW, for offensive and defensive research purposes
TiEtwAgent - ETW-based process injection detection This project was created to research, build and test different memory injection detection use cases
Evasive shellcode loader for bypassing event-based injection detection (PoC)
DripLoader (PoC) Evasive shellcode loader for bypassing event-based injection detection, without necessarily suppressing event collection. The project
eBPF-based EDR for Linux
ebpf-edr A proof-of-concept eBPF-based EDR for Linux. Seems to be working fine with the 20 basic rules implemented. Logs the alerts to stdout at the mo
Shellcode loader written in Rust. Strives to evade modern EDR solutions.
Pestilence What is Pestilence? Pestilence is a shellcode loader written in Rust. It strives to evade modern EDR solutions. How does it work? It loads
System monitoring development kit (sysmon, promon, EDR, endpoint security, host security, zero trust, internet behaviour management)
Table of Contents Introduction ✨ Core features 📦 Applicable products 🔨 Quick start License Join us Introduction iMonitorSDK is a development kit that provides system behaviour monitoring for endpoints and the cloud. It helps applications in security, management, auditing and other industries quickly implement the necessary functionality without having to care about the development, maintenance and compatibility of the underlying drivers, allowing them to
Skrull is a malware DRM that prevents automatic sample submission by AV/EDR and signature scanning from the kernel.
Skrull is a malware DRM that prevents automatic sample submission by AV/EDR and signature scanning from the kernel. It generates launchers that can run malware on the victim using the Process Ghosting technique. The launchers are also fully anti-copy and naturally break when they get submitted.
Evasive shellcode loader for bypassing event-based injection detection (PoC)
(cleaned up version here: https://github.com/xinbailu/DripLoader-Ops) DripLoader (PoC) Evasive shellcode loader for bypassing event-based injection de
x64 Assembly HalosGate direct System Caller to evade EDR UserLand hooks
ASM HalosGate Direct System Caller Assembly HalosGate implementation that directly calls Windows System Calls, evades EDR User Land hooks, and display
Proof of concept Beacon Object File (BOF) that attempts to detect userland hooks in place by AV/EDR
Detect-Hooks Detect-Hooks is a proof of concept Beacon Object File (BOF) that attempts to detect userland API hooks in place by AV/EDR. The BOF will r
PoC memory injection detection agent based on ETW, for offensive and defensive research purposes
TiEtwAgent - ETW-based process injection detection This project was created to research, build and test different memory injection detection use cases
Windows user-land hooks manipulation tool.
MineSweeper Windows user-land hooks manipulation tool. Highlights Supports any x64/x86 Windows DLL (actually, any x64/x86 Windows PE for that matter)
Security product hook detection
HookDump EDR function hook dumping. Please refer to the Zeroperil blog post for more information: https://zeroperil.co.uk/hookdump/ Building source In o
Project to check which Nt/Zw functions your local EDR is hooking
Probatorum EDR Userland Hook Checker Probatorum will check which Nt/Zw functions your local EDR is hooking. Most credit for this code goes to SolomonS