Exploring Antivirus and EDR evasion techniques step-by-step. Part 1
My learnings on how the different steps of EDR and Antivirus evasion techniques are used in the field.
Introduction
In this series, I will explore the techniques used in the field to bypass Antivirus and EDR systems. I am new to this field, and the best way to start is to read, implement, and understand the subject instead of jumping straight to the advanced techniques. I like to start at the beginning and take you with me in exploring the techniques currently used in the field. Therefore we will start with the Windows (native) APIs. Specifically, this blog will go into depth on three items:
- Step 1: Introduction to system calls: what they are used for, and what user mode and kernel mode are.
- Step 2: High-level APIs -> How shellcode can be executed by making use of the Windows APIs.
- Step 3: Medium-level APIs -> How shellcode can be executed by making use of the Windows native APIs.
Note that the techniques covered in these first steps will be detected by almost all EDRs; the goal of this part is to give a better insight into the basics and the foundations of Windows. In the next chapters, we will dig deeper and deeper into the subject. In the end, I see this series as a way to share my experience and “research” with the community, and to create some useful documentation for myself that I can reference in the future.