
Exploring Antivirus and EDR evasion techniques step-by-step. Part 1

bob van der staak
Published in InfoSec Write-ups
22 min read · Oct 29, 2023

My learnings on how the different Antivirus and EDR evasion techniques are used in the field, step by step.

Introduction

In this series, I will explore the techniques used in the field to bypass Antivirus and EDR systems. I am new to this field, and the best way to start is to read, implement, and understand the subject instead of jumping straight to the advanced techniques. I like to start at the beginning and take you with me in exploring the techniques currently used in the field. Therefore we will start with the Windows (native) APIs. Specifically, this blog will go into depth on three items:

  • Step 1: Introduction to system calls: what they are used for, and what user mode and kernel mode are.
  • Step 2: High-level APIs: how shellcode can be executed by making use of the documented Windows APIs (the Win32 functions exported by kernel32.dll).
  • Step 3: Medium-level APIs: how shellcode can be executed by making use of the Windows native APIs (the Nt*/Zw* functions exported by ntdll.dll).

Note that the techniques covered here will be detected by almost all EDRs; they are the foundation, not the bypass. I hope this series gives a better insight into the basics and the foundation of Windows. In the next chapters, we will dig deeper and deeper into the subject. In the end, I see it as a possibility to share my experience and “research” with the community and create some useful documentation for myself that I can reference in the future.

What is a System call?
