AppLocker-Based EDR Neutralization
Updated Dec 19, 2025 - C
PoC memory injection detection agent based on ETW, for offensive and defensive research purposes
A Dropper POC with a focus on aiding in EDR evasion: NTDLL unhooking followed by loading ntdll in-memory, which is present as shellcode (using pe2shc by @hasherezade). Payload encryption via the SystemFunction033 NtApi and no new thread via Fiber.
Kernel-based Process Monitoring on Linux Endpoints for File System, TCP and UDP Networking Events and optionally DNS, HTTP and SYSLOG Application Messages via eBPF Subsystem
Transparently call NTAPI via Halo's Gate with indirect syscalls.
PoC LKM to force run cleanup_module() on other LKMs
EDR-mergency is a proof-of-concept Endpoint Detection and Response (EDR) agent for Windows, designed to demonstrate real-time user-mode hooking, monitoring, blocking and alert logging.
eBPF-based runtime agent for Endpoint Detection and Response for Linux based operating systems.
EDR/AV killer — disables security services and terminates protected processes via kernel driver
WFP Endpoint Protection Traffic Blocker
Extracting clean syscall numbers from a suspended process before injecting shellcode into it using indirect syscalls.
EDRSandBlast is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections (Notify Routine callbacks, Object Callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
Lightweight Linux EDR prototype using eBPF and SQLite to detect suspicious system behaviors through kernel event correlation.
Lightweight native Windows memory scanner for AV/EDR platforms, detecting suspicious mapped images and manual DLL injection techniques by IAT thunk