Antivirus EDR evasion bypass for pentesters red teamers

Greathelm is a modular Windows security service focused on process inspection, PowerShell telemetry, and automated response enforcement. It’s built entirely in C++ and designed for minimal dependencies, direct API usage.

iMonitor Ice Mirror Endpoint Behavior Analysis System he world most powerful System Activity Monitor Engine

Repository to publish your evasion techniques and contribute to the project

🚀 Suspend EDR and antivirus processes easily with EDR-Freeze, a user-mode tool that bypasses complex driver vulnerabilities on Windows.

Collect Windows telemetry for Maldev

🔄 Redirect EDR's working folder using a mini filter to enhance your control and undermine detection capabilities effectively.

A tool for monitoring system events and sending relevant information to the EDR server for further analysis and response (POC).

Windows Kernel Based EDR Agent in VateX Evidentia EDR

A generic detection engine (.lib) for Windows which uses downloadable custom rulesets to detect & block processes. Can be used in anti-virus, anti-cheat, anti-crypto mining, etc.

Misery Loader to bypass modern EDR solutions

This script is used to bypass DLL Hooking using a fresh mapped copy of ntdll file, patch the ETW and trigger a shellcode with process hollowing

PoC exploit for the vulnerable WatchDog Anti-Malware driver (amsdk.sys) – weaponized to kill protected EDR/AV processes via BYOVD.

Yet another C++ Cobalt Strike beacon dropper with Compile-Time API hashing and custom indirect syscalls execution

kernel callback removal (Bypassing EDR Detections)

Security product hook detection

The world's most powerful System Activity Monitor Engine · 一款功能强大的终端行为采集防御开发套件 ~ 旨在帮助EDR、零信任、数据安全、审计管控等终端安全软件可以快速实现产品功能， 而不用关心底层驱动的开发、维护和兼容性问题，让其可以专注于业务开发

Hades HIDS/HIPS for Windows

Evasive shellcode loader for bypassing event-based injection detection (PoC)

Enumerate and disable common sources of telemetry used by AV/EDR.