EDR Evasion Engine
Windows EDR and antivirus evasion through payload manipulation and runtime unhooking.
What It Does
Generates AMSI bypass scripts, ETW patching payloads, process injection templates, NTDLL unhooking routines, and API hashing implementations. All output is delivered as text scripts (PowerShell, Batch, VBScript) for use via LOLBAS execution on target Windows hosts. Designed to evade runtime detection during post-exploitation operations.
Scripts
| Script | Description |
|---|---|
| amsi_bypass | AMSI bypass generation — memory patching, COM hijacking, registry manipulation |
| etw_patch | ETW (Event Tracing for Windows) patching — EtwEventWrite suppression |
| process_injection | Process injection templates — CreateRemoteThread, process hollowing, APC injection |
| ntdll_unhook | NTDLL unhooking — fresh copy reload from known-good DLL on disk |
| api_hashing | API hashing — resolve Windows API calls by hash to avoid static import table detection |
When to Use
Use on Windows targets before running in-memory payloads, credential harvesting, or persistence operations. Run amsi_bypass and etw_patch first to suppress detection, then use ntdll_unhook and api_hashing for payload delivery.
Usage
RedTeamScript(skill="edr-evasion-engine", script="amsi_bypass", args="--technique memory-patch --output amsi.ps1")