Open Source Security Research

Defense Evasion Techniques

Advanced methods to bypass EDR and XDR systems. Syscall manipulation, code obfuscation, memory evasion — a comprehensive reference for red teamers, malware researchers, and security engineers.

19+ evasion techniques · 9 research articles · 13+ code repos · 5 PDF writeups
bash — usman@offensive-panda:~
$ whoami
Usman Sikander // a.k.a Offensive-Panda · Red Team Engineer · Malware Researcher
$ cat mission.txt
Identify weaknesses · Bypass EDR/XDR · Validate security postures · MITRE ATT&CK aligned
$ ls ./techniques | wc -l
19 techniques indexed
Coverage Map: Evasion Techniques Heatmap (19 techniques)
01. Direct & Indirect Syscalls
02. API Hashing
03. API Imports Obfuscation
04. Payload Encryption
05. Egg Hunting
06. Privilege Escalation BYOVD
07. COR_PROFILER UAC Bypass
08. Random Instructions & Prototypes
09. Mockingjay
10. Forking Technique Memory Dumps
11. API Unhooking
12. ETW Patching
13. PEB Lookup
14. Disable and Modify Tools
15. Lagos Island (Reflective Loading)
16. RWX Memory Block Hunt
17. BYOVD Techniques
18. Native Dump with Direct Syscalls
19. LSASS Dumping Tactics
Research: Articles (9 articles)

Shadows of LSASS Dumping: Evasion Techniques and the Ongoing Struggle of EDR Solutions [LSASS, EDR]
Explores why LSASS is a critical target in Windows security, categorizing tools and techniques used to dump LSASS memory while evading detection. (Read on Medium)

BYOVD A Kernel Attack: Stealthy Threat to Endpoint Security [BYOVD, Kernel]
Dissects how BYOVD attacks blind, terminate, and manipulate EDR solutions — obtaining NT Authority context and removing EDR callbacks. (Read on Medium)

Arsenal 2.0: Elevating Malware Stealth Tactics to Bypass Static Detection [Static Bypass]
Advanced techniques for malware to evade static detection by EDR/XDR — an extension of the original Arsenal post diving deeper into new stealth approaches. (Read on Medium)

PEB Walk: Avoid API Inspection in IAT and Bypass Static AV/EDR Detection [PEB Walk, IAT]
4-stage arsenal: hiding strings, obfuscating API imports, and resolving APIs dynamically via PEB walk to evade static analysis. (Read on Medium)

Arsenal: Bypass EDR's/XDR's and Make Malware Analysis Harder [AV/EDR/XDR]
Multiple techniques to bypass modern AV/EDR/XDR solutions, from a red team practitioner's perspective exploring new bypass methods. (Read on Medium)

On-Disk Detection: Bypass AV's/EDR's Using Syscalls with Legacy & NOP Instructions [On-Disk, Syscalls]
Bypasses both static and dynamic AV/EDR detection, focusing on on-disk binary detection when using direct syscalls. (Read on Medium)

EASE POST-EXPLOITATION: Elevated Shell via DLL Hijacking and Mock Directories [UAC Bypass, DLL Hijack]
DLL Hijacking and Mock directories technique to bypass Windows UAC and obtain a high-privilege reverse shell. (Read on Medium)

AV/EDR Evasion Using Direct System Calls (User-Mode vs Kernel-Mode) [Syscalls, Kernel Mode]
How hooking is used by AV/EDRs to intercept function calls — and how direct syscalls bypass this interception at the kernel boundary. (Read on Medium)

Bypass "Mimikatz" Using the Process Injection Technique [Injection, Mimikatz]
EDR and AV solutions commonly flag Mimikatz signatures. Covers process injection as a bypass — hiding execution inside a legitimate process. (Read on Medium)
Tooling: Code Implementations (13 repos)

D3MPSEC [LSASS, Memory Dump]
Memory dumping tool extracting Lsass process dumps via direct syscalls, randomized procedures, and prototype name obfuscation. (View on GitHub)

Dirty Vanity (DV_NEW) [Syscalls, Egg Hunt]
Multi-technique: direct syscalls bypass user-mode EDR hooking; egg hunt avoids static detection of syscall stubs via random DB bytes. (View on GitHub)

Honeypots for Threat Intelligence [Threat Intel, Defense]
Runs as a service monitoring Sysmon event logs, acting on attacker activity and uploading dropped malware for analysis. (View on GitHub)

Persistence and Anti-Sandbox [C#, Anti-Sandbox]
C# code with latest persistence techniques and 4 anti-VM/anti-sandbox methods, plus PowerShell and Task Scheduler persistence. (View on GitHub)

Bypass Malware Static Analysis [On-Disk, Syscalls]
Direct syscall injection to bypass AV/EDR on-disk binary detection — addresses MDE detection during the static analysis phase. (View on GitHub)

C2 Elevated Shell via DLL Hijacking [UAC Bypass, DLL Hijack]
DLL Hijacking combined with Mock directories to bypass UAC and obtain a high-privilege reverse shell. (View on GitHub)

RWX Memory Hunt and Injection [Injection, RWX Hunt]
Abuses Windows fork API with OneDrive.exe to inject shellcode without allocating new RWX regions — no VirtualProtect or VirtualAllocEx. (View on GitHub)

WPM Magic and Injection [Shellcode, Entry Point]
Uses AddressOfEntryPoint (RX region) with WriteProcessMemory to write shellcode — avoids VirtualAlloc and VirtualProtect entirely. (View on GitHub)

PEB Walk and API Obfuscation [API Obfuscation, PEB]
Resolves API calls dynamically via PEB walk and obfuscates all injection calls — bypasses AV/EDR static analysis. (View on GitHub)

.NET Profiler DLL Loading UAC Bypass [UAC, .NET Profiler]
Abuses .NET profiler DLL loading to make a legitimate app load a malicious DLL via environment variables and Task Scheduler (MMC). (View on GitHub)

BYOVD for Privilege Escalation [Kernel, CVE-2019-16098]
Exploits MSI Afterburner driver (RTCore64.sys) for arbitrary memory read/write — no hardcoded Ntoskrnl.exe base addresses required. (View on GitHub)

LsassReflectDumping [Forking, LSASS]
Leverages RtlCreateProcessReflection to clone lsass.exe, then uses MINIDUMP_CALLBACK_INFORMATION to dump the cloned process. (View on GitHub)

ShadowDumper [LSASS, Red Team]
Powerful flexible LSASS memory dumping tool using multiple advanced techniques for penetration testing and red team engagements. (View on GitHub)
In Action: Demonstrations (13 demos)

Falcon Doesn't Watch Cloned/Forked LSASS Versions [CrowdStrike, LSASS Fork]
A forked LSASS clone with inherited memory access dumps the process without triggering CrowdStrike Falcon. (View Demo)

Bypass CrowdStrike Falcon via System Informer (LSASS Dumping) [Falcon, System Informer]
Open-source System Informer utility dumps LSASS memory without triggering CrowdStrike Falcon alerts. (View Demo)

Bypassing Defender's LSASS Dump Detection Using Its Own Directory [Defender, Windows 11]
Writing the dump file inside Defender's own directory causes it to skip scanning the file on Windows 11. (View Demo)

Dirty Vanity Implementation Using Direct Syscalls [Dirty Vanity, Syscalls]
Direct syscalls bypass user-mode EDR hooking; egg hunt places random DB bytes in stubs to avoid static detection. (View Demo)

Mockingjay Technique to Avoid RWX Region Detection [Mockingjay, RWX]
Uses vulnerable DLLs to bypass security mechanisms that monitor RWX memory allocations, without making new allocations. (View Demo)

Combining Unhooking and ETW Patching to Dump LSASS [ETW Patching, Unhooking]
Integrates API unhooking with ETW patching to effectively dump LSASS process memory while evading detection. (View Demo)

Direct Syscalls to Dump LSASS.exe and Offline Dumping [Syscalls, Offline Dump]
Dumps LSASS via direct syscalls to bypass EDR API hooking and traditional security mechanisms, with offline analysis. (View Demo)

Remote Template Injection [Initial Access, APT]
Full attack cycle via remote template injection for initial access — functional on modern Windows, used in real APT campaigns. (View Demo)

Mark-of-the-Web Bypass for Red Teams [MOTW Bypass, Macro]
Bypasses MOTW security restrictions including macro-blocking introduced in recent Windows builds. (View Demo)

Memory Dump via Outflank Dumpert and Process Injection [Dumpert, Injection]
Combines Outflank Dumpert for lsass.exe memory dumping with process injection techniques for maximum stealth. (View Demo)

EDR Terminator: Disable Windows Defender via BYOVD [BYOVD, Defender Kill]
Terminates Windows Defender using BYOVD — targeting and manipulating EDR processes and services. (View Demo)

Remove EDR Callbacks Using Vulnerable Driver [Callbacks, BYOVD]
BYOVD removes Microsoft Defender PsSetCreateProcessNotifyRoutine callbacks — disabling process monitoring and telemetry. (View Demo)

Shadow Dumper: Advanced LSASS Memory Dump Tool Demo [ShadowDumper, LSASS]
Flexible multi-technique LSASS dumping for red teams where standard tools are blocked by endpoint security. (View Demo)
Community Resources: PDF Writeups (5 PDFs)

BYOVD: Kernel Attack Research (PDF)
PEB Walk: API Obfuscation Technique (PDF)
EDR Bypass: Detection Evasion Guide (PDF)
Defense Evasion: MITRE ATT&CK T1562 (PDF)
Shadows of LSASS Dumping & EDR Struggle: Credential Access Research (PDF)
Sources: References

01. attack.mitre.org — MITRE ATT&CK Enterprise Matrix
02. linkedin.com/in/usman-sikander13
03. github.com/deepinstinct/Dirty-Vanity
04. securityjoes.com — Process Mockingjay: Echoing RWX in Userland to Achieve Code Execution
05. github.com/outflanknl/Dumpert
06. cytomate.net
Disclaimer
The content, techniques, and tools in this repository are intended solely for educational and research purposes within the cybersecurity community. The author explicitly disclaims any responsibility for misuse or unlawful use. Any actions taken based on this information are done so entirely at the user's own risk.