# Tips and Tricks

* EDRs love scanning RWX memory, so use RW -> RX instead.
* Try to use APIs closer to the kernel, so that products have less telemetry over your API calls and you have more API combinations to mix. Examples are:

```
CreateRemoteThread
RtlCreateUserThread
QueueUserAPC: ResumeThread or NtResumeThread or NtAlertResumeThread
NtQueueApcThread: ResumeThread or NtResumeThread or NtAlertResumeThread
```

* Avoid calling functions with the same parameter values across calls. For example, you can do something like this:
  * **address = VirtualAlloc(1000)**
  * **virtualprotect(address+50)**
  * **memcpy(address+100)**
  * **createthread(address + 200)**
* Try to include obscure flags in OpenProcess calls.
* Try to duplicate existing handles on the machine, enumerated with NtQuerySystemInformation, instead of creating new ones.
* Inject from noisy contexts, such as SYSTEM or csrss.exe.
* Encrypt your payload and modules, or change their memory permissions, when they are not in use.
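
Seen from the detection side, the offset trick in the list above only breaks correlation that keys on exact address equality. The following is an added example, not code from the original page: it links each call to the allocation that contains its address. The event schema, field names and sample events are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed telemetry, hypothetical schema: (pid, api, address, size, protection)
EVENTS = [
    (4242, "alloc",   0x10000, 0x1000, "RW"),
    (4242, "write",   0x10064, 0x200,  None),  # base + 100
    (4242, "protect", 0x10032, 0x100,  "RX"),  # base + 50
    (4242, "thread",  0x100C8, 0,      None),  # base + 200
    (5150, "alloc",   0x20000, 0x1000, "RW"),  # benign: plain data buffer
    (5150, "write",   0x20000, 0x80,   None),
]

@dataclass
class Region:
    pid: int
    base: int
    size: int
    seen: set = field(default_factory=set)

    def contains(self, addr):
        return self.base <= addr < self.base + self.size

def correlate(events, by_region=True):
    """Return (pid, base) for allocations that were written, made executable and run."""
    regions, hits = [], []
    for pid, api, addr, size, prot in events:
        if api == "alloc":
            regions.append(Region(pid, addr, size))
            continue
        for r in regions:
            if r.pid != pid:
                continue
            # by_region=False models a naive rule that compares addresses for equality.
            # Protection changes apply to whole pages, so containment is the right key.
            match = r.contains(addr) if by_region else addr == r.base
            if not match:
                continue
            if api == "protect" and "X" not in (prot or ""):
                continue  # only transitions to an executable protection count
            r.seen.add(api)
            if {"write", "protect", "thread"} <= r.seen and (pid, r.base) not in hits:
                hits.append((pid, r.base))
    return hits

if __name__ == "__main__":
    print("region-based:", [(p, hex(b)) for p, b in correlate(EVENTS)])
    print("exact-match: ", correlate(EVENTS, by_region=False))
```
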
