Tips and Tricks

EDRs love scanning RWX memory, so use: RW -> RX
Try to use apis closer to the kernel so that products have less telemetry over your apis and you have more api mixups to use. Examples are:

CreateRemoteThread
RtlCreateUserThread
QueueUserAPC: ResumeThread or NtResumeThread or NtAlertResumeThread
NtQueueApcThread: ResumeThread or NtResumeThread or NtAlertResumeThread

Avoid calling functions against common parameters. For example, you can do something like this:
- address = VirtualAlloc(1000)
- virtualprotect(addr+50)
- memcpy(address+100)
- createthread(address + 200)
Try include obscure flags in OpenProcess calls
Try to duplicate existing handles on the machine instead of creating new ones with NtQuerySystemInformation
Inject from noisy contexts like from SYSTEM or csrss.exe
Encrypt/change your permissions of your payload and modules if not in use

PreviousTrusted Installer NextBasics

Last updated 4 years ago