Tips and Tricks

  • EDRs love scanning RWX memory, so use: RW -> RX
  • Try to use APIs closer to the kernel so that products have less telemetry over your APIs and you have more API mixups to use. Examples are:
    • CreateRemoteThread
    • RtlCreateUserThread
    • QueueUserAPC: ResumeThread or NtResumeThread or NtAlertResumeThread
    • NtQueueApcThread: ResumeThread or NtResumeThread or NtAlertResumeThread
  • Avoid calling successive functions with the same parameter values (e.g. the exact same address). For example, you can do something like this:
    • address = VirtualAlloc(1000)
    • VirtualProtect(address + 50)
    • memcpy(address + 100)
    • CreateThread(address + 200)
  • Try to include obscure flags in OpenProcess calls
  • Try to duplicate existing handles on the machine (enumerated with NtQuerySystemInformation) instead of creating new ones
  • Inject from noisy contexts, such as SYSTEM or csrss.exe
  • Encrypt your payload and modules, or change their memory permissions, while they are not in use
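A defender-side check for two of the patterns above (the RW -> RX flip and the per-call address offsets), added here as an example that is not part of the original page: it correlates a constructed API trace per allocation rather than per exact address, so using a different offset for each call does not by itself break the match. The trace format, field names and PIDs are made up for the demo; the page-protection constants are the real Win32 values.

```python
from dataclasses import dataclass
# Win32 page-protection bits (real constants): writable and executable masks.
WRITABLE_MASK = 0x04 | 0x08 | 0x40 | 0x80   # READWRITE, WRITECOPY, EXEC_READWRITE, EXEC_WRITECOPY
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80       # EXECUTE, EXEC_READ, EXEC_READWRITE, EXEC_WRITECOPY
THREAD_START_APIS = {"CreateThread", "CreateRemoteThread", "RtlCreateUserThread", "NtQueueApcThread"}
# Constructed trace lines in a made-up key=value format (not any vendor's telemetry).
# pid 4242 uses a different offset into one allocation per call; pid 100 is a benign RW -> R flip.
SAMPLE_TRACE = [
    "pid=4242 api=VirtualAlloc addr=0x20000 size=0x1000 prot=0x04",
    "pid=4242 api=VirtualProtect addr=0x20050 size=0x200 prot=0x20",
    "pid=4242 api=CreateThread addr=0x200c8",
    "pid=100 api=VirtualAlloc addr=0x30000 size=0x1000 prot=0x04",
    "pid=100 api=VirtualProtect addr=0x30000 size=0x1000 prot=0x02",
    "pid=100 api=CreateThread addr=0x30000",
]

@dataclass
class Region:
    base: int
    size: int
    protect: int
    flipped_rw_to_rx: bool = False

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

def parse(line: str) -> dict:
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {k: (v if k == "api" else int(v, 0)) for k, v in fields.items()}

def correlate(lines, region_aware: bool = True) -> list:
    """Threads started in a region that went writable -> executable; region_aware=False requires addr == base."""
    regions, alerts = {}, []
    for line in lines:
        ev = parse(line)
        pid, api, addr = ev["pid"], ev["api"], ev["addr"]
        regs = regions.setdefault(pid, [])
        if api == "VirtualAlloc":
            regs.append(Region(addr, ev["size"], ev["prot"]))
            continue
        hit = next((r for r in regs if (r.contains(addr) if region_aware else r.base == addr)), None)
        if hit is None:
            continue
        if api == "VirtualProtect":
            if hit.protect & WRITABLE_MASK and ev["prot"] & EXEC_MASK:
                hit.flipped_rw_to_rx = True   # RW -> RX transition inside this allocation
            hit.protect = ev["prot"]
        elif api in THREAD_START_APIS and hit.flipped_rw_to_rx:
            alerts.append((pid, api, hex(addr), hex(hit.base)))
    return alerts
```

Running it with `region_aware=False` returns no alert for pid 4242, which is exactly the gap an exact-address rule leaves; the containment check closes it.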