All articles
DEEP DIVE · 10 min read

Modern EDR Evasion: What Defenders Should Know

EDR evasion moved past userland API hooking years ago. If your detection strategy still relies on hooking ntdll, you're behind. Here's the current landscape, from a defender's seat.

The techniques in play

Direct and indirect syscalls, hardware breakpoint hooking, manual mapping, callstack spoofing, module stomping. Tooling like Cobalt Strike, Mythic and Havoc ships these out of the box.

What still catches them

Kernel callbacks, ETW-TI, AMSI for script content, image-load events, and behavior chains — not single API calls.

  • PsSetCreateProcessNotifyRoutineEx callbacks
  • ETW Threat Intelligence provider events
  • AMSI for .NET / PowerShell / VBA
  • Sequence-based detections, not single events

Defender's playbook

Don't chase every IOC. Invest in detections that observe the OS from outside the process: kernel telemetry, network egress, identity behavior.

Tools mentioned

SysmonETWVelociraptorDefender for EndpointElasticCrowdStrike
⟩ takeaway

EDR evasion is a moving target inside the process. Defenders win by detecting outside it — kernel, network, identity.

⟩ keep reading

Related articles