DEEP DIVE · 10 min read
Modern EDR Evasion: What Defenders Should Know
EDR evasion moved past userland API hooking years ago. If your detection strategy still relies on hooking ntdll, you're behind. Here's the current landscape, from a defender's seat.
The techniques in play
Direct and indirect syscalls, hardware breakpoint hooking, manual mapping, callstack spoofing, module stomping. Tooling like Cobalt Strike, Mythic and Havoc ships these out of the box.
What still catches them
Kernel callbacks, ETW-TI, AMSI for script content, image-load events, and behavior chains — not single API calls.
- PsSetCreateProcessNotifyRoutineEx callbacks
- ETW Threat Intelligence provider events
- AMSI for .NET / PowerShell / VBA
- Sequence-based detections, not single events
Defender's playbook
Don't chase every IOC. Invest in detections that observe the OS from outside the process: kernel telemetry, network egress, identity behavior.
Tools mentioned
SysmonETWVelociraptorDefender for EndpointElasticCrowdStrike
⟩ takeaway
EDR evasion is a moving target inside the process. Defenders win by detecting outside it — kernel, network, identity.
⟩ keep reading
Related articles
Hardening Your Cloud in 5 Steps
A practical checklist to lock down AWS, Azure and GCP workloads before attackers find the gaps.
Prompt Injection: The OWASP LLM #1 Risk
How indirect prompt injection turns helpful AI into an attacker tool — and how to defend against it.
Inside a Real SOC: A Day in the Life
From the first SIEM alert to incident closure — what L1/L2/L3 actually looks like in practice.