Modern Malware Evasion Tactics
As Endpoint Detection and Response (EDR) systems become increasingly sophisticated, malware developers continuously evolve their strategies to evade detection. This talk explores modern malware evasion techniques aimed at circumventing EDR. It focuses on methods such as direct syscall invocation, avoiding EDR-preloaded modules, dynamic resolution of NT APIs, in-memory mapping of DLLs, and stealthy process injection; attendees will gain a comprehensive understanding of how these tactics work and how to recognize them. Suitable for red team researchers and cybersecurity professionals, this session will get attendees up to speed with modern malware techniques.
Outline:
1. Introduction
   - Overview of EDR Systems
   - Importance of Evasion Techniques
2. Bypassing EDR Hooks
   - Direct Syscall Invocation
     - Basic implementation strategies
   - Avoiding EDR-Preloaded Modules
3. Advanced API Handling
   - Dynamic Resolution of NT APIs
     - Example methods for dynamic API loading
   - In-Memory Mapping of ntdll
4. Stealthy Process Injection
   - Overview of Injection Techniques
     - Common methods and their detection vectors
   - Evasion-Focused Injection Methods
5. Integrating Evasion Techniques
   - Synergizing Multiple Tactics
6. Real-World Examples
   - Brief case studies of malware utilizing these methods