Skip to content

The Evolution of EDR Bypasses: A Historical Timeline

Castells
Ibai Castells

Hive Member

Close-up of a mechanical keyboard with red-lit keys, symbolizing offensive cybersecurity activity.

The relationship between Endpoint Detection and Response (EDR) solutions and bypass techniques represents one of cybersecurity’s most dynamic battlegrounds. They are a representation of Cybersecurity as a whole as they align with the cat-and-mouse analogy that we often use to describe the industry.

As EDR systems evolved from simple signature-based detection to sophisticated behavioral analysis engines, red teams and threat actors have continuously developed innovative methods to evade detection. This timeline chronicles the major breakthroughs in EDR bypass techniques, documenting the technical evolution that has shaped modern offensive security.

A lot has changed, lots of ideas have been weaponised, and this post aims to summarise them and become a reference for offensive security specialists.

The Foundation Years (2010-2015)

Early EDR Limitations and Basic Bypasses

The first generation of EDR solutions relied heavily on signature-based detection and basic behavioral heuristics. During this period, bypasses were relatively straightforward, often involving simple obfuscation techniques or process hollowing methods that could evade detection.

2012-2013: Process Hollowing and DLL Injection

The early EDR bypass landscape was dominated by traditional process injection techniques. Security researchers began systematically exploring methods like:

  • Classic DLL injection using CreateRemoteThread
  • Process hollowing (RunPE) techniques
  • Manual DLL loading to avoid Import Address Table (IAT) hooks

These techniques worked because early EDR solutions primarily monitored high-level Windows APIs without deep kernel-level visibility.

2014: Reflective DLL Loading

Stephen Fewer’s Reflective DLL Loading technique became a cornerstone of EDR evasion. By manually loading DLLs without using the Windows loader, attackers could bypass many hooking mechanisms that monitored standard DLL loading procedures. This research is still relevant today and is heavily used by many well known C2 frameworks. There has however been a shift towards position independent code (PIC) recently to evade behavioral detection for reflective DLL loading.

The Hooking Wars Begin (2015-2017)

Understanding EDR Detection Mechanisms

As EDR solutions matured, they began implementing more sophisticated hooking mechanisms to monitor API calls. This period marked the beginning of what we could call the “hooking wars” between EDR vendors and bypass developers.

2015-2016: API Hooking Awareness

Security researchers began systematically analysing how EDR solutions implemented their monitoring capabilities:

  • Userland API Hooks: EDR solutions began hooking critical Windows APIs like NtCreateFile, NtCreateProcess, and NtAllocateVirtualMemory
  • Inline Hooking: Many EDR products used inline hooking techniques, patching the first few bytes of API functions to redirect execution to their monitoring code
  • IAT Hooking: Import Address Table modification became a common EDR technique

2016: The Rise of Unhooking Techniques

The security community began developing systematic approaches to detect and remove EDR hooks:

  • Hook Detection: Comparing in-memory API functions with their disk-based versions
  • API Unhooking: Restoring original API bytes from clean copies loaded from disk
  • Manual Mapping: Loading clean copies of system DLLs to access unhooked APIs

The Direct Syscall Revolution (2017-2019)

2017: Introduction of Direct Syscalls

The introduction of direct syscall techniques marked a paradigm shift in EDR bypass methodology. Instead of calling high-level Windows APIs that EDR solutions monitored, attackers began leveraging the underlying system calls directly.

Key Breakthrough: SysWhispers by Jackson T (@Jackson_T)

The SysWhispers project, released in 2019, democratised direct syscall usage by providing:

  • Automated generation of syscall stubs
  • Support for multiple Windows versions
  • Easy integration into offensive tooling

Technical Innovation:

; Example direct syscall stub
NtAllocateVirtualMemory:
    mov r10, rcx
    mov eax, 18h        ; e.g Syscall number for NtAllocateVirtualMemory
    syscall
    ret

This technique bypassed userland API hooks entirely by transitioning directly to kernel mode, making it extremely difficult for EDR solutions to monitor without kernel-level components.

2018-2019: Syscall Evolution

  • Hell’s Gate: Am0nsec and Smelly__vx developed techniques to dynamically resolve syscall numbers at runtime
  • Halos Gate: Reenz0h extended Hell’s Gate to handle hooked syscalls by searching for clean syscall numbers in nearby functions
  • Tartarus’ Gate: Paul Laîné improved upon previous techniques with better reliability and evasion capabilities.

The Indirect Syscall Era (2019-2021)

2019-2020: Indirect Syscalls and Call Stack Awareness

As EDR solutions began monitoring direct syscalls, researchers developed indirect syscall techniques that maintained more natural call stacks.

Indirect Syscalls Breakthrough: Instead of executing syscalls directly from attacker-controlled code, indirect syscalls use existing legitimate code paths:

  • ROP-based Syscalls: Using Return-Oriented Programming to execute syscalls from legitimate modules
  • JOP-based Syscalls: Jump-Oriented Programming variants for syscall execution
  • Module Stomping: Overwriting legitimate modules’ code sections with syscall stubs

2020: Call Stack Spoofing Techniques Researchers recognised that EDR solutions were beginning to analyse call stacks to detect suspicious activity:

  • Return Address Spoofing: Modifying return addresses to appear legitimate
  • Stack Pivoting: Changing the stack pointer to use legitimate call stacks
  • Frame Pointer Manipulation: Altering frame pointers to create convincing call stack traces

Key Tools and Research:

  • SysWhispers2: Extended the original SysWhispers with indirect syscall capabilities
  • Ekko: C5pider’s sleep obfuscation technique using indirect syscalls
  • ThreadStackSpoofer: Mgeeky’s implementation of call stack spoofing

Advanced Evasion Techniques (2020-2022)

2020-2021: Memory Protection and Obfuscation

Sleeping Techniques:

  • Ekko Sleep Obfuscation: Encrypting beacon memory during sleep periods
  • Zilean: Advanced sleep obfuscation with multiple encryption layers
  • Gargoyle: Using timers and APCs for stealthy execution

Memory Evasion:

  • Module Overloading: Loading malicious code over legitimate modules
  • Phantom DLL Loading: Loading DLLs without registering them in PEB
  • Transacted Section Techniques: Using NTFS transactions for stealthy memory allocation

2021: Hardware-Based Evasions

Hardware Breakpoint Evasion:

  • Hardware Breakpoint Detection: Identifying and clearing hardware breakpoints set by EDR
  • Debug Register Manipulation: Directly modifying debug registers to evade monitoring

Performance Counter Abuse:

  • PMU-based Detection: Using Performance Monitoring Units to detect EDR presence
  • Timing-based Evasions: Exploiting timing differences in hooked vs. unhooked APIs

The Modern Era: VEH and Advanced Techniques (2022-Present)

2022: Vectored Exception Handling (VEH) Techniques

VEH-based Syscalls: Researchers began using Vectored Exception Handlers to implement stealthy syscall mechanisms:

  • Exception-based Control Flow: Using controlled exceptions to redirect execution
  • VEH Hijacking: Hijacking existing VEH chains for stealthy execution
  • Hardware Exception Abuse: Using hardware exceptions like single-step debugging

Key Innovation: FreshyCalls ElephantSe4l’s FreshyCalls technique used syscall trampolines and VEH to create highly evasive syscall implementations.

 

2022-2023: Kernel Callback Techniques

PsSetCreateProcessNotifyRoutine Bypasses:

  • Callback Removal: Removing EDR-registered process creation callbacks
  • Callback Patching: Modifying callback functions to bypass monitoring
  • DKOM Techniques: Direct Kernel Object Manipulation to evade detection

ETW (Event Tracing for Windows) Bypasses:

  • ETW Provider Patching: Disabling ETW providers used by EDR solutions
  • ETW Session Hijacking: Taking control of ETW sessions
  • Trace Tampering: Modifying ETW traces in real-time

 

2023: Advanced Memory Manipulation

CRT Hooking Bypasses:

  • CRT Function Replacement: Replacing C Runtime functions to bypass monitoring
  • Static vs. Dynamic CRT: Exploiting differences in CRT linking methods

Advanced Process Injection:

  • Process Doppelgänging: Using NTFS transactions for stealthy process creation
  • Process Herpaderping: Overwriting process images after loading
  • Ghost Writing: Writing to process memory through file mappings

Current State and Emerging Techniques (2024-Present)

2024: AI and Machine Learning Evasions

Behavioral Mimicry:

The emergence of artificial intelligence in cybersecurity represents a significant shift in EDR bypass methodology since direct syscalls. Unlike traditional static obfuscation, AI-driven evasion techniques could create malware that achieves behavioral authenticity, generating execution patterns that appear genuinely benign to both automated systems and human analysts.

Machine learning-based behavioral cloning could allow attackers to systematically study and replicate legitimate application patterns, creating highly targeted mimicry that can fool EDR systems trained on specific application profiles. More concerning are adaptive evasion systems that learn from failed detection attempts, continuously evolving their strategies in real-time. This creates a feedback loop where each detection attempt potentially teaches the evasion system how to better avoid future detection. TrustedSec’s research on User Behaviour Analytics from 2022 demonstrates that this is an area of interest now that the technology is at a point where systems could leverage this concept.

Notable Tools and Frameworks

Historical Tools Timeline

2015-2017: Foundation Tools

  • PowerShell Empire: Early C2 framework with EDR evasion capabilities
  • Cobalt Strike: Commercial C2 platform that drove much innovation
  • Metasploit: Open-source framework with evolving evasion modules

2018-2020: Syscall Era Tools

  • SysWhispers: Direct syscall generation tool
  • Hell’s Gate: Dynamic syscall resolution
  • Halos Gate: Enhanced syscall resolution with hook evasion

2021-2023: Advanced Evasion Tools

  • SysWhispers2: Indirect syscall implementation
  • Ekko: Sleep obfuscation with syscalls
  • ThreadStackSpoofer: Call stack spoofing implementation
  • FreshyCalls: VEH-based syscall implementation

2024-Present: Modern Frameworks

  • SysWhispers3: Latest evolution with enhanced evasion
  • Nighthawk: Advanced C2 with multiple evasion techniques
  • Brute Ratel: Modern C2 framework with built-in EDR evasion
  • Open Source C2: Adaptix and Havoc pushing commercial C2 framework innovation

Key Techniques

Direct Syscalls

Direct syscalls bypass userland API hooks by calling kernel services directly. The technique involves:

  1. Resolving syscall numbers for target APIs
  2. Setting up processor registers according to calling convention
  3. Executing the syscall instruction to transition to kernel mode

Indirect Syscalls

Indirect syscalls maintain natural call stacks by executing syscalls from legitimate code locations:

  1. Finding gadgets in legitimate modules that end with syscall; ret
  2. Setting up the stack to return to these gadgets
  3. Jumping to the gadgets instead of executing syscalls directly

Call Stack Spoofing

Call stack spoofing creates convincing call stack traces by:

  1. Analyzing legitimate call stack patterns
  2. Manipulating return addresses to match expected patterns
  3. Using ROP/JOP chains to maintain stack consistency

VEH Techniques

Vectored Exception Handling techniques use Windows’ exception handling mechanism:

  1. Registering custom exception handlers
  2. Triggering controlled exceptions to redirect execution
  3. Using hardware exceptions like single-step debugging for stealth

The Arms Race: EDR Response and Counter-Evolution

EDR Adaptations

Kernel-Level Monitoring: Modern EDR solutions have responded to userland bypasses by implementing kernel-level monitoring through:

  • Kernel Callbacks: Process, thread, and image load notifications
  • Filter Drivers: File system and registry monitoring
  • ETW Integration: Comprehensive event tracing

Behavioral Analysis:

  • Machine Learning Models: Detecting anomalous behavior patterns
  • Call Stack Analysis: Identifying suspicious execution flows
  • Memory Pattern Recognition: Detecting known attack signatures in memory

Hardware Integration:

  • Intel CET Support: Leveraging Control-flow Enforcement Technology
  • Hardware Breakpoints: Using debug registers for monitoring
  • Performance Counters: Detecting evasion through timing analysis

Counter-Counter Measures

The offensive security community has responded to EDR improvements with:

  • Kernel-Level Evasions: Direct manipulation of kernel structures
  • Hardware-Based Bypasses: Exploiting processor features for evasion
  • Supply Chain Attacks: Using legitimate signed binaries
  • Living-off-the-Land: Abusing legitimate system tools

Challenges and Considerations

Ethical Implications: The advancement of EDR bypass techniques raises important questions about:

  • Responsible disclosure practices
  • The balance between red team capabilities and actual threat actor tools
  • The potential for abuse by malicious actors

Detection vs. Evasion Balance: The ongoing arms race between detection and evasion techniques continues to push both offensive and defensive capabilities forward, ultimately improving overall cybersecurity posture through adversarial testing.

Conclusion

The history of EDR bypasses represents a fascinating case study in adversarial cybersecurity research. From simple API unhooking to sophisticated hardware-based evasions, each breakthrough has pushed both attackers and defenders to develop more advanced techniques. Understanding this evolution is crucial for security professionals on both sides of the fence, as it provides insight into the fundamental challenges of endpoint security and the creative solutions that emerge from adversarial pressure.

The timeline shows clear patterns: as EDR solutions implement new detection mechanisms, the offensive security community responds with innovative bypass techniques. This cycle of improvement benefits the entire cybersecurity ecosystem by identifying weaknesses and driving innovation in defensive technologies.

As we look to the future, the integration of artificial intelligence, hardware security features, and cloud-native technologies will likely define the next phase of this ongoing arms race. Organisations must stay informed about these developments to maintain effective security postures in an increasingly sophisticated threat landscape.

 

References

  1. Fewer, S. (2014). “Reflective DLL Injection.” Harmony Security. https://github.com/stephenfewer/ReflectiveDLLInjection
  2. Jackson_T. (2019). “SysWhispers: On-disk and in-memory evasion techniques.” https://github.com/jthuraisamy/SysWhispers
  3. Am0nsec & Smelly__vx. (2019). “Hell’s Gate: Dynamically retrieving system call numbers.” https://github.com/am0nsec/HellsGate
  4. Reenz0h. (2020). “Halos Gate: A new technique for dynamically retrieving syscall numbers.” https://blog.sektor7.net/#!res/2021/halosgate.md
  5. Laîné, P. (2021). “Tartarus’ Gate: Bypassing EDRs by abusing hell’s gate.” https://github.com/trickster0/TartarusGate
  6. C5pider. (2021). “Ekko: Sleep Obfuscation.” https://github.com/Cracked5pider/Ekko
  7. Mgeeky. (2021). “ThreadStackSpoofer: PoC for spoofing thread call stack.” https://github.com/mgeeky/ThreadStackSpoofer
  8. ElephantSe4l. (2022). “FreshyCalls: Syscalls with VEH.” https://github.com/crummie5/FreshyCalls
  9. modexp. (2020). “Process Injection Techniques.” Modexp Blog. https://modexp.wordpress.com/
  10. Red Canary. (2021). “EDR Evasion Techniques and Countermeasures.” Red Canary Threat Detection Report.
  11. MITRE ATT&CK Framework. “Defense Evasion Techniques.” https://attack.mitre.org/tactics/TA0005/
  12. Sektor7 Malware Development Course Materials. (2020-2022). https://institute.sektor7.net/
  13. Maldev Academy. (2022-2024). “Malware Development Techniques and EDR Evasion.” https://maldevacademy.com/
  14. SpecterOps. (2021-2023). “Adversary Simulation and Red Team Research.” Various blog posts and research papers.
  15. Elastic Security Labs. (2022-2024). “EDR Evasion Research and Detection Engineering.” Research publications and blog posts.