BIPI

EDR Evasion in 2025: Techniques Red Teams Are Using and How to Detect Them

Cybersecurity

Modern EDRs use kernel callbacks, ETW telemetry, and ML models. Modern red teams route around all three. A breakdown of current evasion techniques with paired detection logic for each.

By Arjun Raghavan, Security & Systems Lead, BIPI · June 12, 2025 · 13 min read

#edr-evasion #red-team #endpoint-security #detection-engineering #amsi

EDR vendors market detection rates in controlled lab environments. Red teams operate in real environments where the EDR has been running for 18 months, has an allowlist for 200 internal tools, and where the SOC triage queue is three days deep. The gap between lab detection rates and real-world detection rates is where red teams live.

Understanding EDR Telemetry Sources

Most EDRs collect from three layers: kernel callbacks (process create, image load, registry operations, file operations), ETW (Event Tracing for Windows) providers including the Microsoft-Windows-Threat-Intelligence provider, and userland hooks in ntdll.dll for API monitoring. Each layer has different evasion properties. Kernel callbacks require a signed driver to bypass. ETW can be patched in userland. Userland hooks can be bypassed by syscalling directly.

Direct System Calls

Userland EDR hooks sit in ntdll.dll and intercept calls to NtAllocateVirtualMemory, NtWriteVirtualMemory, and NtCreateThreadEx. Direct syscalls bypass the hook by calling the kernel transition instruction (syscall on x64) directly with the correct syscall number. SysWhispers3 generates the assembly stubs. The detection: these stubs have a distinctive pattern — a syscall instruction in executable memory that is not inside ntdll.dll. Kernel callbacks still fire.

ETW Patching

ETW telemetry is generated by the EtwEventWrite function in ntdll.dll. Patching its first byte with 0xC3 (ret) silences all ETW output from that process. This disables the Microsoft-Windows-Threat-Intelligence provider, which feeds many EDRs with API-level telemetry. Detection: monitor for writes to the EtwEventWrite function address from any process that is not a known updater. Sysmon Event ID 25 (process tampering) covers this.

AMSI Bypass

AMSI (Antimalware Scan Interface) is invoked by PowerShell, WScript, and .NET before executing scripts. The classic bypass patches amsi.dll's AmsiScanBuffer function to always return AMSI_RESULT_CLEAN. Current EDRs watch for this patch. Newer bypasses use COM hijacking to replace the AMSI provider registration, or use hardware breakpoints to intercept the scan call without writing to the function body.

Process Injection Without CreateRemoteThread

  • NtQueueApcThread: queue an APC to a thread in an alertable state. No CreateRemoteThread call.
  • Thread Hijacking: suspend a thread, overwrite RIP register, resume. One process access event.
  • Module Stomping: overwrite the .text section of a loaded DLL rather than allocating new memory.
  • Phantom DLL Hollowing: map a deleted file into memory and execute from it — no file on disk.

34% of red team engagements in 2024 achieved full EDR bypass using BYOVD. 91% of AMSI bypasses in the wild use the AmsiScanBuffer patch vector. Detection improves 4x when kernel callbacks are supplemented with ETW-TI telemetry.

Detection Engineering Response

Stack-based detection is the highest-signal approach: capture the call stack at the point of each suspicious API call. Legitimate code has a call stack that traces through known modules. Shellcode executing from unbacked memory will show frames pointing to addresses with no associated module. This technique catches direct syscalls, injection, and module stomping simultaneously.
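The two checks described above, the direct-syscall stub signature (a syscall instruction in executable memory outside ntdll.dll) and the unbacked-frame test on a captured call stack, as an added Python example that is not from the original post. The memory map, module names, addresses and stub bytes are constructed for illustration; a real detector would read regions and stack frames from the target process instead of literals.

```python
from dataclasses import dataclass
SYSCALL = b"\x0f\x05"  # encoding of the x64 'syscall' instruction

@dataclass(frozen=True)
class Region:
    """One memory region from a (constructed) process memory map."""
    base: int
    size: int
    executable: bool
    module: "str | None"   # None means private memory with no image behind it
    data: bytes = b""      # region contents, only needed for the stub scan

def backing_module(regions, addr):
    """Module that owns addr, or None if the address is unbacked."""
    for r in regions:
        if r.base <= addr < r.base + r.size:
            return r.module
    return None

def classify_stack(regions, stack):
    """Pair every return address on a captured stack with its backing module."""
    return [(addr, backing_module(regions, addr)) for addr in stack]

def unbacked_frames(regions, stack):
    """Frames with no module behind them: shellcode or a direct-syscall stub in private memory."""
    return [addr for addr, mod in classify_stack(regions, stack) if mod is None]

def find_rogue_syscalls(regions):
    """Addresses of 'syscall' instructions in executable memory outside ntdll.dll."""
    hits = []
    for r in regions:
        if not r.executable or r.module == "ntdll.dll":
            continue
        off = r.data.find(SYSCALL)
        while off != -1:
            hits.append(r.base + off)
            off = r.data.find(SYSCALL, off + 1)
    return hits

# Constructed snapshot: addresses, module layout and stub bytes are illustrative.
REGIONS = [
    Region(0x7FF800000000, 0x200000, True, "ntdll.dll"),
    Region(0x7FF7C0000000, 0x100000, True, "kernel32.dll"),
    Region(0x00400000, 0x80000, True, "app.exe"),
    # private RWX page holding "mov r10, rcx ; syscall ; ret" (no syscall number shown)
    Region(0x1A2B0000, 0x1000, True, None, b"\x4c\x8b\xd1\x0f\x05\xc3"),
]
# Constructed call stacks at an NtAllocateVirtualMemory call, innermost frame first.
BENIGN_STACK = [0x7FF800001234, 0x7FF7C0005678, 0x00401000]  # ntdll <- kernel32 <- app
DIRECT_SYSCALL_STACK = [0x1A2B0005, 0x00401000]              # unbacked stub <- app
```

Module stomping is not caught by the unbacked-frame test alone, since the stomped code is still backed by a legitimate image; for that case the frame's module must additionally be checked against what is expected to reach this API.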
