MostShittyEDR

The World's Most Intentionally Terrible EDR — an educational platform for understanding EDR detection and evasion techniques.

36
Challenges
9
Categories
36
Solutions

Challenge Categories


How It Works

The MostShittyEDR agent implements 9 detection rules with intentional weaknesses:

Rule Method Action Exploitable?
1 Process Name Blacklist (12 names) BLOCKS Yes
2 Command Line Keywords (substring) BLOCKS Yes
3 Reconnaissance Detection discard Yes
4 LSASS Dump Detection (dual condition) BLOCKS Yes
5 PowerShell Analysis (flags) BLOCKS Yes
6 Hash-Based Detection (SHA256, --signatures) BLOCKS Yes
7 Hooked API Import Detection ALERTS Yes
8 ETW Integrity Check BLOCKS Yes
9 PE Structure Analysis (packer/header) ALERTS Yes

Note: This is NOT production security software. It is an educational tool designed for understanding EDR evasion techniques in a safe, controlled environment.


Quick Start

# Clone the repository
git clone https://github.com/BenjiTrapp/MostShittyEDR.git

# Build the EDR agent
make build

# Run in safe mode (detect only, no kills)
.\edr_agent.exe --verbose --no-kill

Browse the Challenges to begin, or check the MostShittyAV companion lab for AMSI bypass challenges.


Further Reading

Deep-dive blog posts on EDR internals, bypass techniques, and defensive telemetry: