MostShittyEDR
The World's Most Intentionally Terrible EDR — an educational platform for understanding EDR detection and evasion techniques.
36
Challenges
9
Categories
36
Solutions
Challenge Categories
Process Name Evasion
Bypass the static process name blacklist through renaming, case tricks, and using unlisted tools.
Command Line Obfuscation
Evade keyword detection using carets, environment variables, encoding, and discovering dead rules.
Process Monitoring Bypass
Exploit polling intervals, pre-existing processes, living-off-the-land, and LSASS dump evasion.
Execution Evasion
Alternative PowerShell hosts, privilege escalation, WoW64 tricks, and Unicode abuse.
Advanced Bypass
Parent PID spoofing and discovering that hash-based detection is pure security theater.
API Hook Evasion
Bypass static import analysis using dynamic resolution, DLL proxying, direct syscalls, and ntdll unhooking. Uses real EDR hook profiles.
ETW Bypass
Blind the EDR's ETW telemetry via session killing, EtwEventWrite patching, provider manipulation, and patchless hardware breakpoint hooks.
Signature Bypass
Evade SHA256 hash-based detection via byte patching, signature file enumeration, process hollowing, and recompilation.
Packer & PE Evasion
Evade PE structure analysis via UPX section renaming, custom packers, Astral-PE header obfuscation, and runtime unpacking.
Getting Started
New here? Browse all 36 challenges, pick your difficulty, and start bypassing.
How It Works
The MostShittyEDR agent implements 9 detection rules with intentional weaknesses:
| Rule | Method | Action | Exploitable? |
|---|---|---|---|
| 1 | Process Name Blacklist (12 names) | BLOCKS | Yes |
| 2 | Command Line Keywords (substring) | BLOCKS | Yes |
| 3 | Reconnaissance Detection | discard |
Yes |
| 4 | LSASS Dump Detection (dual condition) | BLOCKS | Yes |
| 5 | PowerShell Analysis (flags) | BLOCKS | Yes |
| 6 | Hash-Based Detection (SHA256, --signatures) |
BLOCKS | Yes |
| 7 | Hooked API Import Detection | ALERTS | Yes |
| 8 | ETW Integrity Check | BLOCKS | Yes |
| 9 | PE Structure Analysis (packer/header) | ALERTS | Yes |
Note: This is NOT production security software. It is an educational tool designed for understanding EDR evasion techniques in a safe, controlled environment.
Quick Start
# Clone the repository
git clone https://github.com/BenjiTrapp/MostShittyEDR.git
# Build the EDR agent
make build
# Run in safe mode (detect only, no kills)
.\edr_agent.exe --verbose --no-kill
Browse the Challenges to begin, or check the MostShittyAV companion lab for AMSI bypass challenges.
Further Reading
Deep-dive blog posts on EDR internals, bypass techniques, and defensive telemetry:
EDR Deep Dive
Understanding and Attacking EDRs
How malware detection works, EDR internals, API/kernel hooking, and attack strategies against EDR solutions.
Detection
Hunting the Watchers: Detecting EDR Hooks
Techniques to detect and identify EDR hooks in user-mode DLLs, including syscall stub analysis.
Roadmap
EDR Bypass Roadmap
A structured path through EDR bypass techniques, from basic evasion to advanced kernel-level attacks.
Syscalls
Hell's Gate, Heaven's Gate & Tartarus Gate
Direct and indirect syscall techniques to bypass user-mode EDR hooks entirely.
Telemetry
ETW-TI Deep Dive
Understanding Event Tracing for Windows Threat Intelligence — the kernel-level telemetry that feeds modern EDRs.
Offense
Breaking ETW and EDR
Offensive techniques to blind EDR telemetry by tampering with ETW providers and consumers.
Related Projects
- MostShittyAV — The companion AMSI bypass lab (43 challenges)