NorthSec 2025

The perpetual race to safeguard and secure our infrastructures have given birth to robust defensive mechanisms, such as antiviruses (AV), Endpoint Detection and Response (EDRs), and Extended detection and response (XDR) just to name a few. Over the years the detection methodologies employed by them have evolved. From the very basic string and hash matching techniques, defensive mechanisms have enhanced their capabilities by employing machine learning, in memory scanning and other sophisticated techniques. From the perspective of a malware developer, developing malware is considerably easier as compared to evading it.
In this talk we will discuss various techniques employed by malware developers to circumvent detection measures implemented by modern day AVs and EDRs. This talk will solely focus on the Windows ecosystem. We will discuss the nitty gritties of the Windows OS, followed by various detection techniques implemented by AVs and EDRs. After understanding the detection methods we will shift our focus on various techniques that can be implemented to bypass aforementioned detection techniques. Some techniques included are Unhooking, BlockDLL, Repatching, API Hashing, ETW and AMSI patching etc.
In order to better understand the concepts discussed, we present real life PoCs. These PoCs will showcase the discussed evasion techniques on a popular red teaming tool (Juicy Potato). The implemented techniques will be tested against ‘Windows Defender’, a popular and widely used inbuilt AV solution by Microsoft. Furthermore these PoCs will showcase the exact detection methods and how we were able to bypass them to gain access.