Modern Red Team — EDR & C2
Educational notice: Material for authorized Red Teams,
Blue/Purple teams and CTFs. All information sourced from
public sources (MITRE ATT&CK, DEFCON/BlackHat 2024-2025
conferences, vendor blogs). Operational payloads omitted —
emphasis is defensive detection.
EDR ecosystem 2026
Common pillars:
- Kernel callbacks (
PsSetCreateProcessNotifyRoutineEx,ObRegisterCallbacks). - ETW Threat-Intelligence (mandatory PPL Anti-Malware).
- AMSI providers + vendor custom DLL.
- Mini-filter for FS.
- Cloud + ML telemetry.
Modern AMSI bypass 2026
Live techniques
Dead / burned techniques
- Classic
0xC3patch onAmsiScanBufferentry → mass signature in Defender. Invoke-Obfuscationtoken obfuscation → public Sigma/AMSI signatures.- AmsiScanBuffer write-raid → patched.
powershell -version 2) still works on
permissive systems but is disabled by default since Windows 10
and most CIS baselines block it.
Detection: Sigma proc_creation_win_powershell_amsi_bypass.yml,
ETW-TI events EtwTiLogReadWriteVm, vendor memory scans on
amsi.dll.
Sources: r-tec — Bypass AMSI 2025,
CrowdStrike — Patchless AMSI.
ETW patching and evasion
Concept:EtwEventWrite and EtwEventWriteFull are proxies
to NtTraceEvent in ntdll.dll. Patching first byte with 0xC3
neutralizes user-mode ETW. MITRE T1562.006.
Critical limitation: the
Microsoft-Windows-Threat-Intelligence (ETW-TI) provider lives
in kernel and cannot be silenced from user-mode. Watches APC
injection, RWX, NtReadVirtualMemory,
NtProtectVirtualMemory. Subscribing requires PPL Anti-Malware —
used by Defender for Endpoint, CrowdStrike, SentinelOne, Cortex
XDR.
Live vector: patch user-mode ETW + use HW breakpoints to
evade local telemetry; what reaches kernel ETW-TI cannot be
covered without BYOVD.
Sources: Binarly — bypassing ETW EDR,
0xflux ETW patching Rust.
Professional C2 frameworks 2026
2024-2025 observation (Red Canary + Alphahunt): Sliver,
Havoc and Mythic outperform Cobalt Strike at evasion against
Defender for Endpoint, CrowdStrike and SentinelOne in recent
tests.
Sources: Alphahunt — Modular C2 2025-2026,
Red Canary Threat Detection Report,
Hunt.io watermarks.
Evasive lateral movement 2026
LOLBAS top 10 (2025-2026)
Q3-2025: LOLBins in 17% of incidents (Red Canary). Flax Typhoon and Remcos/NetSupport campaigns (Jan-2026) without custom malware, only signed binaries.
Sources: LOLBAS project,
CrowdStrike — 8 LOLBins every threat hunter should know.
Modern Initial Access 2026
Defensive resources:
- LOLDrivers.io — ~917 drivers cataloged.
- Microsoft Vulnerable Driver Blocklist (HVCI / Memory Integrity) with quarterly updates.
Defense — detection mapping
Pedagogical conclusion
For defense: prioritize ETW-TI, HVCI with up-to-date vulnerable driver blocklist, AMSI provider integrity, and keep Sigma + YARA updated via SigmaHQ. Active hunting on EID 4104 (PowerShell ScriptBlock) and Sysmon EID 1/3/7/10/11 with correlated baseline. For legitimate offense (authorized Red Team): assume user-mode evasion is the entry point, not the endgame. Design your kill-chain thinking about kernel ETW-TI from minute 1 — or accept detection in stage 2.Consolidated resources
- SigmaHQ repo
- LOLDrivers.io
- LOLBAS project
- MITRE ATT&CK Enterprise
- Microsoft Recommended Driver Block Rules
- Praetorian — ETW-TI & HW breakpoints
- InfoGuard Labs — EDR driver analysis
- BC Security — Empire 5.0
- Cybereason — WMI lateral movement
- enigma0x3 — DCOM MMC20
Related resources
- Tactical glossary — Mimikatz, Pass-the-Hash, BloodHound.
- Professional methodology — MITRE ATT&CK mapping.
- AD CS — Red Team privesc vector against AD.