Skip to main content

Modern Red Team — EDR & C2

Educational notice: Material for authorized Red Teams, Blue/Purple teams and CTFs. All information sourced from public sources (MITRE ATT&CK, DEFCON/BlackHat 2024-2025 conferences, vendor blogs). Operational payloads omitted — emphasis is defensive detection.
The 2026 offense/defense balance lives in kernel ETW-TI: any serious evasion that operates only in user-mode (AMSI / classic ETW patches) leaves visible footprints for PPL-aware EDRs. The real frontier is HW breakpoints + BYOVD + modular frameworks (Mythic / Sliver / Havoc) with bespoke OPSEC per engagement.

EDR ecosystem 2026

Common pillars:
  1. Kernel callbacks (PsSetCreateProcessNotifyRoutineEx, ObRegisterCallbacks).
  2. ETW Threat-Intelligence (mandatory PPL Anti-Malware).
  3. AMSI providers + vendor custom DLL.
  4. Mini-filter for FS.
  5. Cloud + ML telemetry.

Modern AMSI bypass 2026

Live techniques

Dead / burned techniques

  • Classic 0xC3 patch on AmsiScanBuffer entry → mass signature in Defender.
  • Invoke-Obfuscation token obfuscation → public Sigma/AMSI signatures.
  • AmsiScanBuffer write-raid → patched.
Legacy PowerShell v2 (powershell -version 2) still works on permissive systems but is disabled by default since Windows 10 and most CIS baselines block it. Detection: Sigma proc_creation_win_powershell_amsi_bypass.yml, ETW-TI events EtwTiLogReadWriteVm, vendor memory scans on amsi.dll. Sources: r-tec — Bypass AMSI 2025, CrowdStrike — Patchless AMSI.

ETW patching and evasion

Concept: EtwEventWrite and EtwEventWriteFull are proxies to NtTraceEvent in ntdll.dll. Patching first byte with 0xC3 neutralizes user-mode ETW. MITRE T1562.006. Critical limitation: the Microsoft-Windows-Threat-Intelligence (ETW-TI) provider lives in kernel and cannot be silenced from user-mode. Watches APC injection, RWX, NtReadVirtualMemory, NtProtectVirtualMemory. Subscribing requires PPL Anti-Malware — used by Defender for Endpoint, CrowdStrike, SentinelOne, Cortex XDR. Live vector: patch user-mode ETW + use HW breakpoints to evade local telemetry; what reaches kernel ETW-TI cannot be covered without BYOVD. Sources: Binarly — bypassing ETW EDR, 0xflux ETW patching Rust.

Professional C2 frameworks 2026

2024-2025 observation (Red Canary + Alphahunt): Sliver, Havoc and Mythic outperform Cobalt Strike at evasion against Defender for Endpoint, CrowdStrike and SentinelOne in recent tests. Sources: Alphahunt — Modular C2 2025-2026, Red Canary Threat Detection Report, Hunt.io watermarks.

Evasive lateral movement 2026


LOLBAS top 10 (2025-2026)

Q3-2025: LOLBins in 17% of incidents (Red Canary). Flax Typhoon and Remcos/NetSupport campaigns (Jan-2026) without custom malware, only signed binaries. Sources: LOLBAS project, CrowdStrike — 8 LOLBins every threat hunter should know.

Modern Initial Access 2026

Defensive resources:
  • LOLDrivers.io — ~917 drivers cataloged.
  • Microsoft Vulnerable Driver Blocklist (HVCI / Memory Integrity) with quarterly updates.
Sources: Microsoft — HTML smuggling, Trellix — OneClik, Sophos — BlackByte RTCore64.

Defense — detection mapping


Pedagogical conclusion

For defense: prioritize ETW-TI, HVCI with up-to-date vulnerable driver blocklist, AMSI provider integrity, and keep Sigma + YARA updated via SigmaHQ. Active hunting on EID 4104 (PowerShell ScriptBlock) and Sysmon EID 1/3/7/10/11 with correlated baseline. For legitimate offense (authorized Red Team): assume user-mode evasion is the entry point, not the endgame. Design your kill-chain thinking about kernel ETW-TI from minute 1 — or accept detection in stage 2.

Consolidated resources