windows-av-evasion

Community

Build Windows EDR-bypass evasion chains

Author: lNwNl
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

This Skill provides an operational playbook for evading Windows AV/EDR detections during security testing by covering common telemetry, runtime scanning, and hooking patterns.

Core Features & Use Cases

  • AMSI bypass: Memory patching, reflection-based flags, string/trigger obfuscation, and PowerShell-specific bypass approaches to reduce AMSI-driven scanning impact.
  • ETW and telemetry reduction: Techniques to limit Event Tracing for Windows signals that security tools consume for detection.
  • Execution and stealth workflows: Guidance for in-memory .NET loading, shellcode execution methods, process injection options, unhooking/hardening against API hooks, and payload encryption/obfuscation.
  • Signature-focused evasion: String encryption, API hashing, and metadata reduction to reduce static signature matches across tool execution paths.
  • Use Case: When a protected endpoint blocks a planned red-team payload, you can select a bypass and execution chain that targets the specific detection layer (AMSI, ETW, ntdll hooks, or signature-based matches) while keeping the operational flow coherent.

Quick Start

Load this Skill and ask an AI to propose a Windows AV/EDR evasion plan for your specific scenario, including the bypass sequence and an execution technique matched to AMSI/ETW/hooking constraints.

Dependency Matrix

Required Modules

None required

Components

references

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: windows-av-evasion
Download link: https://github.com/lNwNl/Methodos/archive/main.zip#windows-av-evasion

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.