Endpoint detection and response tools sit at the center of most enterprise security strategies — yet attackers increasingly treat them as obstacles to route around, not walls to break through. In a 2024 red team assessment of a U.S. critical infrastructure organization, CISA found that EDR solutions "detected only a few" of the deployed payloads, validating what adversaries already know. The CrowdStrike 2026 Global Threat Report reinforces the problem: 82% of detections were malware-free, driven by credential-based and living off the land techniques that bypass traditional endpoint detection and response controls entirely. EDR evasion is no longer an advanced capability reserved for nation-state actors. It is a commoditized service available on underground markets for as little as $300.
EDR evasion is the set of techniques attackers use to avoid, disable, or circumvent endpoint detection and response tools — preventing these agents from detecting malicious activity, reporting telemetry to a central console, or triggering automated response actions on compromised endpoints.
The terms "EDR evasion" and "EDR bypass" are often used interchangeably, but a useful distinction exists. EDR evasion broadly describes any method of avoiding endpoint detection, while EDR bypass specifically implies that an attacker defeated both prevention and detection mechanisms. In practice, DFIR experts increasingly categorize these techniques into three families — blinding, blocking, and hiding — based on how they interact with the EDR agent architecture.
EDR agents operate from a fundamentally constrained position. They rely on software hooks, kernel callbacks, and telemetry pipelines that attackers can identify, manipulate, or disable. Research presented at DEF CON 32 found that 94% of analyzed EDR solutions lack hooks in the subsystem layer above NTDLL, creating a systemic architectural gap. When the CrowdStrike 2026 Global Threat Report reports that 82% of detections are malware-free, it signals that attackers have shifted to techniques that EDR was never designed to catch — credential theft, legitimate tool abuse, and identity-based attacks that blend into normal operations.
The problem compounds across the cyber kill chain. If an attacker disables or blinds the EDR agent early in the intrusion, every subsequent stage — lateral movement, privilege escalation, data exfiltration — proceeds without endpoint-level visibility.
Attackers target three fundamental attack surfaces in EDR architecture: the telemetry pipeline, the agent process itself, and the execution context that determines what the agent monitors.
Blinding techniques prevent EDR agents from collecting or transmitting telemetry without terminating the agent process. The EDR appears operational but sends incomplete or no data to the central console. ATT&CK mapping: T1562.006 (Indicator Blocking).
Blocking techniques directly terminate EDR processes or prevent them from loading. These are the most aggressive evasion methods and usually require kernel-level privileges, most often obtained through a vulnerable driver. ATT&CK mapping: T1562 (Impair Defenses) sub-techniques, including T1562.009 (Safe Mode Boot).
Hiding techniques execute malicious actions using methods that EDR agents are designed to trust or cannot monitor.
EDR evasion has become a commercial underground service. Research by ExtraHop's threat team found that dark web forums (XSS, Exploit.In, RAMP) sell single EDR bypass tools starting at $300, with bundled encryption lockers reaching $10,000. This commoditization means organizations face evasion attempts from the full spectrum of threat actors — not just sophisticated APT groups.
Figure: EDR agent architecture with three evasion attack surfaces. The diagram shows user-mode hooks, kernel callbacks, and the ETW pipeline feeding an EDR console, with labeled attack vectors for blinding (telemetry suppression), blocking (agent termination), and hiding (trusted-context execution).
EDR evasion techniques span kernel-level driver abuse, user-mode hook manipulation, trusted-binary exploitation, and emerging Linux-specific attack surfaces.
BYOVD loads a signed but vulnerable kernel driver and abuses its exposed functionality (typically an IOCTL that grants arbitrary kernel memory read/write or process termination) to kill EDR processes or unregister their kernel callbacks. The technique maps to T1068 (Exploitation for Privilege Escalation) and T1014 (Rootkit). Windows maintains a vulnerable driver blocklist, enforced by default on HVCI-enabled systems and current Windows 11 builds, but it is typically updated only once or twice a year, so a newly abused driver can remain loadable for months. A single BYOVD campaign using the TrueSight driver deployed over 2,500 driver variants between mid-2024 and early 2025. In February 2026, Reynolds ransomware embedded a vulnerable NsecSoft driver (CVE-2025-68947) directly within the ransomware payload, eliminating the need for a separate EDR-killing deployment step. Huntress documented similar weaponization of the EnCase driver for EDR termination.
EDR agents place inline hooks in user-mode DLLs (primarily ntdll.dll) to intercept API calls and monitor process behavior. Unhooking techniques overwrite the hooked function prologues with clean bytes taken from the on-disk copy of the DLL, while direct and indirect syscalls skip the hooked functions entirely. The HookChain technique, presented at DEF CON 32, operates in the subsystem layer above NTDLL (the Win32 API DLLs such as kernelbase.dll, which most agents leave unhooked) and achieved an 88% bypass success rate across 26 tested EDR solutions. Direct syscalls execute the syscall instruction from attacker-controlled code with the system service number (SSN) loaded into EAX; because SSNs change between Windows builds, tooling resolves them at runtime by reading the Nt* stubs in ntdll rather than hard-coding them. Indirect syscalls prepare the call in attacker code but jump to the syscall/ret instruction inside ntdll.dll, so the return address the kernel sees still lies in ntdll and the call survives both inline-hook checks and simple return-address validation. Both map to T1562.001 (Disable or Modify Tools).
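The following is an added example, not code from the original page or from the HookChain research. It shows in Python the mechanics the paragraph above describes: how direct-syscall tooling recovers an SSN from a clean x64 ntdll stub (the "Hell's Gate" approach), how it falls back to neighbouring stubs when the target stub carries an inline hook (the "Halo's Gate" approach), and the mirror-image defender check that diffs in-memory stubs against the on-disk copy. The export names (NtExampleA..D), SSNs, virtual addresses and hook offsets are constructed for the example; only the stub byte layout follows the real Windows 10/11 x64 pattern.

```python
"""
Inspect x64 ntdll.dll Nt* syscall stubs: recover the system service number (SSN)
from clean stubs, recognise EDR inline hooks, infer the SSN of a hooked stub from
its unhooked neighbours, and report stubs that differ from the on-disk image.

All export names, SSNs, addresses and stub bytes are CONSTRUCTED for this
example; nothing is read from a real ntdll.dll.
"""
import struct
from typing import Dict, List, Optional, Tuple

# Canonical Windows 10/11 x64 Nt* stub:
#   4C 8B D1                  mov  r10, rcx
#   B8 <ssn as imm32>         mov  eax, ssn
#   F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
#   75 03                     jne  +3
#   0F 05                     syscall
#   C3                        ret
#   CD 2E                     int  2Eh
#   C3                        ret
CLEAN_PREFIX = b"\x4c\x8b\xd1\xb8"
CLEAN_SUFFIX = b"\xf6\x04\x25\x08\x03\xfe\x7f\x01\x75\x03\x0f\x05\xc3\xcd\x2e\xc3"


def clean_stub(ssn: int) -> bytes:
    """Build an unmodified stub whose mov eax immediate is the given SSN."""
    return CLEAN_PREFIX + struct.pack("<I", ssn) + CLEAN_SUFFIX


def hooked_stub(rel32: int, ssn: int) -> bytes:
    """Simulate an EDR inline hook: the first 5 bytes become 'jmp rel32'."""
    return b"\xe9" + struct.pack("<i", rel32) + clean_stub(ssn)[5:]


def extract_ssn(stub: bytes) -> Optional[int]:
    """Hell's Gate step: read the SSN straight from an unmodified stub, else None."""
    if stub[:4] == CLEAN_PREFIX and stub[8:8 + len(CLEAN_SUFFIX)] == CLEAN_SUFFIX:
        return struct.unpack_from("<I", stub, 4)[0]
    return None


def is_inline_hooked(stub: bytes) -> bool:
    """jmp rel32 (E9) or jmp [rip+disp32] (FF 25) at offset 0 is the usual hook signature."""
    return stub[:1] == b"\xe9" or stub[:2] == b"\xff\x25"


def hook_target(stub_va: int, stub: bytes) -> Optional[int]:
    """Resolve where an E9 hook jumps (the EDR trampoline), given the stub's address."""
    if stub[:1] != b"\xe9":
        return None
    rel = struct.unpack_from("<i", stub, 1)[0]
    return stub_va + 5 + rel  # rel32 is relative to the end of the 5-byte jmp


def infer_ssn_from_neighbours(stubs: Dict[str, bytes], order: List[str], name: str) -> Optional[int]:
    """Halo's Gate step: Nt* stubs are laid out in ascending SSN order, so a hooked
    stub's SSN is the nearest clean neighbour's SSN corrected by their distance."""
    idx = order.index(name)
    for dist in range(1, len(order)):
        for sign in (-1, 1):
            j = idx + sign * dist
            if 0 <= j < len(order):
                neighbour_ssn = extract_ssn(stubs[order[j]])
                if neighbour_ssn is not None:
                    return neighbour_ssn - sign * dist
    return None


def integrity_report(in_memory: Dict[str, bytes], on_disk: Dict[str, bytes],
                     base_va: Dict[str, int]) -> List[Tuple[str, bool, Optional[int]]]:
    """Defender's view: diff live stubs against the on-disk ntdll image and return
    (name, looks_like_inline_hook, jmp_target) for every modified stub. A hook that
    is not the EDR's own, or a stub that was restored to clean bytes while the EDR
    expects its hook, is an unhooking or hijack indicator."""
    findings = []
    for name, mem in in_memory.items():
        if mem != on_disk[name]:
            findings.append((name, is_inline_hooked(mem), hook_target(base_va[name], mem)))
    return findings


# Constructed export table: four stubs in address (= SSN) order, two of them hooked.
ORDER = ["NtExampleA", "NtExampleB", "NtExampleC", "NtExampleD"]
BASE_VA = {n: 0x7FF8_1000_0000 + 0x20 * i for i, n in enumerate(ORDER)}
ON_DISK = {n: clean_stub(0x40 + i) for i, n in enumerate(ORDER)}
IN_MEMORY = dict(ON_DISK)
IN_MEMORY["NtExampleB"] = hooked_stub(0x1F00, 0x41)
IN_MEMORY["NtExampleC"] = hooked_stub(0x1EE0, 0x42)

if __name__ == "__main__":
    for n in ORDER:
        print(n, "direct:", extract_ssn(IN_MEMORY[n]),
              "via neighbours:", infer_ssn_from_neighbours(IN_MEMORY, ORDER, n))
    print(integrity_report(IN_MEMORY, ON_DISK, BASE_VA))
```

The same byte comparison that lets an attacker pick the right SSN is what a memory-integrity scan uses in reverse: any Nt* stub whose first bytes differ from the mapped file, and whose jump target is not inside the EDR's own module, deserves an alert.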
Living off the land attacks abuse legitimate system binaries (PowerShell, WMI, certutil, mshta, regsvr32) that EDR solutions must allow to function. mshta and regsvr32 map to T1218 (System Binary Proxy Execution) sub-techniques; PowerShell and WMI map to T1059.001 and T1047 respectively, and certutil is usually mapped to T1140 (Deobfuscate/Decode Files or Information) or T1105 (Ingress Tool Transfer) depending on how it is used. Because the binaries are digitally signed and essential to system operations, EDR faces a fundamental tension between blocking potential abuse and permitting legitimate administrative activity, so detection has to rest on context (parent process, command-line arguments, network destinations) rather than on the binary itself. Tools like Cobalt Strike leverage LOLBin execution chains to blend post-exploitation activity into normal system behavior.
Fileless malware and in-memory loading place malicious code directly into process memory without writing a standalone payload to disk, bypassing file-based scanning; this maps to T1055 (Process Injection). DLL side-loading (T1574.002) is related but distinct: the attacker drops a malicious DLL beside a trusted, signed executable that loads it by name, so the malicious code runs under the trusted process's identity even though the DLL itself is on disk. The PDFSIDER malware campaign demonstrated DLL side-loading through trusted PDF reader processes, evading both static and behavioral detection.
Purpose-built EDR killer tools terminate or blind EDR processes using a combination of techniques. EDRKillShifter uses BYOVD to terminate endpoint security processes and has proliferated across competing ransomware operations. EDR Silencer blocks EDR network traffic via the Windows Filtering Platform (T1562.006), leaving the agent running but unable to report. EDR-Redir represents a newer approach: a user-mode technique that abuses the Windows 11 bind filter driver to redirect the EDR's own installation directory, requiring no kernel driver of its own and therefore no BYOVD step.
Linux EDR evasion is an emerging front that many defenders overlook. The RingReaper agent uses the Linux io_uring kernel interface (introduced in kernel 5.1) to perform process discovery, network enumeration, and privilege escalation through asynchronous I/O operations that never pass through the individual syscall entry points traditional Linux EDR hooks watch. io_uring is a legitimate, supported interface, not a vulnerability: operations are queued on a shared ring and completed by the kernel without a per-operation openat, read or connect call, so agents that instrument those syscalls with kprobes or tracepoints see nothing, while LSM hooks on the underlying file and socket operations still fire. Most Linux EDR solutions do not monitor io_uring, creating a significant detection gap for server environments; practical mitigations include monitoring io_uring_setup and io_uring_enter usage and, where workloads do not need the interface, disabling it with the kernel.io_uring_disabled sysctl available from kernel 6.6.
Table: Summary of major EDR evasion technique families, mapped to MITRE ATT&CK IDs and primary detection challenges.
Real-world incidents confirm that EDR evasion enables catastrophic breaches when organizations lack network-layer monitoring and proper endpoint configuration.
The ALPHV/BlackCat ransomware group used stolen credentials to access Change Healthcare's systems through a remote access portal lacking multi-factor authentication. Attackers disabled endpoint defenses and moved laterally for nine days, exfiltrating 6TB of data before deploying ransomware. The organization paid a $22 million ransom, and over 100 million individuals' personal health information was compromised. The lesson: EDR without MFA and network-layer monitoring creates catastrophic single points of failure.
In February 2026, Reynolds ransomware bundled a vulnerable NsecSoft NSecKrnl driver (CVE-2025-68947) directly within the ransomware payload. The embedded driver terminates processes for Avast, CrowdStrike Falcon, Cortex XDR, Sophos, and Symantec. This evolution — from BYOVD as a separate pre-attack step to an embedded payload component — shrinks the detection window dramatically.
When EDR quarantined Akira's initial payload on a Windows endpoint, the attackers pivoted to an unmonitored Linux-based webcam on the same network. From the webcam, they mounted SMB shares and encrypted the network from a device that no EDR agent could protect. This case demonstrates why IoT security and agentless device monitoring are essential components of any endpoint strategy.
A CISA red team assessed a critical infrastructure organization and evaded EDR by avoiding known-bad signatures and inflating file sizes above EDR upload thresholds. A legacy environment within the organization had zero EDR coverage. The assessment concluded that overreliance on host-based EDR without network-layer protections leaves organizations blind to determined adversaries.
With average eCrime breakout time now at 29 minutes according to CrowdStrike's 2026 data, the window between initial access and lateral movement is shrinking faster than most SOCs can respond.
Defending against EDR evasion requires layering network detection, absence monitoring, and endpoint hardening into an integrated defense-in-depth strategy.
Network-level detection (NDR). Network detection and response provides independent telemetry that persists when EDR agents are compromised. Network traffic cannot be "unhooked": an attacker who blinds or terminates the endpoint agent still generates observable network behavior during lateral movement, command-and-control communication, and data exfiltration. Encrypted C2 limits payload inspection, but connection metadata (new internal SMB, RDP or WinRM sessions, beaconing intervals, unusual destinations and volumes) remains visible. CISA's advisory specifically recommends network-layer monitoring as a complement to endpoint detection.
Absence-based monitoring. Rather than detecting malicious activity, absence monitoring detects when endpoints stop reporting to the EDR console, a strong indicator that EDR-killing tools have been deployed. Because a powered-off or disconnected host looks identical from the console, the signal should be corroborated with a second source such as network flow records, DHCP leases or authentication logs: a host that is silent to the EDR but still active on the network is the case to escalate. Threat intelligence reporting identifies this as one of the most reliable detection methods for EDR tampering.
Behavioral analytics and threat hunting. Proactive threat detection focuses on identifying evasion indicators: unexpected driver load events, ETW telemetry gaps, anomalous process tree structures, and suspicious use of legitimate system binaries. These behavioral signals persist even when signature-based detection fails.
The Akira webcam case demonstrates a critical blind spot: devices that cannot run EDR agents (IoT devices, IP cameras, OT equipment, network appliances) create entry points that bypass endpoint security entirely. According to the Verizon 2025 DBIR (as summarized by Corelight), exploitation of edge devices and VPNs as a breach entry point rose from 3% to 22% year over year. Organizations must audit all network-connected devices and ensure agentless devices cannot access sensitive resources without network-level monitoring. IoT security solutions and NDR provide visibility where endpoint agents cannot operate.
An effective incident response plan accounts for scenarios where EDR telemetry is unavailable, with playbooks that leverage network and identity data sources as fallbacks.
EDR evasion detection maps directly to MITRE ATT&CK T1562 (Impair Defenses) — the most prevalent technique in malware campaigns in 2025 according to Picus Security's annual analysis. Multiple security frameworks mandate controls that address EDR evasion risks.
Table: MITRE ATT&CK techniques relevant to EDR evasion, with detection data sources and defensive controls.
Framework mapping. NIST CSF controls DE.CM-1 (network monitoring), DE.CM-4 (malicious code detection), and PR.PT-1 (audit/log records) directly address EDR evasion detection requirements (these are CSF 1.1 identifiers; CSF 2.0 renumbers and regroups them). CIS Controls v8 maps through Control 10 (Malware Defenses), Control 8 (Audit Log Management), and Control 13 (Network Monitoring and Defense). ISO 27001:2022 addresses this through Annex A 8.7 (Protection Against Malware) and Annex A 8.16 (Monitoring Activities).
The industry consensus is clear: effective defense against EDR evasion requires independent detection layers that persist when endpoint agents are compromised. This means combining EDR with network detection and response, identity threat detection and response (ITDR), and agentless monitoring into a unified defense-in-depth architecture.
NDR provides network-layer visibility that cannot be disabled by endpoint-level attacks. ITDR detects the credential abuse and identity-based attacks behind the malware-free activity that made up 82% of detections. Automated response capabilities contain threats before lateral movement completes, which is critical when eCrime breakout time averages 29 minutes. Improving SOC operations through signal consolidation reduces the alert fatigue that delays response to genuine evasion indicators.
Vectra AI operates on the assumption that smart attackers will get past endpoint controls — the "assume compromise" philosophy. Attack Signal Intelligence analyzes network, identity, and cloud telemetry to find attacker behavior that EDR cannot see — lateral movement, privilege escalation, and command-and-control activity that persists regardless of whether the endpoint agent is compromised, blinded, or absent. The focus is on signal clarity over alert volume, ensuring SOC teams investigate real threats rather than chasing noise from the 82% of activity that never touches malware.
The EDR evasion landscape is evolving rapidly, with several developments likely to reshape both attack techniques and defensive strategies over the next 12 to 24 months.
AI-assisted evasion will accelerate. Threat actors are already using AI to automate payload generation, polymorphic code creation, and behavioral mimicry. While specific effectiveness claims vary in reliability, the general trend is well-documented: AI reduces the skill barrier for creating custom evasion techniques, putting pressure on defenders to adopt AI-driven detection that adapts at the same speed.
Linux and cloud-native evasion will expand. RingReaper's exploitation of io_uring signals a broader shift toward targeting Linux server environments and cloud infrastructure. As organizations migrate more workloads to containers and Kubernetes, attackers will adapt evasion techniques for these environments where traditional EDR deployment models may not apply.
Regulatory pressure will increase. NIS2 enforcement in Europe and potential SEC cyber disclosure rule updates may mandate specific endpoint protection standards and defense-in-depth requirements. Organizations that rely solely on EDR will face compliance gaps as frameworks increasingly require network-layer monitoring and absence-based detection capabilities.
Evasion-as-a-service will mature. The underground market for EDR evasion tools will continue to professionalize, with subscription models, guaranteed bypass windows, and money-back guarantees becoming standard. Security leaders should factor this market maturity into threat models and budget accordingly for layered detection investments.
Organizations should prioritize deploying NDR alongside existing EDR investments, establishing absence-based monitoring for endpoint telemetry gaps, and conducting regular adversary simulation exercises that specifically test EDR evasion scenarios.
EDR evasion has evolved from an advanced nation-state capability to a commoditized service available to any threat actor with a few hundred dollars. The techniques are well-documented, the tools are widely shared across criminal ecosystems, and the architectural limitations of endpoint-only detection are publicly validated by CISA red team assessments and academic research.
The path forward is not abandoning EDR; it is recognizing that EDR operates best as one layer within a defense-in-depth architecture. Network detection provides independent visibility that persists when endpoints are compromised. Identity monitoring catches the malware-free intrusions that account for 82% of detections. Absence-based telemetry detects when EDR itself becomes the target. Organizations that harden endpoint configuration (tamper protection, Safe Mode persistence, driver blocklists), layer NDR alongside endpoint detection, and validate their defenses through regular adversary simulation will close the gaps that EDR evasion exploits.
EDR evasion refers to the techniques attackers use to avoid, disable, or circumvent endpoint detection and response tools. These techniques prevent EDR agents from detecting malicious activity, reporting telemetry, or triggering automated response. Modern EDR evasion falls into three categories: blinding (suppressing telemetry without terminating the agent), blocking (directly disabling or terminating EDR processes), and hiding (executing within trusted contexts that EDR monitors but must allow). EDR evasion has become increasingly commoditized, with tools available on underground markets for as little as $300, making it accessible to a wide range of threat actors beyond nation-state groups. According to CISA red team findings, EDR solutions detected "only a few" deployed payloads when tested against a skilled adversary, confirming that endpoint detection alone does not provide sufficient coverage.
Attackers evade EDR through multiple technique families targeting different architectural layers. At the kernel level, BYOVD loads signed vulnerable drivers to terminate EDR processes or unregister kernel callbacks. At the user-mode level, unhooking and syscall techniques bypass the API monitoring hooks that EDR agents rely on. Living-off-the-land techniques abuse legitimate system binaries that EDR cannot block outright. EDR killer tools like EDRKillShifter combine multiple approaches, using BYOVD for kernel access and then systematically terminating endpoint security processes. More recently, attackers have pivoted to unmonitored devices (as in the Akira webcam case) or abused Linux-specific interfaces like io_uring that most EDR solutions do not monitor. The key insight is that attackers rarely use a single technique. They chain multiple evasion methods to maximize their chances of operating undetected.
BYOVD (bring your own vulnerable driver) is an attack technique where adversaries load a legitimately signed but vulnerable kernel driver onto a target system. Because the driver carries a valid digital signature, Windows allows it to execute with kernel-level privileges unless its hash already appears on the vulnerable driver blocklist, which lags behind newly abused drivers. The attacker then exploits the vulnerability in the loaded driver to gain kernel access, which allows them to terminate EDR processes, unregister kernel callbacks, and manipulate security controls. Over 2,500 driver variants were used in a single BYOVD campaign targeting the TrueSight driver between mid-2024 and early 2025. The February 2026 Reynolds ransomware took this technique further by embedding the vulnerable driver directly within the ransomware payload, eliminating the need for a separate deployment step and significantly shortening the detection window.
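As an added example covering both the BYOVD technique described in the techniques section and this answer (it is not code from the original page or from any vendor), the following Python scores driver-load telemetry the way a detection engineer would: a kernel driver whose hash is on a vulnerable-driver list, or that is validly signed yet loaded from a user-writable path, raises an alert, and the alert is escalated if an EDR or AV process terminates on the same host within two minutes of the load. The event format is Sysmon-like but simplified, and the hashes, hostnames, paths and timestamps are constructed; the real hash list would come from Microsoft's recommended driver block rules or the LOLDrivers project.

```python
"""
BYOVD detection over constructed Sysmon-style events (DriverLoad / ProcessTerminate).
Blocklist hashes, hostnames, paths and timestamps are CONSTRUCTED for the example.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed blocklist: sha256 -> description. Placeholder hashes, not real ones.
VULN_HASH = "11" * 32
BENIGN_HASH = "00" * 32
VULNERABLE_DRIVER_HASHES: Dict[str, str] = {
    VULN_HASH: "constructed: vendor utility driver with arbitrary kernel read/write IOCTL",
    "22" * 32: "constructed: anti-cheat driver exposing a process-terminate IOCTL",
}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\windows\\temp\\")
# Representative (not exhaustive) security product process names.
EDR_PROCESSES = {"msmpeng.exe", "mssense.exe", "csfalconservice.exe", "savservice.exe"}
KILL_WINDOW = timedelta(seconds=120)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def score_driver_load(ev: dict) -> List[str]:
    """Return the reasons a DriverLoad event looks like BYOVD; empty list if benign."""
    reasons = []
    if ev.get("sha256", "").lower() in VULNERABLE_DRIVER_HASHES:
        reasons.append("known_vulnerable_driver")
    image = ev.get("image", "").lower()
    if any(p in image for p in USER_WRITABLE):
        reasons.append("driver_in_user_writable_path")
    if not ev.get("signed", False):
        reasons.append("unsigned_driver")
    return reasons


def detect_byovd(jsonl: str) -> List[dict]:
    """Walk events in time order; emit one alert per suspicious driver load and
    escalate it to critical if an EDR process dies on that host within KILL_WINDOW."""
    events = sorted((json.loads(line) for line in jsonl.strip().splitlines()),
                    key=lambda e: parse_ts(e["ts"]))
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] != "DriverLoad":
            continue
        reasons = score_driver_load(ev)
        if not reasons:
            continue
        alert = {"host": ev["host"], "driver": ev["image"], "ts": ev["ts"], "reasons": reasons,
                 "severity": "high" if "known_vulnerable_driver" in reasons else "medium",
                 "edr_killed": []}
        t0 = parse_ts(ev["ts"])
        for later in events[i + 1:]:
            if parse_ts(later["ts"]) - t0 > KILL_WINDOW:
                break  # events are sorted, so nothing further is inside the window
            if (later["event"] == "ProcessTerminate" and later["host"] == ev["host"]
                    and later["image"].rsplit("\\", 1)[-1].lower() in EDR_PROCESSES):
                alert["edr_killed"].append(later["image"])
        if alert["edr_killed"]:
            alert["severity"] = "critical"
            alert["reasons"].append("edr_process_terminated_after_driver_load")
        alerts.append(alert)
    return alerts


# Constructed telemetry: a benign inbox driver, then a blocklisted driver loaded from a
# user-writable folder followed by Defender and Falcon processes dying seconds later.
SAMPLE_TEMPLATE = r"""
{"ts":"2026-02-10T09:13:00Z","host":"WS-042","event":"DriverLoad","image":"C:\\Windows\\System32\\drivers\\tcpip.sys","sha256":"@BENIGN@","signed":true}
{"ts":"2026-02-10T09:14:02Z","host":"WS-042","event":"DriverLoad","image":"C:\\Users\\Public\\drv\\vulndrv.sys","sha256":"@VULN@","signed":true}
{"ts":"2026-02-10T09:14:05Z","host":"WS-042","event":"ProcessTerminate","image":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"}
{"ts":"2026-02-10T09:14:06Z","host":"WS-042","event":"ProcessTerminate","image":"C:\\Program Files\\CrowdStrike\\CSFalconService.exe"}
{"ts":"2026-02-10T09:20:00Z","host":"WS-042","event":"ProcessTerminate","image":"C:\\Windows\\System32\\notepad.exe"}
"""
SAMPLE_EVENTS = SAMPLE_TEMPLATE.replace("@VULN@", VULN_HASH).replace("@BENIGN@", BENIGN_HASH)

if __name__ == "__main__":
    for a in detect_byovd(SAMPLE_EVENTS):
        print(json.dumps(a, indent=2))
```

Hash matching alone misses the next driver an affiliate picks up, which is why the path and signature heuristics and the correlation with EDR process death matter more than the list itself; in production the ProcessTerminate source would be Sysmon Event ID 5 or the EDR's own heartbeat loss.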
Ransomware groups bypass EDR using a combination of techniques tailored to their specific targets. ALPHV/BlackCat used stolen credentials to disable endpoint defenses at Change Healthcare, enabling nine days of lateral movement that resulted in a $22 million ransom and 100 million compromised records. Reynolds ransomware embeds a BYOVD driver directly in its payload, automatically terminating Avast, CrowdStrike Falcon, Cortex XDR, Sophos, and Symantec on execution. RansomHub's EDRKillShifter tool uses BYOVD to terminate EDR and has been shared with at least three rival gangs — Play, Medusa, and BianLian. Akira demonstrated creative thinking by pivoting to an unmonitored Linux webcam to encrypt the network when EDR blocked the initial payload on Windows endpoints. These examples show that ransomware operators invest significant resources in EDR evasion because endpoint detection is the primary barrier to ransomware deployment.
Detecting EDR evasion requires looking beyond the endpoint. Network detection and response (NDR) provides independent telemetry that persists when EDR agents are compromised — attackers who blind or terminate the endpoint agent still generate observable network traffic during lateral movement and data exfiltration. Absence-based monitoring detects when endpoints stop reporting to the EDR console, which is a strong indicator of EDR-killing activity. Behavioral analytics and threat hunting focus on anomalous driver load events, ETW telemetry gaps, unusual process trees, and suspicious system binary usage. Organizations should monitor for driver loading events that match known vulnerable drivers, sudden gaps in EDR telemetry from specific endpoints, unexpected network connections from endpoints that recently went silent, and process behavior patterns consistent with unhooking or syscall abuse. Combining these detection methods creates overlapping visibility that no single evasion technique can defeat.
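The absence-based monitoring described in the defensive strategy section and in this answer, as an added example in Python that is not code from the original page or from any product: EDR heartbeat timestamps are cross-checked against network flow records, so that a host that has gone quiet on the console but is still generating traffic is separated from one that is simply powered off, and lateral-movement ports (SMB, RDP, WinRM, RPC) push the finding to critical. The hostnames, timestamps, flows and the 15-minute heartbeat SLA are constructed for the example.

```python
"""
Absence-based EDR monitoring corroborated with network flow data.
Hostnames, timestamps, flows and thresholds are CONSTRUCTED for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

HEARTBEAT_SLA = timedelta(minutes=15)   # longest acceptable gap between EDR check-ins
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS", 135: "RPC"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "low": 2}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_silent_hosts(heartbeats: Dict[str, str], flows: List[dict], now: str) -> List[dict]:
    """
    heartbeats: host -> time of the last EDR console check-in
    flows:      [{"ts", "src", "dst", "dport"}] from NetFlow/Zeek/NDR
    Returns one finding per host whose agent has been silent longer than HEARTBEAT_SLA,
    graded by what the network saw from that host after it went quiet.
    """
    t_now = parse_ts(now)
    flows_by_host = defaultdict(list)
    for f in flows:
        flows_by_host[f["src"]].append(f)

    findings = []
    for host, last in heartbeats.items():
        t_last = parse_ts(last)
        gap = t_now - t_last
        if gap <= HEARTBEAT_SLA:
            continue  # agent is reporting normally
        after_silence = [f for f in flows_by_host[host] if parse_ts(f["ts"]) > t_last]
        lateral = sorted({LATERAL_PORTS[f["dport"]] for f in after_silence if f["dport"] in LATERAL_PORTS})
        if not after_silence:
            # Quiet on both sources: most likely off or disconnected, worth a ticket, not a page.
            finding = {"host": host, "severity": "low", "reason": "edr_silent_no_network_activity"}
        elif lateral:
            # Agent dead, host alive and reaching peers on admin protocols: the EDR-kill pattern.
            finding = {"host": host, "severity": "critical",
                       "reason": "edr_silent_but_lateral_movement_traffic", "protocols": lateral}
        else:
            finding = {"host": host, "severity": "high", "reason": "edr_silent_but_network_active"}
        finding["silent_for_minutes"] = int(gap.total_seconds() // 60)
        finding["flows_after_silence"] = len(after_silence)
        findings.append(finding)
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


# Constructed data: WS-042 stopped checking in and then started talking SMB/RDP to
# other hosts, WS-017 is simply offline, WS-003 is healthy.
NOW = "2026-02-10T10:00:00Z"
HEARTBEATS = {
    "WS-042": "2026-02-10T09:14:00Z",
    "WS-017": "2026-02-10T08:00:00Z",
    "WS-003": "2026-02-10T09:58:00Z",
}
FLOWS = [
    {"ts": "2026-02-10T09:10:00Z", "src": "WS-042", "dst": "10.0.5.20", "dport": 443},
    {"ts": "2026-02-10T09:31:00Z", "src": "WS-042", "dst": "10.0.5.21", "dport": 445},
    {"ts": "2026-02-10T09:33:00Z", "src": "WS-042", "dst": "10.0.5.22", "dport": 3389},
    {"ts": "2026-02-10T09:40:00Z", "src": "WS-042", "dst": "203.0.113.9", "dport": 443},
    {"ts": "2026-02-10T09:59:00Z", "src": "WS-003", "dst": "10.0.5.21", "dport": 445},
]

if __name__ == "__main__":
    for finding in detect_silent_hosts(HEARTBEATS, FLOWS, NOW):
        print(finding)
```

The heartbeat SLA should be tuned to the agent's real check-in interval plus jitter; a threshold set below that interval produces a steady stream of false "silent" hosts, which is exactly the noise that buries a genuine EDR kill.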
Defense evasion is tactic TA0005 in the MITRE ATT&CK framework, encompassing techniques that adversaries use to avoid detection throughout their intrusion. Within this tactic, T1562 (Impair Defenses) is the most directly relevant technique family for EDR evasion. The sub-techniques include T1562.001 (Disable or Modify Tools), T1562.002 (Disable Windows Event Logging), T1562.006 (Indicator Blocking), and T1562.009 (Safe Mode Boot). According to Picus Security's annual analysis, T1562 was the most prevalent technique employed in malware campaigns in 2025. Security teams use these ATT&CK mappings for detection engineering — building detection rules that target specific technique behaviors rather than individual malware signatures, which provides more durable coverage against evolving evasion tools.
Network detection and response plays a critical role in detecting EDR evasion because it operates independently of endpoint agents. When an attacker blinds, terminates, or circumvents an EDR agent, network traffic continues to flow. NDR monitors this traffic for indicators of compromise that EDR can no longer report — lateral movement between hosts, command-and-control communication, credential abuse patterns, and data exfiltration. CISA specifically recommends network-layer monitoring as a complement to endpoint detection in their critical infrastructure advisory. The combination of EDR and NDR creates a detection architecture where compromising one layer does not eliminate visibility. Even if an attacker successfully evades every EDR agent in the environment, their network behavior remains observable. This is particularly important for agentless devices — IoT, OT equipment, network appliances — that cannot run endpoint agents at all.
HookChain is an advanced EDR bypass technique documented in academic research and presented at DEF CON 32. It exploits the subsystem layer above NTDLL — a layer where 94% of analyzed EDR solutions lack monitoring hooks. By operating in this architectural blind spot, HookChain achieved an 88% bypass success rate across 26 tested EDR products and five endpoint protection platforms. The technique highlights a fundamental design limitation in current EDR architecture: vendors focus their monitoring hooks at the NTDLL and kernel levels but leave the higher subsystem layer unprotected. HookChain does not require kernel access or administrator privileges, making it accessible to a broader range of attackers. The research underscores why relying solely on user-mode hook-based detection is insufficient and why complementary detection layers (network, identity, behavioral) are essential.
Safe mode reboot bypasses EDR by restarting the target system into Windows Safe Mode, where only essential drivers and services load. Most EDR agents are not configured to start in Safe Mode, which means the system boots without endpoint protection active. Ransomware families including Snatch and AvosLocker have exploited this technique to encrypt files without EDR interference. The attacker typically gains initial access, configures the system to boot into Safe Mode, restarts the machine, and then executes the ransomware payload in the unprotected environment. This technique maps to MITRE ATT&CK T1562.009. Defending against it requires configuring EDR agents to persist in Safe Mode, monitoring for unexpected boot configuration changes, and ensuring network-level detection covers endpoints regardless of their boot state.
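An added example for the Safe Mode Boot technique and its defenses (not code from the original page): Python detection logic run over constructed Sysmon-style process-creation and registry-modification events. It flags bcdedit commands that touch the safeboot setting, escalates when the same host is force-rebooted afterwards, flags any new service registered under the SafeBoot Minimal or Network keys (which is how ransomware arranges to run in Safe Mode), and includes the posture check a defender wants: is the EDR service itself registered to start in Safe Mode? The hostnames, command lines, service names and the baseline allowlist are constructed; the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network registry layout is real.

```python
"""
Safe Mode Boot (T1562.009) detection over constructed events, plus an EDR posture check.
Hostnames, command lines, service names and the baseline allowlist are CONSTRUCTED.
"""
import re
from typing import Dict, List, Set

# bcdedit ... safeboot  (set, deletevalue or any variant touching the safeboot element)
SAFEBOOT_CMD = re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I)
# shutdown ... /r  (a reboot is what activates the configured Safe Mode)
FORCED_REBOOT = re.compile(r"\bshutdown(?:\.exe)?\b.*\s/r\b", re.I)
# ...\Control\SafeBoot\<Minimal|Network>\<service or driver>
SAFEBOOT_KEY = re.compile(r"\\control\\safeboot\\(minimal|network)\\([^\\]+)", re.I)
# Entries expected under SafeBoot on a healthy build (constructed allowlist; build a real
# one from a golden image rather than hard-coding it).
SAFEBOOT_BASELINE: Set[str] = {"vga.sys", "sr.sys", "volsnap.sys"}


def analyse(events: List[dict]) -> List[dict]:
    """Emit one finding per Safe Mode indicator. A forced reboot that follows a
    safeboot change on the same host upgrades that change to a single high-severity hit."""
    findings: List[dict] = []
    pending_safeboot: Dict[str, int] = {}  # host -> index of its safeboot finding
    for ev in events:
        host = ev["host"]
        if ev["event"] == "ProcessCreate":
            cmd = ev["cmdline"]
            if SAFEBOOT_CMD.search(cmd):
                findings.append({"host": host, "severity": "medium",
                                 "reason": "bcdedit_safeboot_modified", "evidence": cmd})
                pending_safeboot[host] = len(findings) - 1
            elif FORCED_REBOOT.search(cmd) and host in pending_safeboot:
                f = findings[pending_safeboot[host]]
                f["severity"] = "high"
                f["reason"] = "safe_mode_boot_configured_then_rebooted"
                f["evidence"] += " ; " + cmd
        elif ev["event"] == "RegistrySet":
            m = SAFEBOOT_KEY.search(ev["key"])
            if m and m.group(2).lower() not in SAFEBOOT_BASELINE:
                findings.append({"host": host, "severity": "high",
                                 "reason": "new_service_registered_for_safeboot_" + m.group(1).lower(),
                                 "evidence": ev["key"]})
    return findings


def edr_protected_in_safe_mode(safeboot_keys: Dict[str, Set[str]], edr_service: str) -> Dict[str, bool]:
    """Posture check: is the EDR service present under both the Minimal and Network
    profiles? A profile without it boots the host unprotected."""
    return {profile: edr_service.lower() in {s.lower() for s in services}
            for profile, services in safeboot_keys.items()}


# Constructed events: SRV-07 is set to boot into Safe Mode with networking, a new
# service is registered to run there, and the box is force-rebooted. WS-003 shows a
# scheduled patch reboot and a baseline SafeBoot entry, both benign.
SAMPLE_EVENTS = [
    {"host": "SRV-07", "event": "ProcessCreate", "cmdline": r"bcdedit.exe /set {default} safeboot network"},
    {"host": "SRV-07", "event": "RegistrySet", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UpdateSvc"},
    {"host": "SRV-07", "event": "ProcessCreate", "cmdline": r"shutdown.exe /r /f /t 0"},
    {"host": "WS-003", "event": "ProcessCreate", "cmdline": r'shutdown.exe /r /t 300 /c "monthly patching"'},
    {"host": "WS-003", "event": "RegistrySet", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys"},
]
# Constructed registry snapshot taken from SRV-07: the EDR service is missing from both profiles.
SAFEBOOT_SNAPSHOT = {"Minimal": {"vga.sys", "sr.sys", "UpdateSvc"}, "Network": {"vga.sys", "UpdateSvc"}}

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
    print(edr_protected_in_safe_mode(SAFEBOOT_SNAPSHOT, "ExampleEdrSensor"))
```

The registry check is the one to run fleet-wide before an incident: if the EDR service is absent from SafeBoot\Minimal or SafeBoot\Network on a golden image, every host built from it is one bcdedit command away from an unprotected boot, regardless of how good the detections are.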
EDR tampering is a broad term covering any technique that modifies, degrades, or disables the functionality of an endpoint detection and response agent. This includes terminating EDR processes, patching monitoring hooks in memory, blocking telemetry transmission, modifying configuration files, unregistering kernel callbacks, and exploiting vulnerable drivers for kernel access. EDR tampering is the practical implementation of MITRE ATT&CK T1562.001 (Disable or Modify Tools). Most modern EDR solutions include tamper protection features that prevent unauthorized modification of the agent, but these protections must be properly configured and verified — tamper protection that can be overridden by a local administrator provides limited value against an attacker who has already achieved privilege escalation. Regular validation through adversary simulation ensures tamper protection functions as intended.