EDR Evasion Primer for Red Teamers

August 25, 2022

Main Track

EDRs are everywhere, but relatively little is known about how the tools work and how to effectively circumvent them. We are effectively trusting black boxes to protect our endpoints. This presentation discusses insights on EDR inner workings and evasion options gathered over several years of intense red teaming.

We will cover:

Test lab results: The wide range of EDR choices from terrible to effective; bonus: ZERO DAYS!

Reverse engineering results: How EDRs work internally

Successful attack techniques: EDR evasion methodologies, including:

  • Leverage Windows APIs for injection attacks
  • Unhook functions
  • Implement and masquerade your own syscalls


These insights help defenders and testers: Blue teamers will better understand how much to rely on EDR; and red teamers will find an organization’s weakest link more quickly.

Security Consultant

Jorge is a Security Consultant at SRLabs focused on infrastructure pentesting and Red Teaming. He has deep expertise in endpoint protection, malware development, and Active Directory hacking.

Chief Scientist

Karsten is a cryptographer and security researcher. He likes to test security assumptions in proprietary systems and typically breaks them. Karsten is the Chief Scientist at SRLabs in Berlin, where his professional work includes testing telcos for hacking issues.