Table of Content :

Cobalt Strike MindMap

Shared by RastaMouse : https://x.com/_RastaMouse/status/1862881768178606155

EDR/AV Evasion Notes & References :

• ‣

Detecting the Hooks

• Blogs

  • https://www.ired.team/offensive-security/defense-evasion/detecting-hooked-syscall-functions

• Tools

  • HookDetector : https://github.com/matterpreter/OffensiveCSharp/tree/master/HookDetector
  • InjDrv (Windows Driver for injecting DLL into user-mode processes using APC ) : https://github.com/wbenny/injdrv

• We can detect hooks by looking at the first 4 bytes of an API instruction.

• Generally they are in sequence of 0x4c, 0x8b, 0xd1, 0xb8