# Defense Evasion

- [AV Bypass with Metasploit Templates and Custom Binaries](/offensive-security/defense-evasion/av-bypass-with-metasploit-templates.md)
- [Evading Windows Defender with 1 Byte Change](/offensive-security/defense-evasion/evading-windows-defender-using-classic-c-shellcode-launcher-with-1-byte-change.md)
- [Bypassing Windows Defender: One TCP Socket Away From Meterpreter and Beacon Sessions](/offensive-security/defense-evasion/bypassing-windows-defender-one-tcp-socket-away-from-meterpreter-and-cobalt-strike-beacon.md)
- [Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs](/offensive-security/defense-evasion/bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis.md): EDR / AV Evasion
- [Windows API Hashing in Malware](/offensive-security/defense-evasion/windows-api-hashing-in-malware.md): Evasion
- [Detecting Hooked Syscalls](/offensive-security/defense-evasion/detecting-hooked-syscall-functions.md)
- [Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs](/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs.md)
- [Retrieving ntdll Syscall Stubs from Disk at Run-time](/offensive-security/defense-evasion/retrieving-ntdll-syscall-stubs-at-run-time.md)
- [Full DLL Unhooking with C++](/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++.md): EDR evasion
- [Enumerating RWX Protected Memory Regions for Code Injection](/offensive-security/defense-evasion/finding-all-rwx-protected-memory-regions.md): Code Injection, Defense Evasion
- [Disabling Windows Event Logs by Suspending EventLog Service Threads](/offensive-security/defense-evasion/disabling-windows-event-logs-by-suspending-eventlog-service-threads.md)
- [Obfuscated PowerShell Invocations](/offensive-security/defense-evasion/t1027-obfuscated-powershell-invocations.md): Defense Evasion
- [Masquerading Processes in Userland via \_PEB](/offensive-security/defense-evasion/masquerading-processes-in-userland-through-_peb.md): Understanding how malicious binaries can masquerade as any other legitimate Windows binary from userland.
- [Commandline Obfuscation](/offensive-security/defense-evasion/commandline-obfusaction.md): Commandline obfuscation
- [File Smuggling with HTML and JavaScript](/offensive-security/defense-evasion/file-smuggling-with-html-and-javascript.md)
- [Timestomping](/offensive-security/defense-evasion/t1099-timestomping.md): Defense Evasion
- [Alternate Data Streams](/offensive-security/defense-evasion/t1096-alternate-data-streams.md)
- [Hidden Files](/offensive-security/defense-evasion/t1158-hidden-files.md): Defense Evasion, Persistence
- [Encode/Decode Data with Certutil](/offensive-security/defense-evasion/t1140-encode-decode-data-with-certutil.md): Defense Evasion
- [Downloading Files with Certutil](/offensive-security/defense-evasion/downloading-file-with-certutil.md): Downloading additional files to the victim system using a native OS binary.
- [Packed Binaries](/offensive-security/defense-evasion/t1045-software-packing-upx.md): Defense Evasion, Code Obfuscation
- [Unloading Sysmon Driver](/offensive-security/defense-evasion/unloading-sysmon-driver.md): Unloading the Sysmon driver, which causes the system to stop recording Sysmon event logs.
- [Bypassing IDS Signatures with Simple Reverse Shells](/offensive-security/defense-evasion/bypassing-ids-signatures-with-simple-reverse-shells.md)
- [Preventing 3rd Party DLLs from Injecting into your Malware](/offensive-security/defense-evasion/preventing-3rd-party-dlls-from-injecting-into-your-processes.md)
- [ProcessDynamicCodePolicy: Arbitrary Code Guard (ACG)](/offensive-security/defense-evasion/acg-arbitrary-code-guard-processdynamiccodepolicy.md)
- [Parent Process ID (PPID) Spoofing](/offensive-security/defense-evasion/parent-process-id-ppid-spoofing.md)
- [Executing C# Assemblies from Jscript and wscript with DotNetToJscript](/offensive-security/defense-evasion/executing-csharp-assemblies-from-jscript-and-wscript-with-dotnettojscript.md)
