Here are a few tricks that I have discovered over my malware development journey:
- Encrypt and change permissions of your payload and modules if they are not in use.
- EDRs scan RWX memory pages; try to use RW (PAGE_READWRITE) -> RX (PAGE_EXECUTE_READ) instead.
- Use the APIs closest to the kernel; they produce less telemetry.
- Obfuscate all the calls.
- Duplicate handles instead of creating new ones.
- Inject from noisy contexts like SYSTEM or csrss.exe.
- The idea of evasion consists of being invisible by being common.