You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Evading ETW is effective, but you might observe strange behavior during execution. If your process loads the CLR and ETW does not receive telemetry, this is not a normal aspect of assembly execution.
- Consideration 2 :
Loading the CLR from a managed process can appear suspicious. You can inject your assembly into a process where the CLR is already loaded.
Loading the CLR from a unmanaged process can appear suspicious. You can inject your assembly into a process where the CLR is already loaded.
- Consideration 3 :
Patching a function is the most reliable way (100% certain) to ensure it will not be called, but it is also the most dangerous method for evading AMSI/ETW.
