I'm a junior pentester and I'm struggling because every time I try to run a standard Metasploit payload or a basic PowerShell script, the client's Endpoint Detection and Response (EDR) kills my session immediately. What are the trending "living off the land" (LotL) techniques or obfuscation methods that ethical hackers are using in 2026 to stay undetected?
3 answers
To evade modern EDRs, you have to stop relying on "noisy" public tools. Instead of Metasploit, look into custom "Command and Control" (C2) frameworks or writing your own stagers in Nim or Golang, which are harder for EDRs to signature. "Living off the Land" is your best friend—use signed, legitimate binaries like certutil.exe or mshta.exe to execute your code. Also, look into "API Unhooking" techniques. Modern EDRs hook into Windows APIs to monitor for suspicious calls; if you can refresh the NTDLL in memory to its original state, you effectively blind the EDR to what your process is doing.
Have you tried using "Process Ghosting" or "Process Herpaderping"? These techniques manipulate how the OS handles file writes and process creation to hide the malicious intent from the EDR’s scanner. Do you have a lab set up to test these without alerting a real SOC?
Obfuscation is a cat-and-mouse game. The best way to bypass EDR is to not use scripts at all—try to achieve your goals through native GUI tools if possible.
Good point, Susan. I’ve found that simply using the "Task Scheduler" to run a task as SYSTEM can sometimes bypass a lot of the behavioral monitoring that triggers on active terminal sessions.
Thomas, I've read about Herpaderping but it seems very complex for a junior. If I stick to more "basic" obfuscation like using Invoke-Obfuscation for my PowerShell scripts, will that still work against a modern EDR, or have they evolved to recognize those patterns too?