The Bypass
Placing a crafted NTUSER.MAN in C:\Users\<target>\ loads persistence keys into HKCU on next logon. The hive is loaded directly from disk without invoking registry APIs.

CmRegisterCallbackEx monitors registry operations. Hive loads are not registry operations. The callbacks are not invoked.

Filesystem events will trigger. Writing the file to the profile directory is visible to any EDR monitoring file operations. Registry-focused detections remain blind.

analyze.py - IDA Pro 9.X Python for automated call chain analysis
runner.ps1 - PowerShell batch runner for mass binary analysis
download-all-versions.ps1 - Download historical binary versions + PDBs

https://github.com/daaximus/ida-reach/

This blog contains my own research collected from the internet, along with ideas from other blogs and studies. While many parts are written in my own words, the Most sections were copied directly from external sources because they were already very well written and clearly expressed. This blog is mainly for sharing my personal notes and learning journey.

Wanna bypass chrome ABE? Read this and let the ideas flow

The definitive red team guide to understanding and bypassing Windows security controls: Windows Defender (static + AMSI + behavioral), AppLocker, WDAC, SmartScreen, ASR Rules, Credential Guard (VBS/LSAIso), Sysmon, PPL, and a comprehensive EDR deep-dive covering kernel callbacks, ETW-TI, API hooks, BYOVD, EDRKillShifter, EDRSilencer, sleep obfuscation, call stack spoofing, process injection, and the complete EDR kill chain. Every bypass mapped to MITRE ATT&CK.