SCANNER DOWN: Three Ways We Silenced AMSI and Danced Past MDE + ATP + WDAC & FALCON

Ananda Krishna

Senior Red Team Engineer @ CyberProof

Talk Abstract

This talk is not a slide deck full of CVEs. It's a real story — three environments, three endpoint protection stacks, and what happened when a red team went up against each of them and refused to quit.

Chapter 1 — MDE + ATP: A custom native loader (diaghost.exe) using indirect syscalls, djb2-based export resolution, and an AmsiOpenSession stomp that forces AMSI to believe it never initialized. Invoke-Mimikatz ran clean. Zero MDE alerts.

Chapter 2 — MDE + ATP + WDAC: Every unsigned binary blocked before execution. We hunted the WDAC policy, found Python whitelisted, loaded the CLR via pythonnet, and flipped amsiInitFailed using pure .NET reflection: no VirtualProtect, no NtProtectVirtualMemory, no unsigned native code for WDAC to block and no memory-patching call for the EDR to flag.

Chapter 3 — CrowdStrike Falcon: ntdll userland unhooking via chunked disk-image restore, EtwEventWrite patching to blind behavioral telemetry, XOR-obfuscated strings, and direct syscalls — combined into a single binary (cisoservice.exe) that injected and executed without triggering quarantine or alert.
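An added example, not code from the speaker's cisoservice.exe, showing the logic behind the chunked disk-image restore above and the defender's mirror-image check, in portable C over two constructed byte buffers: one stands in for ntdll's .text as it sits on disk, the other for the in-memory copy after an EDR has placed inline jmp hooks on two syscall stubs. The stub bytes, syscall numbers and hook target are assumptions; on a live system the clean copy comes from mapping the DLL from disk, and each restored chunk needs a protection change, which is itself an observable.

```c
/* Added example, not code from the speaker's cisoservice.exe: the logic of a
 * "chunked disk-image restore" simulated on two constructed buffers, one for
 * ntdll's .text as mapped from disk, one for the hooked copy in memory. The
 * bytes are assumed, not real ntdll. On a live system the disk copy comes from
 * mapping the file, and each chunk rewritten needs a protection change (an
 * NtProtectVirtualMemory call per chunk) that a sensor can see. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STUB_LEN 16
#define N_STUBS  4
#define TEXT_LEN (STUB_LEN * N_STUBS)

/* Write one x64 syscall stub: mov r10,rcx ; mov eax,ssn ; syscall ; ret ; int3 pad */
static void make_stub(uint8_t *dst, uint32_t ssn) {
    const uint8_t head[] = { 0x4C, 0x8B, 0xD1, 0xB8 };
    memset(dst, 0xCC, STUB_LEN);
    memcpy(dst, head, sizeof head);
    memcpy(dst + 4, &ssn, 4);           /* little-endian immediate (assumed SSN) */
    dst[8] = 0x0F; dst[9] = 0x05;       /* syscall */
    dst[10] = 0xC3;                     /* ret */
}

/* Build the constructed images: clean "disk" text, and an in-memory copy where
 * stubs 1 and 3 start with an inline hook (jmp rel32 to a fake EDR trampoline). */
void build_images(uint8_t *disk, uint8_t *mem) {
    for (uint32_t i = 0; i < N_STUBS; i++)
        make_stub(disk + i * STUB_LEN, 0x18 + i);
    memcpy(mem, disk, TEXT_LEN);
    const uint8_t hook[] = { 0xE9, 0x11, 0x22, 0x33, 0x44 };   /* assumed rel32 */
    memcpy(mem + 1 * STUB_LEN, hook, sizeof hook);
    memcpy(mem + 3 * STUB_LEN, hook, sizeof hook);
}

/* Detection/triage side: compare memory against the disk image chunk by chunk
 * and report the offsets that differ. Returns the total number of differing
 * chunks; at most max_out offsets are written to out. */
size_t find_hooked(const uint8_t *mem, const uint8_t *disk, size_t len,
                   size_t chunk, size_t *out, size_t max_out) {
    size_t n = 0;
    for (size_t off = 0; off < len; off += chunk) {
        size_t c = (len - off < chunk) ? len - off : chunk;
        if (memcmp(mem + off, disk + off, c) != 0) {
            if (n < max_out) out[n] = off;
            n++;
        }
    }
    return n;
}

/* Restore side: rewrite only the chunks that differ. A real implementation makes
 * each such chunk writable, copies the clean bytes, then restores RX; chunks
 * that already match are never touched, which keeps the write footprint small. */
size_t restore_chunked(uint8_t *mem, const uint8_t *disk, size_t len, size_t chunk) {
    size_t rewritten = 0;
    for (size_t off = 0; off < len; off += chunk) {
        size_t c = (len - off < chunk) ? len - off : chunk;
        if (memcmp(mem + off, disk + off, c) != 0) {
            memcpy(mem + off, disk + off, c);
            rewritten++;
        }
    }
    return rewritten;
}

int main(void) {
    uint8_t disk[TEXT_LEN], mem[TEXT_LEN];
    size_t offs[N_STUBS];
    build_images(disk, mem);
    size_t n = find_hooked(mem, disk, TEXT_LEN, STUB_LEN, offs, N_STUBS);
    for (size_t i = 0; i < n && i < N_STUBS; i++)
        printf("hooked stub at .text+0x%zx\n", offs[i]);
    printf("restored %zu chunk(s), clean=%d\n",
           restore_chunked(mem, disk, TEXT_LEN, STUB_LEN),
           memcmp(mem, disk, TEXT_LEN) == 0);
    return 0;
}
```

The same comparison that drives the restore is the hunt query for it: a periodic diff of a process's mapped ntdll .text against the file on disk flags both the EDR's own hooks (expected, stable) and the moment they disappear (unexpected), and the burst of per-chunk protection changes on ntdll's image is a second, independent signal.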

Every chapter includes actual PoC code, architecture diagrams, failed attempts documented in detail, and explicit detection opportunities for defenders.

About the Speaker

Ananda Krishna SV is a Senior Red Team Engineer at CyberProof, specialising in adversary simulation, EDR evasion, and APT research. His work focuses on Windows internals, post-exploitation tradecraft, and building custom evasive tooling against modern endpoint protection stacks, including MDE, WDAC, and CrowdStrike Falcon.

He has been recognised in the Hall of Fame by NASA and multiple Fortune 500 organisations for responsible disclosure. He is a member of the OWASP Kerala Chapter, Kerala Cyberdome, and MuLearn.

Ananda has spoken at Hacktivity, GrrCON, and AVAR, and is passionate about bridging the gap between advanced offensive research and actionable detection engineering for blue teams.