
EDR Evasion & Gap Matrix — API Hook Coverage (exe capable)

Security-relevant Windows APIs: EDR-hooked tiers + unhooked-but-exec-capable. 5785 unhooked-benign APIs excluded (GUI, CRT, Qt, standard library — no discriminatory detection value).
Generated: 2026-04-06 14:45:19  |  Source: APIDifferentialAnalysis.json (5950 entries)
- 5785 benign APIs excluded
- 144 hooked APIs
- 54 unhooked, exec-capable APIs
- 198 total in matrix
Hook coverage (H rate across all 198 APIs):

| CS | S1 | MDE | CB | EL | XDR | TM |
|----|----|-----|----|----|-----|----|
| 79% | 73% | 58% | 58% | 68% | 58% | 65% |
Legend:

- H = Hooked (JMP trampoline / ETW / kernel callback)
- B = Behavioral only (no direct hook; AI/heuristic may detect)
- \- = Not monitored at API level
- HIGH = Hooked by virtually all EDRs
- MED = Hooked by most EDRs
- LOW = Hooked by some EDRs
- UNHOOKED-EXEC = Exec-capable, NOT hooked at API level
- \* = Not in APIDifferentialAnalysis.json dataset
| API Name | DLL | Tier | Tactic | Description | MalCount | Score | CS | S1 | MDE | CB | EL | XDR | TM |
|----------|-----|------|--------|-------------|----------|-------|----|----|-----|----|----|-----|----|
| amsiinit * | amsi.dll | HIGH | AMSI Bypass | AMSI: initialize scan context | 0 | 0 | H | H | H | B | B | H | H |
| amsiopensession * | amsi.dll | HIGH | AMSI Bypass | AMSI: open scanning session | 0 | 0 | H | H | H | B | B | H | H |
| amsiscanstring * | amsi.dll | HIGH | AMSI Bypass | AMSI: scan string for malware | 0 | 0 | H | H | H | B | B | H | H |
| amsiscanbuffer * | amsi.dll | HIGH | AMSI Bypass | AMSI: scan memory buffer (patched by many loaders) | 0 | 0 | H | H | H | B | B | H | H |
| ntdebugactiveprocess * | ntdll.dll | HIGH | Anti-Debug | Attach debugger to process | 0 | 0 | H | H | H | H | H | H | H |
| ntqueueapcthread * | ntdll.dll | HIGH | APC Injection | Queue APC to target thread (earlybird / APC injection) | 0 | 0 | H | H | H | H | H | H | H |
| getprocaddress | kernel32.dll | HIGH | API Resolution | Resolve export address from loaded module | 2054 | 55 | H | H | H | H | H | H | H |
| ldrgetprocedureaddress | ntdll.dll | HIGH | API Resolution | Resolve export address (loader-level GetProcAddress) | 2 | 100 | H | H | H | H | H | H | H |
| send | ws2_32.dll | MED | C2 Communications | Winsock: send data to remote | 272 | 99 | H | H | H | H | H | H | H |
| recv | ws2_32.dll | MED | C2 Communications | Winsock: receive data from remote | 264 | 99 | H | H | H | H | H | H | H |
| connect | ws2_32.dll | MED | C2 Communications | Winsock: TCP/UDP connect | 262 | 99 | H | H | H | H | H | H | H |
| internetreadfile | wininet.dll | MED | C2 Communications | Read HTTP response body (C2 payload download) | 168 | 99 | H | H | H | H | H | H | H |
| winhttpsendrequest | winhttp.dll | MED | C2 Communications | WinHTTP: send request | 58 | 98 | H | H | H | H | H | H | H |
| winhttpconnect | winhttp.dll | MED | C2 Communications | WinHTTP: connect to server | 56 | 98 | H | H | H | H | H | H | H |
| winhttpopenrequest | winhttp.dll | MED | C2 Communications | WinHTTP: open request handle | 56 | 98 | H | H | H | H | H | H | H |
| httpopenrequestw | wininet.dll | MED | C2 Communications | Open HTTP request handle (Unicode) | 50 | 99 | H | H | H | H | H | H | H |
| internetconnectw | wininet.dll | MED | C2 Communications | Open internet connection (Unicode) | 50 | 99 | H | H | H | H | H | H | H |
| httpsendrequestw | wininet.dll | MED | C2 Communications | Send HTTP request (Unicode) | 46 | 99 | H | H | H | H | H | H | H |
| httpopenrequesta | wininet.dll | MED | C2 Communications | Open HTTP request handle (ANSI) | 30 | 100 | H | H | H | H | H | H | H |
| wsasend | ws2_32.dll | MED | C2 Communications | Winsock: overlapped/async send | 30 | 94 | H | H | H | H | H | H | H |
| internetconnecta | wininet.dll | MED | C2 Communications | Open internet connection (ANSI) | 30 | 100 | H | H | H | H | H | H | H |
| httpsendrequesta | wininet.dll | MED | C2 Communications | Send HTTP request (ANSI) | 28 | 100 | H | H | H | H | H | H | H |
| wsarecv | ws2_32.dll | MED | C2 Communications | Winsock: overlapped/async recv | 28 | 95 | H | H | H | H | H | H | H |
| wsaconnect | ws2_32.dll | MED | C2 Communications | Winsock: connect to remote endpoint | 2 | 99 | H | H | H | H | H | H | H |
| enumsystemlocales | kernel32.dll | UNHOOKED-EXEC | Callback Abuse | Shellcode ptr passed as locale callback (score=100, 103 malicious samples) | 135 | 98 | B | B | - | - | - | - | B |
| enumwindows | user32.dll | UNHOOKED-EXEC | Callback Abuse | Window enumeration callback passes shellcode pointer | 126 | 97 | B | B | - | - | - | - | B |
| enumchildwindows | user32.dll | UNHOOKED-EXEC | Callback Abuse | Child-window enumeration callback abuse | 126 | 98 | B | B | - | - | - | - | B |
| enumthreadwindows | user32.dll | UNHOOKED-EXEC | Callback Abuse | Thread-window enumeration callback abuse | 90 | 99 | B | B | - | - | - | - | B |
| certfindcertificateinstore | crypt32.dll | UNHOOKED-EXEC | Callback Abuse | Certificate-store enumeration callback executes shellcode | 48 | 95 | B | B | - | - | - | - | B |
| enumresourcelanguages | kernel32.dll | UNHOOKED-EXEC | Callback Abuse | Resource-language enumeration callback abuse | 27 | 100 | B | B | - | - | - | - | B |
| enumresourcenames | kernel32.dll | UNHOOKED-EXEC | Callback Abuse | Resource-name enumeration callback abuse | 20 | 100 | B | B | - | - | - | - | B |
| enumsystemlanguagegroups | kernel32.dll | UNHOOKED-EXEC | Callback Abuse | Shellcode ptr passed as locale-enum callback (score=100, 16 malicious samples) | 16 | 100 | B | B | - | - | - | - | B |
| enumresourcetypes | kernel32.dll | UNHOOKED-EXEC | Callback Abuse | Resource-type enumeration callback abuse | 8 | 100 | B | B | - | - | - | - | B |
| enumuilanguages | kernel32.dll | UNHOOKED-EXEC | Callback Abuse | UI-language enumeration callback abuse | 1 | 100 | B | B | - | - | - | - | B |
| imageenumeratecertificates * | imagehlp.dll | UNHOOKED-EXEC | Callback Abuse | PE image certificate enumeration callback abuse | 0 | 0 | B | B | - | - | - | - | B |
| enumdesktopwindows * | user32.dll | UNHOOKED-EXEC | Callback Abuse | Desktop-window enumeration callback abuse | 0 | 0 | B | B | - | - | - | - | B |
| cryptenumoidinfo * | crypt32.dll | UNHOOKED-EXEC | Callback Abuse | Crypto OID enumeration callback abuse | 0 | 0 | B | B | - | - | - | - | B |
| openclipboard | user32.dll | LOW | Clipboard / Screenshot | Open clipboard for read/write (data theft) | 204 | 94 | H | B | B | B | B | B | B |
| stretchblt | gdi32.dll | LOW | Clipboard / Screenshot | Stretch/scale bitmap (screen capture) | 144 | 97 | H | B | B | B | B | B | B |
| bitblt | gdi32.dll | LOW | Clipboard / Screenshot | Bit-block transfer (GDI screen capture) | 138 | 96 | H | B | B | B | B | B | B |
| getclipboarddata | user32.dll | LOW | Clipboard / Screenshot | Read clipboard contents (credential theft) | 72 | 98 | H | B | B | B | B | B | B |
| setclipboarddata | user32.dll | LOW | Clipboard / Screenshot | Write to clipboard (clipboard hijack / crypto address swap) | 71 | 95 | H | B | B | B | B | B | B |
| _cordllmain | mscoree.dll | UNHOOKED-EXEC | COM / CLR Hosting | CLR DLL entry point | 30 | 100 | B | B | H | B | B | B | B |
| clrcreateinstance | mscoree.dll | UNHOOKED-EXEC | COM / CLR Hosting | Create CLR instance for in-process .NET hosting | 2 | 100 | B | B | H | B | B | B | B |
| corexemain * | mscoree.dll | UNHOOKED-EXEC | COM / CLR Hosting | CLR EXE entry point | 0 | 0 | B | B | H | B | B | B | B |
| iclrmetahost * | mscoree.dll | UNHOOKED-EXEC | COM / CLR Hosting | Host .NET CLR in native process (SharpPick, execute-assembly) | 0 | 0 | B | B | H | B | B | B | B |
| idispatch_invoke * | ole32.dll | UNHOOKED-EXEC | COM / CLR Hosting | IDispatch::Invoke -- execute via COM automation (VBScript, JScript engines) | 0 | 0 | B | B | H | B | B | B | B |
| cocreateinstance | ole32.dll | MED | COM Execution | Instantiate COM object (fileless execution via COM) | 312 | 89 | H | H | B | B | B | H | B |
| coinitializeex | ole32.dll | MED | COM Execution | Initialize COM apartment model | 114 | 92 | H | H | B | B | B | H | B |
| credwritew * | advapi32.dll | MED | Credential Access | Write credential to vault (Unicode) | 0 | 0 | H | H | H | H | H | H | H |
| credreadw * | advapi32.dll | MED | Credential Access | Read stored Windows credential (Unicode) | 0 | 0 | H | H | H | H | H | H | H |
| credwritea * | advapi32.dll | MED | Credential Access | Write credential to vault (ANSI) | 0 | 0 | H | H | H | H | H | H | H |
| credreada * | advapi32.dll | MED | Credential Access | Read stored Windows credential (ANSI) | 0 | 0 | H | H | H | H | H | H | H |
| lsaopenpolicy | advapi32.dll | MED | Credential Dumping | Open LSA policy (Mimikatz, Kerberoast) | 36 | 99 | H | H | H | H | H | H | H |
| minidumpwritedump | dbghelp.dll | MED | Credential Dumping | Write process minidump -- used for LSASS credential dump | 18 | 99 | H | H | H | H | H | H | H |
| samopensamserver * | samlib.dll | MED | Credential Dumping | Open SAM server for NTLM hash extraction | 0 | 0 | H | H | H | H | H | H | H |
| samopenpassword * | samlib.dll | MED | Credential Dumping | Open SAM password object | 0 | 0 | H | H | H | H | H | H | H |
| logonusera | advapi32.dll | MED | Credential Use | Log on user with supplied credentials (ANSI) | 35 | 99 | H | H | H | H | H | H | H |
| logonuserw | advapi32.dll | MED | Credential Use | Log on user with supplied credentials (Unicode) | 35 | 99 | H | H | H | H | H | H | H |
| ntterminateprocess | ntdll.dll | HIGH | Defense Evasion | Terminate process (kill AV/EDR) | 26 | 100 | H | H | H | H | H | H | H |
| ntterminatethread * | ntdll.dll | HIGH | Defense Evasion | Terminate thread | 0 | 0 | H | H | H | H | H | H | H |
| createthread | kernel32.dll | UNHOOKED-EXEC | Direct Thread | CreateThread local -- some EDRs only instrument CreateRemoteThread | 862 | 71 | H | H | H | H | H | H | H |
| rtlcreatethread * | ntdll.dll | UNHOOKED-EXEC | Direct Thread | Rtl helper for thread creation -- sometimes bypasses CreateRemoteThread hook | 0 | 0 | H | H | H | H | H | H | H |
| loadlibrarya | kernel32.dll | HIGH | DLL Injection | Load DLL by path name (ANSI) | 604 | 78 | H | H | H | H | H | H | H |
| loadlibraryexw | kernel32.dll | HIGH | DLL Injection | Load DLL with flags (Unicode) | 519 | 70 | H | H | H | H | H | H | H |
| loadlibraryw | kernel32.dll | HIGH | DLL Injection | Load DLL by path name (Unicode) | 402 | 73 | H | H | H | H | H | H | H |
| loadlibraryexa | kernel32.dll | HIGH | DLL Injection | Load DLL with flags (ANSI) | 69 | 87 | H | H | H | H | H | H | H |
| ldrloaddll | ntdll.dll | HIGH | DLL Injection | Loader-level DLL load (used in manual mapping) | 2 | 100 | H | H | H | H | H | H | H |
| ntloaddll * | ntdll.dll | HIGH | DLL Injection | Load DLL into process address space | 0 | 0 | H | H | H | H | H | H | H |
| ldrunloaddll * | ntdll.dll | HIGH | DLL Injection | Unload DLL via loader | 0 | 0 | H | H | H | H | H | H | H |
| setdlldirectoryw | kernel32.dll | UNHOOKED-EXEC | DLL Load Indirect | Override DLL search directory for sideloading | 11 | 97 | B | B | - | - | - | - | - |
| loadpackagedlibrary * | kernel32.dll | UNHOOKED-EXEC | DLL Load Indirect | Load DLL from app package (often unmonitored LoadLibrary path) | 0 | 0 | B | B | - | - | - | - | - |
| adddlldirectory * | kernel32.dll | UNHOOKED-EXEC | DLL Load Indirect | Add DLL search directory (DLL search order hijack) | 0 | 0 | B | B | - | - | - | - | - |
| getaddrinfo | ws2_32.dll | MED | DNS Resolution | Resolve hostname (C2 beacon target) | 75 | 98 | H | H | H | H | H | H | H |
| getaddressinfo * | ws2_32.dll | MED | DNS Resolution | Resolve hostname (modern getaddrinfo variant) | 0 | 0 | H | H | H | H | H | H | H |
| switchtofiber | kernel32.dll | UNHOOKED-EXEC | Fiber Execution | Switch execution to attacker fiber (no new thread, no hook) | 30 | 98 | B | B | - | - | B | - | - |
| convertthreadtofiber | kernel32.dll | UNHOOKED-EXEC | Fiber Execution | Convert calling thread to fiber (fiber exec setup) | 22 | 99 | B | B | - | - | B | - | - |
| createfiber | kernel32.dll | UNHOOKED-EXEC | Fiber Execution | Create fiber pointed at shellcode; executes in-thread without CreateThread hook | 20 | 99 | B | B | - | - | B | - | - |
| writefile | kernel32.dll | LOW | File Operations | Write to file/device (ransomware encrypt) | 1664 | 66 | H | H | B | H | H | B | H |
| readfile | kernel32.dll | LOW | File Operations | Read from file/device | 1052 | 73 | H | H | B | H | H | B | H |
| createfilew | kernel32.dll | LOW | File Operations | Create/open file handle (Unicode) | 631 | 71 | H | H | B | H | H | B | H |
| createfilea | kernel32.dll | LOW | File Operations | Create/open file handle (ANSI) | 359 | 82 | H | H | B | H | H | B | H |
| deletefilew | kernel32.dll | LOW | File Operations | Delete file (Unicode) | 212 | 81 | H | H | B | H | H | B | H |
| deletefilea | kernel32.dll | LOW | File Operations | Delete file (ANSI) -- ransomware shadow deletion | 190 | 91 | H | H | B | H | H | B | H |
| copyfile | kernel32.dll | LOW | File Operations | Copy file (exfil staging) | 171 | 98 | H | H | B | H | H | B | H |
| setfileattributesw | kernel32.dll | LOW | File Operations | Set file attributes (Unicode) | 121 | 87 | H | H | B | H | H | B | H |
| setfileattributesa | kernel32.dll | LOW | File Operations | Set file attributes (ANSI) | 73 | 99 | H | H | B | H | H | B | H |
| movefilew | kernel32.dll | LOW | File Operations | Move/rename file (Unicode) | 73 | 91 | H | H | B | H | H | B | H |
| movefilea | kernel32.dll | LOW | File Operations | Move/rename file (ANSI) | 33 | 98 | H | H | B | H | H | B | H |
| copyfileex | kernel32.dll | LOW | File Operations | Copy file with progress callback | 32 | 100 | H | H | B | H | H | B | H |
| ntcreatefile | ntdll.dll | LOW | File Operations | NT: create/open file object (syscall path) | 8 | 99 | H | H | B | H | H | B | H |
| ntwritefile | ntdll.dll | LOW | File Operations | NT: write file via syscall | 6 | 99 | H | H | B | H | H | B | H |
| ntreadfile | ntdll.dll | LOW | File Operations | NT: read file via syscall | 4 | 99 | H | H | B | H | H | B | H |
| ntdeletefile * | ntdll.dll | LOW | File Operations | NT: delete file via syscall | 0 | 0 | H | H | B | H | H | B | H |
| mapviewoffile | kernel32.dll | UNHOOKED-EXEC | File-Backed Mapping | Map section into process -- executable pages without VirtualAlloc | 248 | 86 | H | H | - | H | H | H | H |
| createfilemapping | kernel32.dll | UNHOOKED-EXEC | File-Backed Mapping | Create file-backed section object (module stomping) | 152 | 94 | H | H | - | H | H | H | H |
| mapviewoffileex | kernel32.dll | UNHOOKED-EXEC | File-Backed Mapping | Map section at specified base address | 2 | 97 | H | H | - | H | H | H | H |
| heapalloc | kernel32.dll | UNHOOKED-EXEC | Heap Staging | Allocate from heap (not VirtualAlloc -- often unhooked) | 1420 | 77 | - | - | - | - | - | - | - |
| heapcreate | kernel32.dll | UNHOOKED-EXEC | Heap Staging | Create private heap for shellcode staging (avoids VirtualAlloc hook) | 476 | 90 | - | - | - | - | - | - | - |
| localalloc | kernel32.dll | UNHOOKED-EXEC | Heap Staging | Local heap allocation for shellcode staging | 446 | 89 | - | - | - | - | - | - | - |
| globalalloc | kernel32.dll | UNHOOKED-EXEC | Heap Staging | Global heap allocation for shellcode staging | 354 | 91 | - | - | - | - | - | - | - |
| unhookwindowshookex | user32.dll | MED | Keylogging | Remove installed hook | 82 | 97 | H | H | H | B | B | H | H |
| setwindowshookexw | user32.dll | MED | Keylogging | Install keyboard/mouse hook for credential capture (Unicode) | 25 | 98 | H | H | H | B | B | H | H |
| setwindowshookexa | user32.dll | MED | Keylogging | Install keyboard/mouse hook for credential capture (ANSI) | 17 | 99 | H | H | H | B | B | H | H |
| readprocessmemory | kernel32.dll | HIGH | Memory Access | Read from remote process memory | 162 | 95 | H | H | H | H | H | H | H |
| ntreadvirtualmemory | ntdll.dll | HIGH | Memory Access | Read virtual memory from target process | 2 | 100 | H | H | H | H | H | H | H |
| virtualqueryex | kernel32.dll | MED | Memory Enumeration | Query virtual memory in remote process | 72 | 96 | H | H | H | H | H | H | H |
| ntqueryvirtualmemory * | ntdll.dll | MED | Memory Enumeration | Query virtual memory regions (EDR detection avoidance) | 0 | 0 | H | H | H | H | H | H | H |
| virtualalloc | kernel32.dll | HIGH | Memory Injection | Allocate virtual memory (kernel32 thunk over NtAllocate) | 1006 | 80 | H | H | H | H | H | H | H |
| virtualprotect | kernel32.dll | HIGH | Memory Injection | Change memory page protection | 648 | 84 | H | H | H | H | H | H | H |
| writeprocessmemory | kernel32.dll | HIGH | Memory Injection | Write to remote process memory | 224 | 97 | H | H | H | H | H | H | H |
| virtualallocex | kernel32.dll | HIGH | Memory Injection | Allocate in remote process address space | 202 | 95 | H | H | H | H | H | H | H |
| virtualprotectex | kernel32.dll | HIGH | Memory Injection | Change page protection in remote process | 50 | 97 | H | H | H | H | H | H | H |
| ntallocatevirtualmemory | ntdll.dll | HIGH | Memory Injection | Allocate virtual memory in target process | 4 | 100 | H | H | H | H | H | H | H |
| ntwritevirtualmemory | ntdll.dll | HIGH | Memory Injection | Write to virtual memory of target process | 2 | 100 | H | H | H | H | H | H | H |
| ntallocatevirtualmemoryex * | ntdll.dll | HIGH | Memory Injection | Extended VirtualAlloc via NtAllocateVirtualMemoryEx (Win10 1803+) | 0 | 0 | H | H | H | H | H | H | H |
| ntprotectvirtualmemory * | ntdll.dll | HIGH | Memory Injection | Change page protection (set RWX for shellcode) | 0 | 0 | H | H | H | H | H | H | H |
| rtlzeromemory * | ntdll.dll | UNHOOKED-EXEC | Memory Primitives | Zero memory (wipe payload evidence) | 0 | 0 | - | - | - | - | - | - | - |
| rtlfilltilememory * | ntdll.dll | UNHOOKED-EXEC | Memory Primitives | Fill memory tiles (evasive copy pattern) | 0 | 0 | - | - | - | - | - | - | - |
| rtlmovememory * | ntdll.dll | UNHOOKED-EXEC | Memory Primitives | Copy shellcode bytes -- bypasses WriteProcessMemory hook | 0 | 0 | - | - | - | - | - | - | - |
| rtlcopymemory * | ntdll.dll | UNHOOKED-EXEC | Memory Primitives | memcpy alias used to stage shellcode | 0 | 0 | - | - | - | - | - | - | - |
| connectnamedpipe | kernel32.dll | LOW | Named Pipe / IPC | Wait for named pipe client connection | 60 | 90 | H | H | B | B | H | B | B |
| createnamedpipea | kernel32.dll | LOW | Named Pipe / IPC | Create named pipe (ANSI) -- lateral movement / token theft | 24 | 96 | H | H | B | B | H | B | B |
| createnamedpipew | kernel32.dll | LOW | Named Pipe / IPC | Create named pipe (Unicode) | 17 | 91 | H | H | B | B | H | B | B |
| ntcreatemailslotfile * | ntdll.dll | LOW | Named Pipe / IPC | NT: create mailslot (IPC) | 0 | 0 | H | H | B | B | H | B | B |
| ntcreatenamedpipefile * | ntdll.dll | LOW | Named Pipe / IPC | NT: create named pipe via syscall | 0 | 0 | H | H | B | B | H | B | B |
| adjusttokenprivileges | advapi32.dll | MED | Privilege Escalation | Enable/disable token privileges (SeDebugPrivilege) | 284 | 92 | H | H | H | H | H | H | H |
| createtoken * | ntdll.dll | MED | Privilege Escalation | Create a new access token | 0 | 0 | H | H | H | H | H | H | H |
| ntadjustprivilegestoken * | ntdll.dll | MED | Privilege Escalation | NT: adjust token privileges directly | 0 | 0 | H | H | H | H | H | H | H |
| openprocess | kernel32.dll | HIGH | Process Access | Open handle to target process | 400 | 85 | H | H | H | H | H | H | H |
| ntopenprocess * | ntdll.dll | HIGH | Process Access | Open handle to target process | 0 | 0 | H | H | H | H | H | H | H |
| ntcreateuserprocess * | ntdll.dll | MED | Process Creation | NT: create user process (modern Vista+ path) | 0 | 0 | H | H | H | H | H | H | H |
| ntcreateprocess * | ntdll.dll | MED | Process Creation | NT: create process (legacy syscall) | 0 | 0 | H | H | H | H | H | H | H |
| ntcreateprocessex * | ntdll.dll | MED | Process Creation | NT: create process (extended, pre-Vista path) | 0 | 0 | H | H | H | H | H | H | H |
| createprocessw | kernel32.dll | HIGH | Process Creation | Create new process (Unicode) | 182 | 81 | H | H | H | H | H | H | H |
| createprocessa | kernel32.dll | HIGH | Process Creation | Create new process (ANSI) | 163 | 94 | H | H | H | H | H | H | H |
| createprocesswithlogonw | advapi32.dll | HIGH | Process Creation | Spawn process with alternate credentials | 55 | 100 | H | H | H | H | H | H | H |
| createprocessasuserw | advapi32.dll | HIGH | Process Creation | Spawn process as different user | 52 | 96 | H | H | H | H | H | H | H |
| createprocesswithtoken | advapi32.dll | HIGH | Process Creation | Spawn process with stolen token | 6 | 100 | H | H | H | H | H | H | H |
| createtoolhelp32snapshot | kernel32.dll | LOW | Process Enumeration | Snapshot process/thread/module list (initial recon) | 266 | 93 | H | H | B | B | H | B | B |
| process32next | kernel32.dll | LOW | Process Enumeration | Iterate process snapshot | 149 | 98 | H | H | B | B | H | B | B |
| process32first | kernel32.dll | LOW | Process Enumeration | First entry from process snapshot | 144 | 98 | H | H | B | B | H | B | B |
| module32first | kernel32.dll | LOW | Process Enumeration | First loaded module entry (find ntdll base for syscalls) | 35 | 99 | H | H | B | B | H | B | B |
| ntqueryinformationprocess | ntdll.dll | LOW | Process Enumeration | Query per-process info (read PEB, check debugger) | 34 | 98 | H | H | B | B | H | B | B |
| ntquerysysteminformation | ntdll.dll | LOW | Process Enumeration | Query system-wide info (running process list for EDR scanning) | 28 | 99 | H | H | B | B | H | B | B |
| module32next | kernel32.dll | LOW | Process Enumeration | Iterate loaded modules | 21 | 99 | H | H | B | B | H | B | B |
| thread32next | kernel32.dll | LOW | Process Enumeration | Iterate thread snapshot | 14 | 99 | H | H | B | B | H | B | B |
| thread32first | kernel32.dll | LOW | Process Enumeration | First entry from thread snapshot | 12 | 99 | H | H | B | B | H | B | B |
| ntqueryinformationthread | ntdll.dll | LOW | Process Enumeration | Query per-thread info | 2 | 99 | H | H | B | B | H | B | B |
| ntunmapviewofsection | ntdll.dll | HIGH | Process Hollowing | Unmap section from process (hollowing setup) | 4 | 100 | H | H | H | H | H | H | H |
| rtlcreateprocessparametersex * | ntdll.dll | HIGH | Process Hollowing | Build process parameters block (hollowing / ghosting) | 0 | 0 | H | H | H | H | H | H | H |
| regsetvalueexa | advapi32.dll | MED | Registry Persistence | Set registry value (ANSI) | 119 | 96 | H | H | H | H | H | H | H |
| regsetvalueexw | advapi32.dll | MED | Registry Persistence | Set registry value (Unicode) | 109 | 91 | H | H | H | H | H | H | H |
| regcreatekeyexw | advapi32.dll | MED | Registry Persistence | Create registry key extended (Unicode) | 84 | 91 | H | H | H | H | H | H | H |
| regcreatekeyexa | advapi32.dll | MED | Registry Persistence | Create registry key extended (ANSI) | 82 | 97 | H | H | H | H | H | H | H |
| regdeletevaluew | advapi32.dll | MED | Registry Persistence | Delete registry value (Unicode) | 75 | 93 | H | H | H | H | H | H | H |
| regdeletevaluea | advapi32.dll | MED | Registry Persistence | Delete registry value (ANSI) | 65 | 98 | H | H | H | H | H | H | H |
| regcreatekeyw | advapi32.dll | MED | Registry Persistence | Create registry key (Unicode) | 17 | 99 | H | H | H | H | H | H | H |
| regcreatekeya | advapi32.dll | MED | Registry Persistence | Create registry key (ANSI) | 9 | 99 | H | H | H | H | H | H | H |
| ntcreatesection | ntdll.dll | HIGH | Section Injection | Create shared memory section object | 6 | 100 | H | H | H | H | H | H | H |
| ntmapviewofsection | ntdll.dll | HIGH | Section Injection | Map shared section into target process | 6 | 100 | H | H | H | H | H | H | H |
| ntmapviewofsectionex * | ntdll.dll | HIGH | Section Injection | Extended section mapping (Win10 1803+) | 0 | 0 | H | H | H | H | H | H | H |
| openservicew | advapi32.dll | MED | Service Persistence | Open handle to existing service (Unicode) | 39 | 96 | H | H | H | B | H | H | H |
| createservicew | advapi32.dll | MED | Service Persistence | Create new Windows service for persistence (Unicode) | 34 | 97 | H | H | H | B | H | H | H |
| openservicea | advapi32.dll | MED | Service Persistence | Open handle to existing service (ANSI) | 21 | 98 | H | H | H | B | H | H | H |
| createservicea | advapi32.dll | MED | Service Persistence | Create new Windows service for persistence (ANSI) | 15 | 99 | H | H | H | B | H | H | H |
| changeserviceconfiga | advapi32.dll | MED | Service Persistence | Modify service binary path (ANSI) | 13 | 98 | H | H | H | B | H | H | H |
| changeserviceconfigw | advapi32.dll | MED | Service Persistence | Modify service binary path (Unicode) | 13 | 98 | H | H | H | B | H | H | H |
| ntopenthread * | ntdll.dll | HIGH | Thread Access | Open handle to target thread | 0 | 0 | H | H | H | H | H | H | H |
| getthreadcontext | kernel32.dll | MED | Thread Hijacking | Get thread registers (hollowing / hijacking setup) | 244 | 87 | H | H | H | H | H | H | H |
| setthreadcontext | kernel32.dll | MED | Thread Hijacking | Set thread context -- redirect instruction pointer | 228 | 93 | H | H | H | H | H | H | H |
| ntsetcontextthread | ntdll.dll | HIGH | Thread Hijacking | Set thread context (redirect RIP/EIP to shellcode) | 2 | 100 | H | H | H | H | H | H | H |
| ntresumethread | ntdll.dll | HIGH | Thread Hijacking | Resume thread after injection | 2 | 100 | H | H | H | H | H | H | H |
| ntsuspendthread * | ntdll.dll | HIGH | Thread Hijacking | Suspend thread for injection or hijack | 0 | 0 | H | H | H | H | H | H | H |
| createremotethread | kernel32.dll | HIGH | Thread Injection | Create execution thread in remote process | 92 | 95 | H | H | H | H | H | H | H |
| rtlcreateuserthread | ntdll.dll | HIGH | Thread Injection | Create remote thread via Rtl helper | 24 | 100 | H | H | H | H | H | H | H |
| createremotethreadex | kernel32.dll | HIGH | Thread Injection | Create remote thread with extended attributes | 2 | 100 | H | H | H | H | H | H | H |
| ntcreatethreadex * | ntdll.dll | HIGH | Thread Injection | Create thread in target process (primary syscall) | 0 | 0 | H | H | H | H | H | H | H |
| ntcreatethread * | ntdll.dll | HIGH | Thread Injection | Create thread (legacy pre-Vista syscall) | 0 | 0 | H | H | H | H | H | H | H |
| createthreadpoolwork | kernel32.dll | UNHOOKED-EXEC | Thread Pool | Create thread pool work item with shellcode callback | 26 | 99 | H | B | - | - | B | B | B |
| submitthreadpoolwork | kernel32.dll | UNHOOKED-EXEC | Thread Pool | Submit pool work item (trigger shellcode execution) | 26 | 99 | H | B | - | - | B | B | B |
| queueuserworkitem | kernel32.dll | UNHOOKED-EXEC | Thread Pool | Queue shellcode callback to thread pool -- avoids CreateRemoteThread | 10 | 99 | H | B | - | - | B | B | B |
| createthreadpoolwait | kernel32.dll | UNHOOKED-EXEC | Thread Pool | Pool wait object with shellcode callback on signal | 2 | 100 | H | B | - | - | B | B | B |
| setthreadpoolwait | kernel32.dll | UNHOOKED-EXEC | Thread Pool | Arm pool wait object (triggers shellcode) | 2 | 100 | H | B | - | - | B | B | B |
| setthreadpooltimer * | kernel32.dll | UNHOOKED-EXEC | Thread Pool | Arm pool timer to trigger shellcode callback | 0 | 0 | H | B | - | - | B | B | B |
| createthreadpooltimer * | kernel32.dll | UNHOOKED-EXEC | Thread Pool | Pool timer with shellcode callback; fires on schedule | 0 | 0 | H | B | - | - | B | B | B |
| settimer | user32.dll | UNHOOKED-EXEC | Timer Callbacks | Win32 timer with WndProc callback (runs in message loop, no new thread) | 206 | 92 | B | B | - | - | - | - | - |
| setwaitabletimer | kernel32.dll | UNHOOKED-EXEC | Timer Callbacks | Set waitable timer with APC callback pointing at shellcode | 172 | 91 | B | B | - | - | - | - | - |
| createtimerqueuetimer | kernel32.dll | UNHOOKED-EXEC | Timer Callbacks | Timer queue callback executes shellcode when fired | 50 | 99 | B | B | - | - | - | - | - |
| createwaitabletimer | kernel32.dll | UNHOOKED-EXEC | Timer Callbacks | Kernel waitable timer object | 19 | 99 | B | B | - | - | - | - | - |
| rtlregisterwait * | ntdll.dll | UNHOOKED-EXEC | Timer Callbacks | NT wait registration with callback (no CreateThread) | 0 | 0 | B | B | - | - | - | - | - |
| duplicatetokenex | advapi32.dll | MED | Token Impersonation | Duplicate token with new impersonation level | 118 | 98 | H | H | H | H | H | H | H |
| impersonateloggedonuser | advapi32.dll | MED | Token Impersonation | Impersonate a logged-on user token | 38 | 98 | H | H | H | H | H | H | H |
| dispatchmessage | user32.dll | UNHOOKED-EXEC | Window Proc / Message | Dispatch message to window procedure | 193 | 96 | B | - | - | - | - | - | - |
| sendmessage | user32.dll | UNHOOKED-EXEC | Window Proc / Message | Synchronous message dispatch through WndProc | 171 | 97 | B | - | - | - | - | - | - |
| postmessage | user32.dll | UNHOOKED-EXEC | Window Proc / Message | Async message dispatch through WndProc | 129 | 98 | B | - | - | - | - | - | - |
| callwindowproc | user32.dll | UNHOOKED-EXEC | Window Proc / Message | Execute via window procedure pointer -- shellcode masquerades as WndProc | 125 | 98 | B | - | - | - | - | - | - |
| iwbemservices_execquery * | wbemdisp.dll | UNHOOKED-EXEC | WMI / DCOM | IWbemServices::ExecQuery -- fileless WMI-based lateral movement / exec | 0 | 0 | H | H | H | B | B | H | H |