Stealth Syscall Execution: Bypassing ETW, Sysmon, and EDR Detection
- Apr 10, 2025
- 6 min read
Updated: 1 day ago
Stealth Syscalls: Because Life's Too Short to Argue with an Angry EDR!
Introduction to Stealth Syscalls
System calls (syscalls) serve as the bridge between user-mode processes and the Windows kernel. They facilitate crucial tasks such as memory management, file operations, and process creation. Security tools like Event Tracing for Windows (ETW), Sysmon, and debuggers such as x64dbg and WinDbg actively monitor these interactions to detect malicious or anomalous syscall execution.
The Problem: How Security Tools Detect Syscalls
When a syscall is executed, security products like EDR can:
Trace the call stack to see which function invoked it.
Monitor ETW events that log direct system call invocations.
Hook into syscalls to block or detect unauthorized behavior.
The Solution: Stealth Syscall Execution Techniques
Attackers often use stealth syscall execution techniques to evade detection.
The cyber espionage group APT41 has been observed utilizing call stack spoofing techniques to conceal their malicious activities. In an analysis, malware associated with APT41 constructed a fake call stack to mimic legitimate operations, thus evading Endpoint Detection and Response (EDR) systems.
Some malware variants disable ETW by patching functions like EtwEventWrite, effectively preventing logging of events that could lead to detection. This technique has been documented repeatedly.
Adversaries hook Event Tracing for Windows (ETW) and Sysmon APIs to evade detection, preventing syscall logging altogether. Such tactics fall under the MITRE ATT&CK technique T1562.001: Impair Defenses: Disable or Modify Tools.
Case Study: Lumma Stealer
This investigation shows how malware like Lumma Stealer utilizes direct syscalls to perform malicious tasks, all while avoiding detection from traditional security measures.
In this comprehensive deep dive, we’ll analyze normal vs. stealthy syscall execution, delve into detection mechanisms, and explore advanced evasion techniques.
Understanding Call Stack Tracing and Its Importance
A call stack tracks function calls leading to a specific syscall. In cybersecurity, analyzing call stacks is vital for effective threat detection and forensic analysis. Security tools utilize call stack tracing to identify:
Identifying the calling function: This determines which function triggered the syscall, whether from a legitimate Windows API function from ntdll.dll or potentially malicious shellcode.
Detecting suspicious origins: This assesses if the syscall originated from unusual or suspicious sources, indicating malicious activity.
Validating normal behavior: Comparing the observed call stack against expected patterns of typical Windows operations helps pinpoint anomalies indicative of compromise or exploitation attempts.
How Security Tools Use Call Stack For Tracing
Understanding stealth syscall execution involves knowing how security tools analyze syscall behavior to create effective detections. The typical points of interest include:
Sysmon & ETW monitor stacks to identify suspicious execution patterns.
Debuggers like x64dbg display the call stack while stepping through syscalls.
EDR solutions use AI models to detect anomalies in syscall execution.
Normal vs. Suspicious Stack Trace: Key Differences
Execution Type | Call Stack Behavior | Detection Risk |
|---|---|---|
Legitimate | kernel32.dll → ntdll.dll → syscall | Low |
Suspicious | unknown memory → ntdll.dll → syscall | Medium |
Malicious | shellcode region → syscall | High |
If a function is missing from the stack or originates from an unknown memory region, it raises red flags!
Normal Syscall Workflow (Easily Detectable)
Code: Standard Syscall Execution
Detection Results: How Security Tools Catch Normal Syscalls
Security Method | Can Detect? | Notes |
|---|---|---|
ETW (Event Tracing for Windows) | Yes | Direct syscall logging |
Sysmon (Event ID 10) | Yes | Raw syscall monitoring |
x64dbg (Debugger) | Yes | Call stack trace shows syscall made |
Advanced Stealth Code Execution
Key Enhancements In Our Stealth Code
Heap-based Encrypted Syscalls
Hardware Breakpoint Spoofing
Syscall Obfuscation with Runtime Encryption
True Stack Spoofing via VEH (Vectored Exception Handling)
Stealthy ETW Logging Disablement
These advanced techniques together ensure minimal visibility from security products, making analysis and detection particularly challenging!
Code: Advanced Stealth Execution
Breaking Down the Bypass Techniques: Advanced Stealth Execution Techniques
In modern cybersecurity, stealth execution is critical for evading detection by advanced security measures such as Endpoint Detection and Response (EDR), Antivirus Engines, and dynamic analysis systems. This section analyzes each stealth technique implemented, including relevant code snippets and descriptions.
1. Heap-based Encrypted Indirect Syscalls
Objective:
Execute Windows system calls indirectly via dynamically allocated heap memory, avoiding direct calls to ntdll.dll. This enhances stealth and evasion, reducing detection by security tools that monitor direct interactions.
Key Benefits:
System calls are dynamically resolved at runtime, complicating detection and analysis.
RWX heap allocations obfuscate executable memory.
Adapts to runtime conditions, optimizing performance.
Reference Code Snippet:
Below is a summary of the key steps in the implementation:
Step | Action Taken | Reason |
|---|---|---|
1 | Resolve syscall dynamically at runtime. | Avoid static syscall detection. |
2 | Encrypt syscall stub using XOR cipher. | Prevent memory scanners. |
3 | Allocate executable memory on heap. | Avoid standard DLL execution. |
4 | Decrypt stub just before execution. | Ensure runtime stealth execution. |
2. Hardware Breakpoint Spoofing
Objective:
Clear debug registers Dr0 through Dr7 to evade detection by hardware breakpoint-based debuggers.
Key Benefits:
Avoid detection by advanced debuggers.
Makes it harder for attackers to understand program workings.
Reference Code Snippet:
This method removes pre-set breakpoints, complicating analysis and protecting software integrity.
3. Syscall Obfuscation with Runtime Encryption
Objective:
Implement robust encryption and obfuscation strategies for syscalls within software applications.
Key Benefits:
Encrypting syscalls renders static analysis tools ineffective.
Memory scanners become less effective against encrypted syscalls.
Reference Code Snippet:
Encrypt syscall stubs using XOR at compile-time or runtime.
Decrypt just before execution.
4. True Stack Spoofing via VEH
Objective:
Obscure the call stack using a Vectored Exception Handler (VEH).
Key Benefits:
Prevents accurate stack unwinding, complicating analysis.
Thwarts debugging by misleading the call stack.
Reference VEH Handler Code Snippet:
Key steps in this method include intercepting exceptions and modifying the call stack to redirect execution.
5. Stealthy ETW Logging Disablement
Objective:
Patch the NtTraceEvent function to disable Event Tracing for Windows (ETW).
Key Benefits:
Prevents system-wide logging of suspicious activities.
Reduces exposure to security audits or real-time monitoring.
ETW Patch Code:
Final Thoughts on Stealth Approach
The techniques we discussed increase stealth significantly. Each contributes complexity for defenders, creating a robust, evasive payload. Understanding Windows internals is critical for implementing these techniques effectively. This knowledge empowers security professionals to better detect and defend against advanced threats.
What's Next?
Deeper Dive into Advanced Shellcode Execution Techniques
Understanding these technical techniques is crucial for mastering Red Team Operations. We will explore essential concepts that strengthen your red team engagements.
Explaining Key Concepts
Let's break down each advanced technique used in our shellcode injector.
1. Direct Syscall Execution from Heap Memory
What Is Direct Syscall Execution?
Modern security products monitor standard Windows API calls. By directly calling syscalls instead of user-mode APIs, attackers can bypass user-mode hooks placed by EDRs and AV solutions.
2. Disabling ETW Logging (Event Tracing for Windows)
ETW is a powerful logging mechanism in Windows OS. Disabling ETW prevents defenders from capturing malicious actions, enhancing stealth.
3. Hardware Breakpoint Clearing
Hardware breakpoints pause execution at specific locations. Clearing these breakpoints ensures no debugger intercepts your execution flow.
4. True Stack Spoofing via VEH (Vectored Exception Handler)
This technique obscures your function call stack to prevent effective memory inspection by defensive products.
Importance of Advanced Techniques in a Red Team Engagement
Red team exercises require stealthy techniques to simulate advanced persistent threats effectively. These methods help assess organizational defenses and improve security posture.
Shellcode Executor Code: Bringing It All Together
Executing the Shellcode
After successful compilation, run the executable by specifying the shellcode file as an argument. This will load the provided shellcode and execute the payload, creating a session within your Command & Control (C2) infrastructure.
Stealth: An Ever-Evolving Battle in Cybersecurity
It’s critical to remember that no stealth technique remains undetectable indefinitely. Security solutions proactively evolve. Techniques that work today may be detectable tomorrow.
The methods we've explored, while powerful, are subject to constant revision. Community contributions and feedback can help enhance cybersecurity defenses. Please comment below with any insights. Stay tuned for our exploration of new stealth techniques in future blogs!
References
Register for instructor-led online courses today!
Â
Check out our self-paced learning paths!
Â
Explore our bundled Pricing & Plans for cost-effective options! Buy a course subscription to learn more, hands-on labs and expert-led training included. https://www.darkrelay.com/plans-pricing
Â
Contact us for custom pentesting needs at: info@darkrelay.com or WhatsApp.
Â