Direct syscall hmm no

Direct syscall

Indirect Syscalls

Custom callstack

Different approch

https://winternl.com/detecting-manual-syscalls-from-user-mode/

https://fool.ish.wtf/2022/11/detecting-indirect-syscalls.html

https://www.crow.rip/crows-nest/mal/dev/inject/syscalls/indirect-syscalls

https://jsecurity101.medium.com/understanding-telemetry-kernel-callbacks-1a97cfcb8fb3

https://www.countercraftsec.com/blog/detecting-malicious-artifacts-using-an-etw-consumer-in-kernel-mode/

https://winternl.com/detecting-manual-syscalls-from-user-mode/

https://www.youtube.com/watch?v=Le5GHLthnlc

https://github.com/thefLink/Hunt-Weird-Syscalls/tree/main

https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/

https://jsecurity101.medium.com/understanding-telemetry-kernel-callbacks-1a97cfcb8fb3

https://github.com/microsoft/krabsetw/tree/master

https://0xdarkvortex.dev/hiding-in-plainsight

Ressources

https://discord.gg/U23CTVJnuS

deck

By 0xkylm

Made with Slides.com

deck

  • 128

More from 0xkylm