Using syscalls to bypass User-land EDR hooks
Common Information
Type Value
UUID 6ae9134e-d475-4bc6-83bc-15c335c9e76c
Fingerprint aa3493bb2c6f1a40
Analysis status DONE
Considered CTI value 0
Text language
Published Sept. 17, 2024, 3:44 p.m.
Added to db Sept. 17, 2024, 6 p.m.
Last updated Nov. 18, 2024, 1:38 a.m.
Headline Using syscalls to bypass User-land EDR hooks
Title Using syscalls to bypass User-land EDR hooks
Detected Hints/Tags/Attributes 38/1/16
RSS Feed
Id   Enabled  Feed title          Url                                  Added to db
171           Malware on Medium   https://medium.com/feed/tag/malware  2024-08-30 22:08
Attributes
Type             #Events  CTI Value  Value
Domain           4128                github.com
Domain           7                   www.geoffchappell.com
Domain           2                   vxug.fakedoma.in
Domain           208                 learn.microsoft.com
File             29                  www.geo
File             1                   ldr_data_table_entry.htm
File             15                  optionalheader.dat
File             533                 ntdll.dll
File             1                   hellsgate.pdf
Github username  1                   j00ru
Url              1                   https://github.com/j00ru/windows-syscalls.
Url              1                   https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/ntldr/ldr_data_table_entry.htm
Url              1                   https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/glimpse-into-ssdt-in-windows-x64-kernel
Url              1                   https://vxug.fakedoma.in/papers/vxug/exclusive/hellsgate.pdf
Url              1                   https://github.com/j00ru/windows-syscalls
Url              1                   https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb