Ebook
Flying Under the EDR Radar
Pentera Labs showed how malware can evade Endpoint Detection and Response (EDR) by bypassing user-mode API hooks with direct syscalls. Instead of calling the hooked NTDLL exports, attackers replicate the syscall stubs in assembly and transition to the kernel themselves, so the hooked user-mode code is never executed. This allows stealthy code injection and execution of tools like Mimikatz without triggering behavioral alerts. They also demonstrated redirecting the injection path to mask API calls and detailed methods such as parsing SSDT indexes (syscall numbers), selecting the call gate, and handling the calling convention. Defenses include monitoring for suspicious NTDLL mappings, call stack anomalies, and leveraging the ETW Threat Intelligence provider to catch hidden syscall activity.