Overview
SysWhispers4 provides comprehensive user-mode evasion techniques, but it’s critical to understand what happens after your syscall enters the kernel. This page explains kernel-level detection mechanisms that cannot be bypassed from user-mode.What is ETW-Ti?
ETW-Ti = Event Tracing for Windows - Threat IntelligenceTechnical Details
- Provider GUID:
{f4e1897c-bb5d-5668-f1d8-040f4d8dd344} - Name:
Microsoft-Windows-Threat-Intelligence - Location: Kernel-mode callback inside
ntoskrnl.exe - Introduced: Windows 10 1903 (build 18362)
How It Works
Critical observation: The ETW-Ti callback executes inside the kernel after the syscall instruction completes. Your user-mode code is already in kernel mode when telemetry fires.ETW-Ti Monitored Events
ETW-Ti logs security-relevant syscalls regardless of how they’re invoked:Example: Memory Allocation Event
When you call:- Process ID making the call
- Target process (if remote)
- Base address allocated
- Region size
- Protection flags (RWX is highly suspicious)
- Call stack (user-mode portion)
- Timestamp
What SysWhispers4 CAN Bypass
User-Mode ETW (--etw-bypass)
Target: ntdll!EtwEventWrite
Technique: Patch the function to return STATUS_ACCESS_DENIED:
- User-mode ETW providers (PowerShell logging, .NET ETW, etc.)
- Application-level telemetry
- ETW-Ti (kernel-mode)
- Kernel-mode ETW providers
- Event log writes
Why User-Mode ETW Bypass Helps
Even though it doesn’t stop ETW-Ti, patching user-mode ETW still provides value:- PowerShell script block logging - Prevents command logging
- .NET assembly load events - Hides managed code execution
- BITS transfer logs - Suppresses file download telemetry
- WMI activity logs - Reduces lateral movement visibility
What SysWhispers4 CANNOT Bypass
Kernel ETW-Ti Callbacks
Why: Callbacks execute in kernel mode (nt!EtwTiLogXxx functions)
Where they’re registered:
- Unhook kernel callbacks
- Patch kernel memory (PatchGuard will BSOD)
- Redirect kernel execution flow
- Suppress event delivery
Kernel Callbacks (Other)
Beyond ETW-Ti, other kernel mechanisms monitor syscalls:
All of these operate in kernel mode — no syscall technique can evade them.
How EDRs Use ETW-Ti
Detection Flow
- ETW-Ti logs event in kernel
- Kernel writes to event buffer
- EDR user-mode agent consumes events via
StartTrace()/ProcessTrace() - Agent correlates events:
- Suspicious API sequences (allocate → write → protect → execute)
- Abnormal process relationships (notepad.exe creating threads in lsass.exe)
- Rapid successive calls (spray-and-pray injection)
- Agent takes action: Kill process / alert / quarantine
Example Detection Heuristic
CrowdStrike Falcon might flag this sequence within 1 second:Strategies When ETW-Ti Is Active
1. Reduce Detection Score (Defense in Depth)
Even if ETW-Ti logs your syscalls, combine techniques to lower overall suspicion:--stack-spoof: Call stack looks legitimate--sleep-encrypt: Memory scans during sleep find encrypted gibberish--obfuscate: Static analysis harder--method randomized: Defeats gadget cataloging
2. Behavioral Evasion
Avoid suspicious API patterns: ❌ Suspicious:3. Use Existing Executable Memory
AvoidNtAllocateVirtualMemory entirely:
4. Leverage NTFS Transactions (Doppelganging)
NtCreateProcessEx from section doesn’t trigger “suspicious process creation” heuristics like CreateProcess with PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY.
5. Accept Detection, Optimize Speed
If you know ETW-Ti will catch you, prioritize speed over stealth:- Static resolution: ~1 µs initialization (vs. 5 ms for
from_disk) - Embedded syscall: No gadget search overhead
- Complete your objective before EDR agent processes ETW-Ti logs (~100-500ms latency)
Kernel-Mode Bypass Techniques
1. Disable ETW-Ti Provider (Driver Required)
2. Patch ETW-Ti Callbacks
3. DKOM (Direct Kernel Object Manipulation)
Modify kernel structures to hide process/thread objects from enumeration:4. Exploit Kernel Vulnerabilities
- CVE-2021-1732 (Win32k elevation)
- CVE-2022-21882 (Win32k RCE)
- Use exploit to gain kernel code execution → disable ETW-Ti
Monitoring Your Own ETW-Ti Events
Capture Your Syscalls (Defensive Testing)
Parse Events Programmatically
- See what your payload triggers
- Tune your techniques to minimize event volume
- Test detection bypass strategies
Real-World Impact
Products Using ETW-Ti
Detection Rates (Empirical)
Test scenario: Classic process injection (allocate → write → protect → execute)
Key takeaway: User-mode techniques reduce detection score, but ETW-Ti ensures non-zero detection rate.
Recommendations
For Red Team Assessments
- Assume ETW-Ti is active on Windows 10 1903+
- Layer evasion techniques:
- Use behavioral evasion (staged operations, delays, legitimate patterns)
- Test against target EDR in lab environment first
- Have kernel backup plan if user-mode fails (driver, exploit)
For Blue Team / Detection Engineering
- Enable ETW-Ti logging on all Windows 10+ endpoints
- Correlate ETW-Ti events with:
- Process creation events
- Network connections
- File writes
- Authentication events
- Alert on suspicious sequences:
- RWX allocations + immediate thread creation
- Cross-process memory operations on high-value targets (lsass, winlogon)
- Rapid syscall bursts (>100 calls/second)
- Baseline normal behavior to reduce false positives
For Malware Analysts
- Capture full ETW-Ti trace during sandbox execution
- Look for:
- Syscalls from non-ntdll RIP (direct syscalls)
- Unusual call stack patterns (missing API layers)
- Encrypted/obfuscated code regions
- Correlate with other telemetry:
- Kernel callbacks (process/thread/image)
- File system minifilter logs
- Network filter logs
Summary
Bottom line: SysWhispers4 maximizes user-mode evasion. For kernel-level telemetry bypass, you need kernel access.
