Skip to main content

Overview

SysWhispers4 provides comprehensive user-mode evasion techniques, but it’s critical to understand what happens after your syscall enters the kernel. This page explains kernel-level detection mechanisms that cannot be bypassed from user-mode.
Key Principle: Once a syscall transitions to kernel mode (ring 0), user-mode code has no control over kernel telemetry and monitoring.

What is ETW-Ti?

ETW-Ti = Event Tracing for Windows - Threat Intelligence

Technical Details

  • Provider GUID: {f4e1897c-bb5d-5668-f1d8-040f4d8dd344}
  • Name: Microsoft-Windows-Threat-Intelligence
  • Location: Kernel-mode callback inside ntoskrnl.exe
  • Introduced: Windows 10 1903 (build 18362)

How It Works

Critical observation: The ETW-Ti callback executes inside the kernel after the syscall instruction completes. Your user-mode code is already in kernel mode when telemetry fires.

ETW-Ti Monitored Events

ETW-Ti logs security-relevant syscalls regardless of how they’re invoked:

Example: Memory Allocation Event

When you call:
ETW-Ti logs:
  • Process ID making the call
  • Target process (if remote)
  • Base address allocated
  • Region size
  • Protection flags (RWX is highly suspicious)
  • Call stack (user-mode portion)
  • Timestamp
You cannot prevent this log from user-mode, regardless of SysWhispers4 configuration.

What SysWhispers4 CAN Bypass

User-Mode ETW (--etw-bypass)

Target: ntdll!EtwEventWrite Technique: Patch the function to return STATUS_ACCESS_DENIED:
What this blocks:
  • User-mode ETW providers (PowerShell logging, .NET ETW, etc.)
  • Application-level telemetry
What this does NOT block:
  • ETW-Ti (kernel-mode)
  • Kernel-mode ETW providers
  • Event log writes

Why User-Mode ETW Bypass Helps

Even though it doesn’t stop ETW-Ti, patching user-mode ETW still provides value:
  1. PowerShell script block logging - Prevents command logging
  2. .NET assembly load events - Hides managed code execution
  3. BITS transfer logs - Suppresses file download telemetry
  4. WMI activity logs - Reduces lateral movement visibility

What SysWhispers4 CANNOT Bypass

Kernel ETW-Ti Callbacks

Why: Callbacks execute in kernel mode (nt!EtwTiLogXxx functions) Where they’re registered:
No user-mode code can:
  • Unhook kernel callbacks
  • Patch kernel memory (PatchGuard will BSOD)
  • Redirect kernel execution flow
  • Suppress event delivery

Kernel Callbacks (Other)

Beyond ETW-Ti, other kernel mechanisms monitor syscalls: All of these operate in kernel mode — no syscall technique can evade them.

How EDRs Use ETW-Ti

Detection Flow

  1. ETW-Ti logs event in kernel
  2. Kernel writes to event buffer
  3. EDR user-mode agent consumes events via StartTrace() / ProcessTrace()
  4. Agent correlates events:
    • Suspicious API sequences (allocate → write → protect → execute)
    • Abnormal process relationships (notepad.exe creating threads in lsass.exe)
    • Rapid successive calls (spray-and-pray injection)
  5. Agent takes action: Kill process / alert / quarantine

Example Detection Heuristic

CrowdStrike Falcon might flag this sequence within 1 second:
Your syscall method doesn’t matter — embedded, indirect, randomized, egg hunt all generate the same ETW-Ti events.

Strategies When ETW-Ti Is Active

1. Reduce Detection Score (Defense in Depth)

Even if ETW-Ti logs your syscalls, combine techniques to lower overall suspicion:
Why:
  • --stack-spoof: Call stack looks legitimate
  • --sleep-encrypt: Memory scans during sleep find encrypted gibberish
  • --obfuscate: Static analysis harder
  • --method randomized: Defeats gadget cataloging
Result: ETW-Ti sees syscalls, but other detection layers (memory scan, stack analysis, static scan) fail to correlate.

2. Behavioral Evasion

Avoid suspicious API patterns: ❌ Suspicious:
✅ Less Suspicious:
Why it helps: Correlation engines have time windows. Spreading operations over minutes reduces detection score.

3. Use Existing Executable Memory

Avoid NtAllocateVirtualMemory entirely:
Bypasses: ETW-Ti event 1 (no allocation), event 2 (no protection change) Still logged: Thread creation, but with legitimate RX memory address

4. Leverage NTFS Transactions (Doppelganging)

Advantage: NtCreateProcessEx from section doesn’t trigger “suspicious process creation” heuristics like CreateProcess with PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY.

5. Accept Detection, Optimize Speed

If you know ETW-Ti will catch you, prioritize speed over stealth:
Rationale:
  • Static resolution: ~1 µs initialization (vs. 5 ms for from_disk)
  • Embedded syscall: No gadget search overhead
  • Complete your objective before EDR agent processes ETW-Ti logs (~100-500ms latency)

Kernel-Mode Bypass Techniques

The following require kernel-level access (driver or exploit). Outside the scope of SysWhispers4.

1. Disable ETW-Ti Provider (Driver Required)

Downside: PatchGuard may detect and BSOD after ~15 minutes

2. Patch ETW-Ti Callbacks

Downside: PatchGuard detection, driver signing requirement

3. DKOM (Direct Kernel Object Manipulation)

Modify kernel structures to hide process/thread objects from enumeration:
Downside: Requires kernel driver, easy to detect via integrity checks

4. Exploit Kernel Vulnerabilities

  • CVE-2021-1732 (Win32k elevation)
  • CVE-2022-21882 (Win32k RCE)
  • Use exploit to gain kernel code execution → disable ETW-Ti
Downside: Requires 0day or unpatched system

Monitoring Your Own ETW-Ti Events

Capture Your Syscalls (Defensive Testing)

Parse Events Programmatically

Use this to:
  • See what your payload triggers
  • Tune your techniques to minimize event volume
  • Test detection bypass strategies

Real-World Impact

Products Using ETW-Ti

Detection Rates (Empirical)

Test scenario: Classic process injection (allocate → write → protect → execute) Key takeaway: User-mode techniques reduce detection score, but ETW-Ti ensures non-zero detection rate.

Recommendations

For Red Team Assessments

  1. Assume ETW-Ti is active on Windows 10 1903+
  2. Layer evasion techniques:
  3. Use behavioral evasion (staged operations, delays, legitimate patterns)
  4. Test against target EDR in lab environment first
  5. Have kernel backup plan if user-mode fails (driver, exploit)

For Blue Team / Detection Engineering

  1. Enable ETW-Ti logging on all Windows 10+ endpoints
  2. Correlate ETW-Ti events with:
    • Process creation events
    • Network connections
    • File writes
    • Authentication events
  3. Alert on suspicious sequences:
    • RWX allocations + immediate thread creation
    • Cross-process memory operations on high-value targets (lsass, winlogon)
    • Rapid syscall bursts (>100 calls/second)
  4. Baseline normal behavior to reduce false positives

For Malware Analysts

  1. Capture full ETW-Ti trace during sandbox execution
  2. Look for:
    • Syscalls from non-ntdll RIP (direct syscalls)
    • Unusual call stack patterns (missing API layers)
    • Encrypted/obfuscated code regions
  3. Correlate with other telemetry:
    • Kernel callbacks (process/thread/image)
    • File system minifilter logs
    • Network filter logs

Summary

Bottom line: SysWhispers4 maximizes user-mode evasion. For kernel-level telemetry bypass, you need kernel access.

Further Reading