Endpoint Detection and Response (EDR) solutions have become a cornerstone in the cybersecurity landscape, offering real-time monitoring and response capabilities to threats at the endpoint level. However, as with any security measure, adversaries continually seek ways to bypass or neutralize them. One of the emerging trends in this cat-and-mouse game is the use of syscalls and API calls to evade detection. This article introduces some of the notable techniques and tools in this domain, including SysWhispers, Tartarus Gate, Perun’s Fart, Hell’s Gate, Hell’s Hall, and more.
- The Power of Syscalls and API Calls
Syscalls (system calls) are the direct interface to the operating system's kernel: software uses them to request services from the kernel. EDR solutions typically monitor the higher-level, user-mode APIs that wrap these calls; by invoking syscalls directly, malware skips those monitored wrappers, making detection more challenging.
An API (Application Programming Interface), on the other hand, is a set of routines and tools for building software applications. Malware can misuse these calls, or use less common APIs, to evade detection.
- SysWhispers
SysWhispers is a tool that generates shellcode which invokes syscalls directly, bypassing security products that monitor API calls. It provides a bridge between current red team tooling and direct syscall execution to enhance evasion.
- Tartarus Gate
Tartarus Gate is a sophisticated technique built around syscalls: it uses direct syscalls to execute code and manipulate processes while staying under the radar of most EDR solutions.
- Perun’s Fart
Named after the Slavic god of thunder, Perun’s Fart is a technique that focuses on finding a fresh, unhooked copy of ntdll without reading it from the disk. The idea is to exploit the brief window between a new process’s instantiation and the moment AV/EDR tools inject their hooks.
- Hell’s Gate and Hell’s Hall
Hell’s Gate and Hell’s Hall are techniques that revolve around dynamic system call invocation. By executing syscalls dynamically at runtime rather than through the usual API path, attackers make it harder for EDR solutions to detect malicious activity.
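All of the techniques above share one observable that a defender can key on: the SYSCALL instruction executes from somewhere other than ntdll, whether from a stub compiled into the binary, from shellcode, or from a privately mapped fresh copy of ntdll. As an added example (not code from the original article or from any of the named tools), the Python below classifies constructed syscall telemetry by where the user-mode return address falls; the module ranges, event records and addresses are all made up.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed module map for one process (name -> (base, end)); real telemetry
# would come from the EDR's module-load events, these addresses are made up.
MODULES: Dict[str, Tuple[int, int]] = {
    "ntdll.dll": (0x7FFA_1000_0000, 0x7FFA_101F_0000),
    "app.exe":   (0x7FF6_0000_0000, 0x7FF6_0004_0000),
}

@dataclass(frozen=True)
class SyscallEvent:
    """One kernel-side observation: the NtXxx service entered and the user-mode
    return address, i.e. the instruction right after the SYSCALL that trapped."""
    pid: int
    service: str
    return_address: int

def module_for(addr: int, modules: Dict[str, Tuple[int, int]]) -> Optional[str]:
    """Name of the loaded module containing addr, or None for unbacked memory."""
    for name, (base, end) in modules.items():
        if base <= addr < end:
            return name
    return None

def classify(event: SyscallEvent, modules: Dict[str, Tuple[int, int]]) -> str:
    """'ok': SYSCALL ran inside ntdll, the normal API path that hooks observe.
    'direct-syscall': SYSCALL ran from another loaded module (e.g. a compiled-in stub).
    'unbacked-syscall': SYSCALL ran from memory no module backs (shellcode, or a
    privately mapped second copy of ntdll)."""
    owner = module_for(event.return_address, modules)
    if owner == "ntdll.dll":
        return "ok"
    return "unbacked-syscall" if owner is None else "direct-syscall"

# Constructed sample events for the process mapped above.
SAMPLE_EVENTS = [
    SyscallEvent(4242, "NtAllocateVirtualMemory", 0x7FFA_1004_2C14),      # inside ntdll
    SyscallEvent(4242, "NtWriteVirtualMemory",    0x7FF6_0001_8A30),      # stub in app.exe
    SyscallEvent(4242, "NtCreateThreadEx",        0x0000_0210_5E00_1234), # private memory
]

def suspicious_events(events: List[SyscallEvent], modules=MODULES) -> List[Tuple[str, str]]:
    """(service, verdict) for every syscall that did not go through ntdll."""
    verdicts = ((e.service, classify(e, modules)) for e in events)
    return [(svc, v) for svc, v in verdicts if v != "ok"]

if __name__ == "__main__":
    for service, verdict in suspicious_events(SAMPLE_EVENTS):
        print(f"{verdict}: {service}")
```

In production the same check is done against the real module list of the process at the time of the event, since a legitimate module loaded later would otherwise be misclassified as unbacked memory.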