One of the most critical detection vectors is system call (syscall) tracing:

- Hooks in ntdll.dll intercept calls like NtAllocateVirtualMemory, NtWriteVirtualMemory and NtCreateThreadEx
- Userland EDR components trace call stacks, arguments, and call origins
- Some advanced solutions monitor syscalls in kernel mode or via ETW
- EDRs may track the sequence and frequency of syscalls; unusual chains may indicate exploitation or injection
Common evasion approaches against this vector:

- Use direct syscalls (bypassing API stubs)
- Use indirect syscall stubs (SysWhispers, Hell's Gate)
- Randomize call sequences or insert benign calls to blend in
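To make the detection side of both lists concrete, here is a small added example (not code from the original page or from any EDR product) of the two checks a userland or kernel syscall tracer applies to a stream of events: an origin check that flags a syscall whose recorded return address lies outside ntdll.dll, and a per-process state machine that matches the NtAllocateVirtualMemory → NtWriteVirtualMemory → NtCreateThreadEx chain even when unrelated calls are interleaved. The `SyscallEvent` structure, the ntdll address range, and the sample events are all constructed for illustration; `PAGE_EXECUTE_READWRITE = 0x40` is the real Windows constant.

```python
"""Toy model of syscall-trace detection logic (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed: hypothetical load address and size of ntdll.dll in the traced process.
NTDLL_RANGE = (0x7FF800000000, 0x1F0000)

# The classic injection chain tracked per process; order matters, contiguity does not.
INJECTION_CHAIN = ("NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtCreateThreadEx")
PAGE_EXECUTE_READWRITE = 0x40  # real Win32 protection constant


@dataclass
class SyscallEvent:
    """One traced syscall: who issued it, what it was, where the call came from."""
    pid: int
    syscall: str
    caller: int                      # return address recorded at the syscall instruction
    args: dict = field(default_factory=dict)


def caller_in_ntdll(addr: int) -> bool:
    """Origin check: legitimate calls reach the syscall instruction through an ntdll stub."""
    base, size = NTDLL_RANGE
    return base <= addr < base + size


def analyze(events):
    """Return a list of (pid, finding) tuples in the order they were raised."""
    findings = []
    chain_pos = defaultdict(int)    # pid -> how much of INJECTION_CHAIN has been seen
    rwx_seen = defaultdict(bool)    # pid -> an RWX allocation was part of the chain

    for ev in events:
        # 1. Call-origin check: a direct syscall skips the ntdll stub, so the
        #    return address points into the caller's own module instead of ntdll.
        if not caller_in_ntdll(ev.caller):
            findings.append((ev.pid,
                f"{ev.syscall} issued from non-ntdll return address {ev.caller:#x} "
                "(direct syscall indicator)"))

        if (ev.syscall == "NtAllocateVirtualMemory"
                and ev.args.get("Protect") == PAGE_EXECUTE_READWRITE):
            rwx_seen[ev.pid] = True

        # 2. Sequence check: advance the per-process state machine only when the
        #    next expected syscall arrives; other calls in between are ignored,
        #    so padding the chain with benign calls does not reset it.
        idx = chain_pos[ev.pid]
        if idx < len(INJECTION_CHAIN) and ev.syscall == INJECTION_CHAIN[idx]:
            chain_pos[ev.pid] = idx + 1
            if chain_pos[ev.pid] == len(INJECTION_CHAIN):
                severity = "high" if rwx_seen[ev.pid] else "medium"
                findings.append((ev.pid,
                    f"injection chain completed (severity={severity}, rwx={rwx_seen[ev.pid]})"))
                chain_pos[ev.pid] = 0
                rwx_seen[ev.pid] = False
    return findings


# Constructed sample trace: pid 1000 behaves normally, pid 2000 performs the chain
# with a benign call in the middle and two calls issued from outside ntdll.
SAMPLE_EVENTS = [
    SyscallEvent(1000, "NtAllocateVirtualMemory", 0x7FF800012345, {"Protect": 0x04}),
    SyscallEvent(1000, "NtWriteVirtualMemory", 0x7FF800012378),
    SyscallEvent(1000, "NtClose", 0x7FF8000123A0),
    SyscallEvent(2000, "NtAllocateVirtualMemory", 0x7FF800012345, {"Protect": 0x40}),
    SyscallEvent(2000, "NtQueryInformationProcess", 0x7FF800012400),
    SyscallEvent(2000, "NtWriteVirtualMemory", 0x0000000000401A2B),
    SyscallEvent(2000, "NtCreateThreadEx", 0x0000000000401B00),
]

if __name__ == "__main__":
    for pid, finding in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding}")
```

Running it reports three findings, all for pid 2000: two origin violations and one completed chain rated high because the allocation was RWX; pid 1000 never completes the chain, so it stays quiet. The caveat a defender should take from this: the origin check only catches the "direct syscall" case. An indirect syscall that jumps to a `syscall` instruction inside ntdll leaves a return address that passes `caller_in_ntdll`, which is why real products walk the whole call stack rather than inspecting only the immediate caller.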