The Limitations of User-Mode Hooks
Traditional Endpoint Detection and Response (EDR) solutions rely heavily on user-mode API hooking to monitor process behavior. By loading a DLL into every process and patching the first instructions of the Nt* stubs in ntdll.dll, EDRs can intercept calls to sensitive APIs like NtCreateProcess, NtWriteVirtualMemory, and NtProtectVirtualMemory before the call reaches the kernel.
However, sophisticated attackers have developed techniques to bypass these hooks entirely.
The API Unhooking Problem
Attackers can read a clean copy of ntdll.dll from disk (or map it from the \KnownDlls section) and copy its .text section over the hooked version in memory (MITRE ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools). This technique, known as “API unhooking,” removes every user-mode hook in that process while the EDR still believes they are in place, so subsequent malicious activity in the process goes unmonitored.
Common tools and techniques include:
- Manual mapping of clean DLLs from disk
- Direct syscalls that bypass the hooked stubs entirely
- Hell’s Gate / Halo’s Gate techniques for dynamic syscall resolution
Enter Kernel-Level Telemetry
The solution lies in moving detection into the kernel, which an attacker confined to user mode cannot reach. The Microsoft-Windows-Threat-Intelligence ETW provider offers exactly this capability.
What is ETW?
Event Tracing for Windows (ETW) is a high-performance event logging mechanism built into Windows. The Threat Intelligence provider (commonly called ETW-TI), introduced in Windows 10 version 1703, is written by the kernel itself: the memory-manager and thread-management paths call internal nt!EtwTi* logging routines when a security-relevant operation executes, so the events are produced from kernel code rather than from anything living inside the monitored process.
| Attribute | Value |
|---|---|
| GUID | {F4E1897C-BB5D-5668-F1D8-040F4D8DD344} |
| Introduced | Windows 10 Version 1703 (April 2017) |
| Consumer requirement | Protected Process Light (PPL) with the Antimalware signer (in practice, a service started by an ELAM-signed driver) |
Key Events Captured
The provider focuses on the memory and thread operations that injection and credential theft depend on, each reported in a local and a remote (cross-process) variant:
- Virtual memory allocations with executable protections (ALLOCVM)
- Protection changes that make existing memory executable (PROTECTVM)
- Mapping of executable sections into a process (MAPVIEW)
- Cross-process memory reads and writes (READVM, WRITEVM)
- Thread context changes and user-mode APC queuing (SETTHREADCONTEXT, QUEUEUSERAPC)
- Thread suspend and resume operations (SUSPENDRESUME_THREAD)
Process creation (including command-line arguments), image loads, handle operations on sensitive processes and registry modifications are not TI events; an EDR driver receives them through the documented kernel callbacks (PsSetCreateProcessNotifyRoutineEx, PsSetLoadImageNotifyRoutine, ObRegisterCallbacks and CmRegisterCallbackEx), which are equally out of reach of a user-mode implant.
Why It Is Much Harder to Bypass
Unlike user-mode hooks, the TI instrumentation runs in kernel code and writes to a trace session that only an Antimalware-PPL process can read. Nothing an attacker does inside their own process, including a full unhook of ntdll.dll or direct syscalls, changes what the kernel logs when the syscall actually executes. To silence it, an attacker needs:
- Kernel-mode code execution, typically through a vulnerable signed driver (bring your own vulnerable driver) or a kernel exploit
- A way past Driver Signature Enforcement and, where enabled, HVCI; administrator privileges are required to load a driver but are not sufficient to load arbitrary code into the kernel
- A tampering method that survives Kernel Patch Protection (PatchGuard): patching nt!EtwTi* code is eventually caught, which is why public tooling instead uses an arbitrary kernel write to clear the provider's registration state (nt!EtwThreatIntProvRegHandle) without modifying code
Harder is not impossible, but kernel telemetry raises the bar from “any code running as the user” to “a kernel read/write primitive,” and that is precisely why tampering with ETW-TI is itself a high-value detection.
Implementation Considerations
For EDR vendors and security teams:
- Consume the TI provider from an Antimalware-PPL service (which requires an ELAM-signed driver) in addition to user-mode hooks; the hooks still give the cheapest and richest context, the kernel events are the ground truth
- Correlate events between kernel and user-mode for higher fidelity: a kernel-observed remote executable allocation with no matching user-mode hook event is itself a sign that the caller has unhooked or is using direct syscalls
- Monitor for ETW tampering as an indicator of compromise: in user mode, patches to EtwEventWrite or NtTraceEvent in a process's ntdll; in the kernel, unexpected driver loads and a TI provider that stops emitting events while the system is active
- Enable LSA protection (RunAsPPL) so that only protected processes can open LSASS, and Credential Guard so that derived credentials are isolated in a virtualization-based security process (LSAIso) rather than in LSASS memory
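The first three bullets above, turned into detection logic and run over a constructed stream of TI-style records, as an added example rather than the post's or any vendor's code. Real TI events carry many more fields (CallingProcessId, TargetProcessId, BaseAddress, RegionSize, ProtectionMask and process create times, among others) and distinguish local from remote variants by keyword; the struct below keeps only calling pid, target pid and protection mask, derives remoteness from the pids, and the pids and the LSASS pid are invented sample values. Consuming the provider itself requires the Antimalware-PPL session described earlier; this code starts after those events have been received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified TI record: real events carry far more fields (see lead-in). */
enum ti_kind { TI_ALLOCVM, TI_PROTECTVM, TI_WRITEVM, TI_READVM };

struct ti_record {
    enum ti_kind kind;
    uint32_t calling_pid;   /* process issuing the syscall */
    uint32_t target_pid;    /* process whose memory is touched */
    uint32_t protection;    /* PAGE_* mask for ALLOCVM/PROTECTVM, 0 otherwise */
};

/* Windows PAGE_* constants (winnt.h values) */
#define PAGE_READWRITE          0x04
#define PAGE_EXECUTE            0x10
#define PAGE_EXECUTE_READ       0x20
#define PAGE_EXECUTE_READWRITE  0x40
#define PAGE_EXECUTE_WRITECOPY  0x80
#define PAGE_EXECUTE_ANY (PAGE_EXECUTE | PAGE_EXECUTE_READ | \
                          PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

enum alert_kind { ALERT_REMOTE_EXEC_MEMORY, ALERT_INJECTION_CHAIN, ALERT_LSASS_READ };

struct alert {
    enum alert_kind kind;
    uint32_t calling_pid;
    uint32_t target_pid;
};

static const char *ALERT_NAME[] = {
    "remote executable memory", "alloc->write injection chain", "cross-process read of LSASS"
};

#define MAX_ALERTS 16

static void push_alert(struct alert *out, size_t *n, size_t max,
                       enum alert_kind k, const struct ti_record *r)
{
    if (*n >= max) return;
    out[*n].kind = k;
    out[*n].calling_pid = r->calling_pid;
    out[*n].target_pid = r->target_pid;
    (*n)++;
}

/* Evaluate an ordered record stream. Returns the number of alerts produced. */
static size_t evaluate(const struct ti_record *recs, size_t n, uint32_t lsass_pid,
                       struct alert *out, size_t max_out)
{
    size_t nalerts = 0;
    for (size_t i = 0; i < n; i++) {
        const struct ti_record *r = &recs[i];
        int remote = r->calling_pid != r->target_pid;

        /* Rule 1: another process's memory becomes executable */
        if ((r->kind == TI_ALLOCVM || r->kind == TI_PROTECTVM) && remote &&
            (r->protection & PAGE_EXECUTE_ANY)) {
            push_alert(out, &nalerts, max_out, ALERT_REMOTE_EXEC_MEMORY, r);
            continue;
        }
        /* Rule 2: correlate a remote write with an earlier executable allocation
           by the same caller into the same target (alloc -> write -> execute) */
        if (r->kind == TI_WRITEVM && remote) {
            for (size_t j = 0; j < i; j++) {
                const struct ti_record *p = &recs[j];
                if (p->kind == TI_ALLOCVM && (p->protection & PAGE_EXECUTE_ANY) &&
                    p->calling_pid == r->calling_pid && p->target_pid == r->target_pid) {
                    push_alert(out, &nalerts, max_out, ALERT_INJECTION_CHAIN, r);
                    break;
                }
            }
            continue;
        }
        /* Rule 3: anything reading LSASS memory from outside */
        if (r->kind == TI_READVM && remote && r->target_pid == lsass_pid)
            push_alert(out, &nalerts, max_out, ALERT_LSASS_READ, r);
    }
    return nalerts;
}

/* Constructed sample stream (pids invented): an injector at 4312 targeting 1200,
   a benign local allocation, a credential dumper at 2880 reading LSASS (700),
   and a local RX protection change that these three rules deliberately ignore. */
#define SAMPLE_LSASS_PID 700
static const struct ti_record SAMPLE[] = {
    { TI_ALLOCVM,   4312, 1200, PAGE_EXECUTE_READWRITE },
    { TI_WRITEVM,   4312, 1200, 0 },
    { TI_ALLOCVM,   4312, 4312, PAGE_READWRITE },
    { TI_READVM,    2880,  700, 0 },
    { TI_PROTECTVM, 5000, 5000, PAGE_EXECUTE_READ },
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    struct alert alerts[MAX_ALERTS];
    size_t n = evaluate(SAMPLE, SAMPLE_COUNT, SAMPLE_LSASS_PID, alerts, MAX_ALERTS);
    for (size_t i = 0; i < n; i++)
        printf("ALERT %-28s caller=%u target=%u\n", ALERT_NAME[alerts[i].kind],
               alerts[i].calling_pid, alerts[i].target_pid);
    return 0;
}
```

The sample stream yields three alerts: the RWX allocation into pid 1200, the follow-up write that completes the injection chain, and the read of LSASS. The local RW allocation and the local RW-to-RX change are left alone on purpose; the latter is a real indicator for shellcode staged in the attacker's own process, but it needs the corresponding ALLOCVM record and a much higher false-positive budget (JIT compilers do this constantly), which is where correlation with the user-mode side and process context earns its keep.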
Conclusion
As the attacker-defender arms race continues, kernel-level telemetry represents the next evolution in endpoint security. Organizations should ensure their EDR solutions leverage ETW and other kernel-mode visibility mechanisms.
Want to validate your EDR’s kernel-level detection capabilities? Contact our Red Team for a Purple Team engagement.
