Bypass Record

Direct Syscalls × Microsoft Windows Defender

A publicly reported instance of Direct Syscalls bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows Defender
Technique: Direct Syscalls
MITRE ATT&CK: T1106
Confidence: High
Severity: High
Status: poc
Disclosed: 2026-05-04
Config / version noted: Not stated

Provenance

Reported as

Tenebris-Gate ... bypasses Windows Defender detection

Mechanism

Tenebris-Gate processes raw shellcode through compression and encryption, disguises the key with HellShell IPv4 encoding, delays execution with prime number calculations, masks as explorer.exe, resolves APIs via Djb2 hashing, bypasses userland hooks with tampered syscalls, and avoids RWX memory flags.

Detection & mitigation

Monitor for processes issuing system calls directly from code outside ntdll.dll (that is, from user-mode code that does not go through the standard API path), especially when combined with unhooking or tampering of ntdll.dll. Deploy kernel-level callbacks or ETW providers (e.g., Microsoft-Windows-Threat-Intelligence) to detect syscall patterns that bypass user-mode hooks, and enforce application control policies to block unsigned or anomalous executables.

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.