Bypass Record

Direct Syscalls × Sophos EDR

A publicly reported instance of Direct Syscalls bypassing Sophos EDR, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Sophos EDR
Technique
Direct Syscalls
MITRE ATT&CK
T1106
Confidence
High
Severity
High
Status
poc
Disclosed
2024-07-24
Config / version noted
Not stated

Provenance

Reported as

successfully launching a payload under Sophos EDR

Mechanism

The loader sets hardware breakpoints on randomly chosen benign syscalls that the EDR does not hook. Each of these syscalls is then invoked with null arguments; the breakpoint fires a vectored exception handler that swaps in the real arguments and the intended syscall number, and then removes the breakpoint. Because the EDR's user-mode inspection sees only the initial null arguments, the true arguments are hidden from it.

Detection & mitigation

Monitor for processes that set hardware breakpoints (e.g., via SetThreadContext) or register vectored exception handlers (AddVectoredExceptionHandler) that modify syscall arguments, especially in combination with suspicious syscall patterns such as null arguments. Mitigate by enabling kernel-level callbacks or ETW providers that capture syscall arguments before user-mode tampering can occur, and by restricting SeDebugPrivilege to limit hardware breakpoint manipulation.


This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.