ITSEC Newsletter 2025-01-30

Hardware breakpoints have been used to hook Windows functionality to subvert or hide user mode telemetry and in turn, bypass AMSI and ETW detections from userland. EDRs have leveraged Threat Intelligence providers to create detections around the abuse of hardware breakpoints. In this blog, we will explore which functions create these ETW events with a kernel debugger, and an alternative method to set up hardware breakpoints to hook functionality without creating the same ETW TI events.

Every once in a while, I get the urge to go back and revisit older techniques that used to be popular but have fallen out of favor with the offensive community. Things like Office Macros, PowerShell, and custom shellcode loaders used to be incredibly effective but are now deemed “burned” by many industry colleagues I chat with. While there is some truth to this, I am still constantly surprising myself and others on my team with so-called “burned” TTPs that prove themselves effective on operations. In this post, I want to revisit another old technique I believe is a prime candidate to host malware payloads—Python for Windows. But, before we do, let’s revisit some existing work in this space.

Welcome to the second part of my blog series on the Windows driver load order. Good to see that you made it up to here. After the preparations in my last post, we are now finally equipped with all necessary tools to analyze the load order and develop a compatible sorting algorithm.