Decrypt LOL

Adversaries Use Hardware Breakpoints to Evade EDR Systems


🕵️‍♂️ Adversaries exploit hardware breakpoints to evade modern EDR systems. Modern Endpoint Detection and Response (EDR) solutions rely on the Event Tracing for Windows (ETW) Threat Intelligence provider to detect malicious activity, but attackers are increasingly using hardware breakpoints to manipulate telemetry without triggering alerts. By leveraging CPU-level debug-register breakpoints, adversaries can hook functions and bypass traditional defenses, including Kernel Patch Protection. This article discusses how EDRs rely on ETW to detect suspicious operations and explores methods of covertly setting hardware breakpoints through the NtContinue function, which avoids generating ETW events. The findings underscore the ongoing cat-and-mouse game between security technologies and sophisticated attack techniques.
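Because the technique summarised above leaves its footprint in a thread's debug registers (DR0-DR3 hold the addresses, DR7 the enable and type bits) rather than in ETW telemetry, a responder or detection engineer can still triage it by inspecting thread contexts directly. The decoder below is an added example written for this page, not code from the article or from any EDR product: it takes debug-register values that have already been captured (for instance from a thread context or a memory image; collecting them is outside this snippet) and reports every enabled hardware breakpoint, its type and its length, using the x86/x64 DR7 bit layout. The sample register values and thread IDs are constructed for illustration.

```python
from dataclasses import dataclass

# DR7 encoding (Intel SDM, vol. 3, "Debug Registers"):
#   bits 0..7   : L0,G0,L1,G1,L2,G2,L3,G3  (local/global enable per slot)
#   bits 16+4*n : R/W n  (00 execute, 01 write, 10 I/O, 11 read/write)
#   bits 18+4*n : LEN n  (00 = 1 byte, 01 = 2, 11 = 4, 10 = 8 in 64-bit mode)
RW_KINDS = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


@dataclass(frozen=True)
class HwBreakpoint:
    slot: int        # 0..3, i.e. which of DR0..DR3 holds the address
    address: int
    kind: str        # "execute", "write", "io" or "read/write"
    length: int      # monitored range in bytes
    scope: str       # "local", "global" or "local+global"


def decode_debug_registers(dr0: int, dr1: int, dr2: int, dr3: int, dr7: int) -> list[HwBreakpoint]:
    """Return every hardware breakpoint that DR7 marks as enabled."""
    addresses = (dr0, dr1, dr2, dr3)
    found = []
    for slot in range(4):
        local_enabled = (dr7 >> (2 * slot)) & 1
        global_enabled = (dr7 >> (2 * slot + 1)) & 1
        if not (local_enabled or global_enabled):
            continue  # slot is parked; its address register is irrelevant
        rw = (dr7 >> (16 + 4 * slot)) & 0b11
        ln = (dr7 >> (18 + 4 * slot)) & 0b11
        scope = {(1, 0): "local", (0, 1): "global", (1, 1): "local+global"}[(local_enabled, global_enabled)]
        found.append(HwBreakpoint(slot, addresses[slot], RW_KINDS[rw], LEN_BYTES[ln], scope))
    return found


def threads_with_breakpoints(thread_contexts: dict[int, tuple[int, int, int, int, int]]) -> dict[int, list[HwBreakpoint]]:
    """Map thread id -> enabled breakpoints, keeping only threads that have at least one.

    A user-mode thread in a process that has no debugger attached normally has DR7 == 0,
    so any hit here is worth a closer look (assumption: the caller has already filtered
    out legitimately debugged processes).
    """
    hits = {}
    for tid, (dr0, dr1, dr2, dr3, dr7) in thread_contexts.items():
        bps = decode_debug_registers(dr0, dr1, dr2, dr3, dr7)
        if bps:
            hits[tid] = bps
    return hits


if __name__ == "__main__":
    # Constructed sample: thread 4120 carries an execute breakpoint on a function entry
    # (the shape a covert hook would take); thread 4124 is clean.
    sample = {
        4120: (0x7FFD12345678, 0, 0, 0, 0x1),
        4124: (0, 0, 0, 0, 0x0),
    }
    for tid, bps in threads_with_breakpoints(sample).items():
        for bp in bps:
            print(f"thread {tid}: DR{bp.slot} {bp.kind} bp at {bp.address:#x} ({bp.length} byte(s), {bp.scope})")
```

An execute breakpoint on a function's first instruction is the form a hardware-breakpoint hook takes, so a thread whose DR7 has a local-enable bit set with R/W == 00 in a process that nothing is legitimately debugging is the condition a hunt query would key on.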
