Ransomware Attacks Evade Telemetry with Hardware Breakpoints
Author: Ravie Lakshmanan
Date: January 28, 2025
Tags: Ransomware / Threat Intelligence
Cybersecurity researchers have documented a technique attackers can use to evade telemetry and stay stealthy by installing "patchless" hooks that stop AMSI scanning and suppress ETW logging. Rather than overwriting the code of the hooked functions, the attacker arms CPU hardware breakpoints (the x86 debug registers) on them and handles the resulting exceptions in userland, so the functions are intercepted and the telemetry they would produce is manipulated without any kernel patching and without modifying a single byte that an integrity check could catch.
The Technique
The technique relies on the native Windows function NtContinue, rather than SetThreadContext, to load the debug registers. SetThreadContext is a well-known API whose use is surfaced to EDRs through ETW, so writing Dr0-Dr7 through it tends to be flagged; NtContinue exists to resume a thread from a saved CONTEXT after an exception and applies the same debug-register values as a side effect, without producing that signal. With a breakpoint armed on a function's entry point, the CPU raises a single-step exception before the first instruction runs, and a handler the attacker has registered redirects execution and fakes the result. Because the hook lives in the debug registers and an exception handler instead of in the function's code, attackers can hook functions and manipulate telemetry in userland without direct kernel patching, which undermines defenses that rely on spotting patched code.
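To make the mechanism concrete, the following is an added example, not code from the article or from Praetorian. It models the patchless hook in C: arm an x86-64 debug register on a function's entry address, catch the single-step exception, and return to the caller with a chosen result while the function's bytes stay untouched, plus the check a defender would run over a thread's debug registers. The DR7 bit layout is the real one; the CONTEXT-like struct, the fake stack, the addresses (0x1000 and so on) and the idea that the hooked entry points are EtwEventWrite or AmsiScanBuffer are assumptions made for the example, so that it compiles and runs on any host. On Windows the same fields live in a CONTEXT, would be applied with NtContinue as the text describes, and the handler would be registered with AddVectoredExceptionHandler.

```c
/* Added example (not the article's or Praetorian's code): models a hardware-
 * breakpoint "patchless hook" and a defender-side check of the debug registers.
 * Addresses, the stand-in CONTEXT struct and the fake stack are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define STATUS_SINGLE_STEP 0x80000004u   /* ExceptionCode raised when a DRn breakpoint hits */
#define DR7_RW_EXEC 0u                   /* R/Wn = 00: break on instruction execution */
#define DR7_LEN_1   0u                   /* LENn = 00: execute breakpoints use length 1 */

/* Subset of the Win64 CONTEXT fields the technique reads and writes (stand-in). */
typedef struct {
    uint64_t Dr[4];             /* Dr0..Dr3: linear address to watch */
    uint64_t Dr7;               /* per-slot enable and condition bits */
    uint64_t Rip, Rsp, Rax;
} hwbp_ctx;

/* DR7 layout: Ln (local enable) at bit 2n, R/Wn at bits 16+4n, LENn at bits 18+4n. */
static uint64_t dr7_slot_bits(int slot, uint64_t rw, uint64_t len) {
    return (1ull << (2 * slot)) | (rw << (16 + 4 * slot)) | (len << (18 + 4 * slot));
}
static uint64_t dr7_slot_mask(int slot) {
    return (3ull << (2 * slot)) | (0xFull << (16 + 4 * slot));
}

/* Hook install: point slot n at addr and enable it as an execute breakpoint.
 * Returns 0 on success, -1 for an invalid slot. */
int hwbp_arm(hwbp_ctx *c, int slot, uint64_t addr) {
    if (slot < 0 || slot > 3) return -1;
    c->Dr[slot] = addr;
    c->Dr7 = (c->Dr7 & ~dr7_slot_mask(slot)) | dr7_slot_bits(slot, DR7_RW_EXEC, DR7_LEN_1);
    return 0;
}

/* Which armed slot, if any, matches the faulting Rip; -1 if none. */
static int hwbp_hit_slot(const hwbp_ctx *c) {
    for (int s = 0; s < 4; s++)
        if (((c->Dr7 >> (2 * s)) & 1) && c->Dr[s] == c->Rip) return s;
    return -1;
}

/* Exception handler logic. On a single-step exception at a hooked entry point it
 * emulates a `ret`: pop the return address into Rip, set Rax to the value the
 * caller should see (0 for S_OK / STATUS_SUCCESS), and resume. The hooked
 * function never executes and its code bytes are never modified.
 * Returns 1 to resume (EXCEPTION_CONTINUE_EXECUTION) or 0 to pass the exception
 * on (EXCEPTION_CONTINUE_SEARCH). */
int hwbp_handle(hwbp_ctx *c, uint32_t code, uint64_t forced_rax) {
    if (code != STATUS_SINGLE_STEP || hwbp_hit_slot(c) < 0) return 0;
    c->Rip = *(const uint64_t *)(uintptr_t)c->Rsp;   /* return address pushed by `call` */
    c->Rsp += 8;
    c->Rax = forced_rax;
    return 1;                                        /* Dr7 untouched: hook stays armed */
}

/* Defender check: given a thread's debug registers (on Windows, read with
 * GetThreadContext and CONTEXT_DEBUG_REGISTERS) and the entry addresses of the
 * functions worth protecting, return a bitmask of slots armed on one of them. */
unsigned hwbp_flag_hooks(const hwbp_ctx *c, const uint64_t *sensitive, size_t n) {
    unsigned mask = 0;
    for (int s = 0; s < 4; s++) {
        if (!((c->Dr7 >> (2 * s)) & 1)) continue;
        for (size_t i = 0; i < n; i++)
            if (c->Dr[s] == sensitive[i]) mask |= 1u << s;
    }
    return mask;
}

int main(void) {
    hwbp_ctx c = {0};
    uint64_t fake_stack[2] = { 0xCAFE, 0 };   /* constructed: [0] is the caller's return address */
    hwbp_arm(&c, 0, 0x1000);                  /* 0x1000 stands in for the hooked entry point */
    c.Rip = 0x1000; c.Rsp = (uint64_t)(uintptr_t)fake_stack; c.Rax = 0xFF;
    int r = hwbp_handle(&c, STATUS_SINGLE_STEP, 0);
    printf("handled=%d rip=0x%llx rax=%llu dr7=0x%llx\n", r,
           (unsigned long long)c.Rip, (unsigned long long)c.Rax, (unsigned long long)c.Dr7);
    uint64_t sensitive[] = { 0x1000, 0x2000 };
    printf("slots armed on sensitive functions: mask=0x%x\n", hwbp_flag_hooks(&c, sensitive, 2));
    return 0;
}
```

Two things worth noting about the design. Debug registers are per thread, so a real hook has to be armed in every thread that might call the target, which is also why a defender enumerating threads and comparing Dr0-Dr3 against the addresses of AMSI and ETW entry points can see it. And for a function that reports through an out-parameter (AmsiScanBuffer writes its verdict to a pointer argument), forcing Rax alone is not enough; the handler would also have to write the "clean" verdict through that pointer before returning.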
Expert Insights
Praetorian researcher Rad Kawar explained the significance of this technique, stating, "By leveraging hardware breakpoints at the CPU level, attackers can hook functions and manipulate telemetry in userland without direct kernel patching — challenging traditional defenses."
Implications
This matters because a large part of EDR and AMSI tamper detection assumes that a hook leaves a trace in memory: a patched prologue in amsi.dll or ntdll.dll, or a call to SetThreadContext that ETW surfaces. A breakpoint-based hook leaves the code bytes intact and is installed through NtContinue, so integrity checks over those functions pass and the usual thread-context telemetry is never generated, while AMSI scans are skipped and ETW events are dropped. Defenders therefore need detections that look at the state the technique actually changes: threads whose debug registers (DR0-DR3 with DR7 enable bits set) point at security-relevant functions, vectored exception handlers registered from unexpected modules, and NtContinue being reached outside of normal exception dispatch.