FalconFriday — Direct system calls and Cobalt Strike BOFs — 0xFF14

Post-Image

FalconFriday — Direct system calls and Cobalt Strike BOFs — 0xFF14

Direct system calls are a popular technique used by attackers to bypass certain EDR solutions. In this blog we deep-dive into how direct system calls could be detected based on some example Cobalt Strike BOFs that make direct system calls.

TL;DR for blue teams: Attackers might use direct system calls in an attempt to bypass detection. This blog post shows a method for detecting direct system calls for opening a process using Sysmon.

TL;DR for red teams: Sometimes techniques used to hide malicious activities, such as making direct system calls instead of going via documented APIs, can actually make an attack less stealthy if the blue team is monitoring for these specific behaviours. Be especially cautious when using the NtOpenProcess direct system call as this behaviour can be detected using Sysmon with the right rules in place.

Cross post from medium.com, please read the full article here:

https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6

Direct link to our Github page:

https://github.com/FalconForceTeam/FalconFriday