Sanctum EDR demonstrates a multi-layered approach to detecting and preventing Event Tracing for Windows (ETW) tampering by rootkits, combining kernel-mode monitoring with user-space protections.
This toolkit focuses on neutralizing advanced techniques used by malware like Remcos RAT and Lazarus Group’s FudModule rootkit to blind security solutions.
Key Functions
- Kernel Dispatch Table Monitoring
Sanctum’s driver periodically validates the integrity of the ETW Kernel Dispatch Table – a critical structure holding pointers to ETW provider GUIDs.
- By comparing runtime addresses against a baseline snapshot, it detects rootkits attempting to nullify entries (e.g., EtwThreatIntProvRegHandle).
- Tampering triggers an immediate bug check (BSOD) via KeBugCheckEx to prevent exploitation [1].
- _ETW_SILODRIVERSTATE Protection
The tool monitors the EtwpActiveSystemLoggers bitmask and GUID enable flags within this kernel structure.
- Lazarus-style attacks that clear these flags to disable ETW providers are detected through cyclic redundancy checks. For critical providers like ETW Threat Intelligence, zero-value masks prompt system halts [1].
- Registry Guardrails
A kernel filter driver using CmRegisterCallbackEx blocks modifications to ETW-related registry keys (e.g., HKLM\...\Autologger\EventLog-Application). This prevents persistent disablement of ETW logging through registry tampering [1].
- User-Space NTDLL Guard
A companion process hashes NTDLL’s .text segment every 50ms to detect memory patching attempts. When Remcos RAT tried patching EtwEventWrite, Sanctum suspended all process threads and terminated execution via hooked NtProtectVirtualMemory [1].
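The baseline-snapshot comparison and CRC check described under Kernel Dispatch Table Monitoring and _ETW_SILODRIVERSTATE Protection, as an added example that is not Sanctum’s own code. The table layout, the THREAT_INT_INDEX slot and the function names are constructed stand-ins for illustration, not the real Windows kernel structures.

```c
/* Added example, not Sanctum's own code: baseline-vs-runtime integrity check as
 * the page describes. Table layout is a constructed stand-in, not a Windows struct. */
#include <stddef.h>
#include <stdint.h>
#define ETW_ENTRIES 4
#define THREAT_INT_INDEX 2  /* hypothetical slot for EtwThreatIntProvRegHandle */

typedef struct {
    uintptr_t entries[ETW_ENTRIES]; /* provider registration handles */
    uint64_t  active_loggers_mask;  /* stand-in for EtwpActiveSystemLoggers */
} etw_table_t;

typedef struct {
    uint32_t    crc;  /* CRC-32 of the table when the baseline was taken */
    etw_table_t copy; /* full snapshot, used to name the changed entry */
} etw_baseline_t;

/* Bitwise CRC-32 (IEEE 802.3, reflected); no lookup table needed. */
uint32_t crc32_ieee(const void *buf, size_t len) {
    const uint8_t *p = buf;
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

void take_baseline(const etw_table_t *live, etw_baseline_t *b) {
    b->copy = *live;
    b->crc  = crc32_ieee(live, sizeof *live);
}

/* -1 = intact (cheap CRC fast path); else index of the first changed
 * entry, or ETW_ENTRIES when only the logger mask changed. */
int check_integrity(const etw_table_t *live, const etw_baseline_t *b) {
    if (crc32_ieee(live, sizeof *live) == b->crc) return -1;
    for (int i = 0; i < ETW_ENTRIES; i++)
        if (live->entries[i] != b->copy.entries[i]) return i;
    return ETW_ENTRIES;
}

/* The page's halt condition: nulled critical handle or zero logger mask. */
int critical_provider_disabled(const etw_table_t *live) {
    return live->entries[THREAT_INT_INDEX] == 0 || live->active_loggers_mask == 0;
}
```

In a real driver the periodic check would run on a timer and escalate a non-negative result to KeBugCheckEx; here the functions simply return the verdict so it can be inspected.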
Testing against real-world threats revealed:
- Complete blockage of Remcos’ user-space ETW bypass via memory protection hooks
- Successful identification of FudModule rootkit’s GUID entry manipulation through kernel structure monitoring
- Prevention of registry-based persistence mechanisms with 100% block rate in controlled tests
The system employs defense-in-depth by combining:
- Kernel Patch Guard-style periodic checks
- Real-time syscall hooking
- Registry write filtering
- Memory integrity validation
This layered approach raises the bar for adversaries, requiring simultaneous bypass of multiple detection vectors while maintaining operational stealth – a significant challenge given Sanctum’s 50ms check intervals and hardware-isolated components [1].