Sanctum EDR demonstrates a multi-layered approach to detecting and preventing Event Tracing for Windows (ETW) tampering by rootkits, combining kernel-mode monitoring with user-space protections.
This toolkit focuses on neutralizing advanced techniques used by malware like Remcos RAT and Lazarus Group’s FudModule rootkit to blind security solutions.
KeBugCheckEx
to prevent exploitation1.EtwpActiveSystemLoggers
bitmask and GUID enable flags within this kernel structure. CmRegisterCallbackEx
blocks modifications to ETW-related registry keys (e.g., HKLM\...\Autologger\EventLog-Application
). This prevents persistent disablement of ETW logging through registry tampering1.EtwEventWrite
, Sanctum suspended all process threads and terminated execution via hooked NtProtectVirtualMemory
1.Testing against real-world threats revealed:
The system employs defense-in-depth by combining:
This layered approach raises the bar for adversaries, requiring simultaneous bypass of multiple detection vectors while maintaining operational stealth – a significant challenge given Sanctum’s 50ms check intervals and hardware-isolated components1.
JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…
The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…
Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…
SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…
Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…
Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…