🎭 Spoofing Call Stacks To Confuse EDRs
The article covers call stack spoofing as a way to evade EDR detection. It explains how to present a fake call stack during Windows API calls so that malicious activity, such as opening a handle to the lsass process, appears to originate from legitimate code rather than from injected or unbacked memory. The text walks through the mechanics of x64 call stacks (there is no frame-pointer chain on x64; stack walkers rely on per-function unwind codes), shows how those unwind codes let you compute each frame's size, lists tools for analysing stacks, and provides a PoC implementation demonstrating the technique in practice.
🔗 Research:
https://labs.withsecure.com/publications/spoofing-call-stacks-to-confuse-edrs
🔗 Source:
https://github.com/WithSecureLabs/CallStackSpoofer
#edr #evasion #stack #spoofing #lsass
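The frame-size calculation behind the technique, as an added example (not code from the WithSecure article or the CallStackSpoofer repository): an x64 stack walker does not follow saved RBP values but looks up each return address's UNWIND_INFO and replays its unwind codes to find where the caller's return address sits. A spoofer that wants to lay out a believable fake stack therefore needs the same number, the bytes each legitimate frame occupies. The parser below decodes a raw UNWIND_INFO blob (on Windows you would obtain it via RtlLookupFunctionEntry and the RUNTIME_FUNCTION UnwindData RVA; here the blobs are constructed by hand so the code runs anywhere) and sums the prolog's pushes and allocations plus the 8-byte return address. Function and type names (parse_unwind_info, frame_info_t, the SAMPLE_* arrays) are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unwind operation codes from the Microsoft x64 exception-handling ABI. */
enum {
    UWOP_PUSH_NONVOL     = 0,  /* push nonvolatile reg: RSP -= 8, 1 slot */
    UWOP_ALLOC_LARGE     = 1,  /* sub rsp, N: 2 slots (N/8 in 16 bits) or 3 slots (N in 32 bits) */
    UWOP_ALLOC_SMALL     = 2,  /* sub rsp, OpInfo*8 + 8: 1 slot */
    UWOP_SET_FPREG       = 3,  /* frame pointer established from RSP: 1 slot */
    UWOP_SAVE_NONVOL     = 4,  /* mov [rsp+off], reg: RSP unchanged, 2 slots */
    UWOP_SAVE_NONVOL_FAR = 5,  /* same with 32-bit offset: 3 slots */
    UWOP_EPILOG          = 6,  /* v2 (UWOP_SAVE_XMM in v1): 2 slots */
    UWOP_SPARE_CODE      = 7,  /* v2 (UWOP_SAVE_XMM_FAR in v1): 3 slots */
    UWOP_SAVE_XMM128     = 8,  /* RSP unchanged, 2 slots */
    UWOP_SAVE_XMM128_FAR = 9,  /* RSP unchanged, 3 slots */
    UWOP_PUSH_MACHFRAME  = 10, /* interrupt frame: 40 or 48 bytes, 1 slot */
};
#define UNW_FLAG_CHAININFO 0x4

typedef struct {
    uint32_t frame_size;     /* bytes the function's frame occupies, incl. its own return address */
    bool     uses_frame_reg; /* UWOP_SET_FPREG seen: the unwinder restores RSP from the frame register */
    bool     chained;        /* UNW_FLAG_CHAININFO set: a parent RUNTIME_FUNCTION follows the codes */
    int      error;          /* non-zero if the blob is truncated, of unknown version, or has a bad opcode */
} frame_info_t;

/* Decode an UNWIND_INFO blob (header + UNWIND_CODE slots) and sum the prolog's stack usage. */
frame_info_t parse_unwind_info(const uint8_t *blob, size_t len)
{
    frame_info_t fi = { .frame_size = 8 }; /* the CALL that entered this function pushed 8 bytes */
    if (len < 4) { fi.error = 1; return fi; }
    uint8_t version = blob[0] & 0x7;
    uint8_t flags   = blob[0] >> 3;
    uint8_t count   = blob[2];            /* CountOfCodes, in 2-byte slots */
    fi.chained = (flags & UNW_FLAG_CHAININFO) != 0;
    if (version != 1 && version != 2) { fi.error = 2; return fi; }

    const uint8_t *codes = blob + 4;
    size_t codes_len = len - 4;
    size_t i = 0;
    while (i < count) {
        if ((i + 1) * 2 > codes_len) { fi.error = 3; return fi; }
        uint8_t op    = codes[i * 2 + 1] & 0xF;  /* UnwindOp: low nibble of the second byte */
        uint8_t info  = codes[i * 2 + 1] >> 4;   /* OpInfo: high nibble */
        size_t  slots = 1;
        switch (op) {
        case UWOP_PUSH_NONVOL:
            fi.frame_size += 8;
            break;
        case UWOP_ALLOC_LARGE:
            slots = info == 0 ? 2 : 3;
            if ((i + slots) * 2 > codes_len) { fi.error = 3; return fi; }
            if (info == 0) {
                /* next slot holds size/8 as a little-endian 16-bit value */
                uint32_t v = (uint32_t)codes[(i + 1) * 2] | (uint32_t)codes[(i + 1) * 2 + 1] << 8;
                fi.frame_size += v * 8;
            } else {
                /* next two slots hold the unscaled 32-bit size, little-endian */
                uint32_t v = (uint32_t)codes[(i + 1) * 2]           | (uint32_t)codes[(i + 1) * 2 + 1] << 8 |
                             (uint32_t)codes[(i + 2) * 2]     << 16 | (uint32_t)codes[(i + 2) * 2 + 1] << 24;
                fi.frame_size += v;
            }
            break;
        case UWOP_ALLOC_SMALL:
            fi.frame_size += (uint32_t)info * 8 + 8;
            break;
        case UWOP_SET_FPREG:
            fi.uses_frame_reg = true; /* RSP accounting alone no longer tells the full story */
            break;
        case UWOP_SAVE_NONVOL: case UWOP_SAVE_XMM128: case UWOP_EPILOG:
            slots = 2; break;
        case UWOP_SAVE_NONVOL_FAR: case UWOP_SAVE_XMM128_FAR: case UWOP_SPARE_CODE:
            slots = 3; break;
        case UWOP_PUSH_MACHFRAME:
            fi.frame_size += info ? 48 : 40;
            break;
        default:
            fi.error = 4; return fi;
        }
        i += slots;
    }
    return fi;
}

/* Convenience wrapper: frame size in bytes, or 0 if the blob could not be parsed. */
uint32_t frame_size_of(const uint8_t *blob, size_t len)
{
    frame_info_t fi = parse_unwind_info(blob, len);
    return fi.error ? 0 : fi.frame_size;
}

/* Constructed sample blobs (codes are listed in reverse prolog order, as the ABI requires). */
/* push rbp; push rbx; sub rsp,0x40  -> 8 + 8 + 8 + 64 = 88 bytes */
static const uint8_t SAMPLE_SMALL[]   = { 0x01, 0x0A, 0x03, 0x00,  0x0A, 0x72,  0x02, 0x30,  0x01, 0x50 };
/* sub rsp,0x1000 via ALLOC_LARGE form 0 (0x200 * 8)  -> 8 + 4096 = 4104 bytes */
static const uint8_t SAMPLE_LARGE[]   = { 0x01, 0x07, 0x02, 0x00,  0x07, 0x01,  0x00, 0x02 };
/* sub rsp,0x100000 via ALLOC_LARGE form 1 (unscaled)  -> 8 + 1048576 bytes */
static const uint8_t SAMPLE_HUGE[]    = { 0x01, 0x07, 0x03, 0x00,  0x07, 0x11,  0x00, 0x00, 0x10, 0x00 };
/* push rbp; mov rbp,rsp (FrameRegister = 5, SET_FPREG)  -> 16 bytes, frame register in use */
static const uint8_t SAMPLE_FPREG[]   = { 0x01, 0x04, 0x02, 0x05,  0x04, 0x03,  0x01, 0x50 };
/* empty prolog with UNW_FLAG_CHAININFO set (parent RUNTIME_FUNCTION would follow) */
static const uint8_t SAMPLE_CHAINED[] = { 0x21, 0x00, 0x00, 0x00 };

int main(void)
{
    frame_info_t fi = parse_unwind_info(SAMPLE_SMALL, sizeof SAMPLE_SMALL);
    printf("frame_size=%u uses_frame_reg=%d chained=%d error=%d\n",
           fi.frame_size, fi.uses_frame_reg, fi.chained, fi.error);
    return 0;
}
```

When laying out a fake stack, each spoofed frame must reserve exactly this many bytes between its return address and the next frame's, otherwise the EDR's unwinder lands on garbage and the stack walk fails or looks anomalous. Frames that set a frame register (SET_FPREG) and chained unwind info need extra handling: the unwinder re-derives RSP from RBP plus FrameOffset*16, and the chained parent's codes must be replayed too, so the flags are reported rather than silently ignored.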