Friday, 20 March 2026

Black Hat USA 2025 | I'm in Your Logs Now, Deceiving Your Analysts and Blinding Your EDR

What if you could leverage Event Tracing for Windows (ETW) to manipulate telemetry data, challenging the trust placed in endpoint detection and response (EDR) tools? ETW is a critical component of the operating system for Event Log generation as well as EDR telemetry collection. By injecting custom events into the ETW stream, I've found a safe way for blue teams to replicate attack telemetry without executing these risky processes on production systems. Additionally, red teams can exploit this same technique to mislead incident analysts or, worse, trigger capping mechanisms in EDRs, effectively rendering them partially blind to malicious activities. Current Windows protection mechanisms mostly allow these techniques to be executed from any un-elevated process, in user mode. I will demonstrate the injection of telemetry events and the exploitation of event capping—illustrating how an overflow in event generation can cause Defender for Endpoint to disregard subsequent logs, including those from genuine threats. I will showcase how automated risk assessment can lead to the revocation of tenant access for that device.

By: Olaf Hartong | Security Researcher, FalconForce

Presentation Materials Available at: https://ift.tt/uRoVyUj
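The abstract describes two defender-relevant signals: a flood of events from one producer (the "overflow in event generation" that can trip an EDR's capping logic) and events that claim a provider but originate from an unexpected user-mode process. The following Python is an added example, not code from the talk, from Olaf Hartong, or from FalconForce: it runs both checks over a constructed, in-memory sample of ETW-style events. The event schema, the provider name `Example-Endpoint-Telemetry`, the image paths, the burst threshold and the expected-producer allow-list are all assumptions; a real consumer would take the producer PID from the event header and derive the allow-list from a baseline of the environment.

```python
"""Burst and unexpected-producer checks over constructed ETW-style events.
Added example; schema, names, thresholds and allow-list are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class EtwEvent:
    ts: float        # seconds since trace start (constructed)
    provider: str    # provider name as seen by the consumer
    event_id: int
    pid: int         # producer PID as carried in the event header
    image: str       # image path the consumer resolved for that PID (assumed)


# Constructed sample: a slow legitimate trickle from the expected producer,
# then 500 events in half a second from an unprivileged user-mode process
# claiming the same provider, then one more legitimate event.
PROVIDER = "Example-Endpoint-Telemetry"
SAMPLE_EVENTS = (
    [EtwEvent(i * 0.5, PROVIDER, 1, 4, "System") for i in range(6)]
    + [EtwEvent(3.0 + i * 0.001, PROVIDER, 1, 4321, r"C:\Users\u\flood.exe")
       for i in range(500)]
    + [EtwEvent(3.6, PROVIDER, 1, 4, "System")]
)

# Constructed allow-list: which images are expected to emit for each provider.
EXPECTED_PRODUCERS = {PROVIDER: {"System"}}


def find_bursts(events, window=1.0, threshold=100):
    """Return one (provider, pid, window_start, peak_count) tuple per producer
    whose event count in any sliding `window` seconds exceeds `threshold`.
    Such a burst is the condition that can push an EDR into capping."""
    by_producer = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_producer[(e.provider, e.pid)].append(e.ts)

    bursts = []
    for (provider, pid), times in by_producer.items():
        recent = deque()
        peak = None
        for t in times:
            recent.append(t)
            while t - recent[0] > window:      # drop timestamps outside the window
                recent.popleft()
            if len(recent) > threshold and (peak is None or len(recent) > peak[3]):
                peak = (provider, pid, recent[0], len(recent))
        if peak is not None:
            bursts.append(peak)
    return bursts


def unexpected_producers(events, expected):
    """Return sorted (provider, pid, image) triples for events whose producer image
    is not on the allow-list for that provider. Providers with no entry are skipped."""
    hits = set()
    for e in events:
        allowed = expected.get(e.provider)
        if allowed is not None and e.image not in allowed:
            hits.add((e.provider, e.pid, e.image))
    return sorted(hits)


if __name__ == "__main__":
    for provider, pid, start, count in find_bursts(SAMPLE_EVENTS):
        print(f"burst: {count} events from pid {pid} on {provider} starting t={start:.3f}s")
    for provider, pid, image in unexpected_producers(SAMPLE_EVENTS, EXPECTED_PRODUCERS):
        print(f"unexpected producer: pid {pid} ({image}) emitting on {provider}")
```

On the constructed sample the burst check reports the 500-event flood from PID 4321 and the producer check flags the same process, while the six legitimate events at half-second spacing stay well under the threshold. In practice the threshold should be tuned per provider from observed baselines, and the producer check only helps when the consumer records the header PID and resolves it to an image before the process exits.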

source https://www.youtube.com/watch?v=G3Ft0gtmm4I
