I'm in Your Logs Now, Deceiving Your Analysts and Blinding Your EDR
Black Hat USA 2025 · Day 1 · Briefings
Olaf Hartong of Falcon Force demonstrated that the Event Tracing for Windows (ETW) subsystem — which Microsoft Defender for Endpoint, CrowdStrike, and other major EDRs rely on for telemetry — can be abused by low-privileged attackers to inject fake events, trigger false alerts, flood EDR telemetry caps, and ultimately blind detection platforms to real malicious activity. A companion tool, ETWSpoof, and a monitoring utility, ETWtop, were released at the talk. Microsoft issued a partial fix targeting Defender's anti-malware provider on the day of the briefing.
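A defender-side check in the spirit of the ETWtop monitoring utility, as an added example that is not code from the talk or its tools: over a constructed stream of ETW-style records it flags a provider whose daily event cap is being burned down inside a short window (the cap-exhaustion pattern described above) and events whose header PID is not the provider's expected emitter. The provider name, the PIDs and the 50% burst threshold are assumptions; the 1,000-per-24-hour cap is the figure from the talk.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

CAP_PER_DAY = 1000       # per-provider cap cited in the talk (1,000 events / 24 h)
BURST_WINDOW_S = 60      # assumption: look for the cap being consumed within one minute
BURST_FRACTION = 0.5     # assumption: flag when >50% of the daily cap lands in that window


@dataclass
class Event:
    ts: float        # seconds since trace start
    provider: str    # ETW provider name
    pid: int         # process id from the event header, stamped by ETW, not by the payload


def detect_cap_burst(events, cap=CAP_PER_DAY, window=BURST_WINDOW_S, fraction=BURST_FRACTION):
    """Return {provider: first_ts} for providers whose sliding-window volume exceeds
    fraction * cap; a flood that exhausts a daily cap in seconds trips this immediately."""
    recent = defaultdict(deque)
    flagged = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        q = recent[e.provider]
        q.append(e.ts)
        while q and e.ts - q[0] > window:      # drop timestamps outside the window
            q.popleft()
        if len(q) > cap * fraction and e.provider not in flagged:
            flagged[e.provider] = e.ts
    return flagged


def detect_unexpected_emitter(events, expected_pids):
    """Return events emitted for a provider by a PID outside its expected emitter set,
    i.e. a process that should not be writing that provider's events at all."""
    return [e for e in events
            if e.provider in expected_pids and e.pid not in expected_pids[e.provider]]


def build_sample():
    """Constructed sample: a normal trickle from the expected emitter (pid 700), then
    600 events in six seconds from an unrelated low-privileged process (pid 4242)."""
    prov = "constructed-ldap-provider"          # placeholder, not a real provider name
    events = [Event(i * 300.0, prov, 700) for i in range(20)]             # one per 5 min
    events += [Event(5000.0 + i * 0.01, prov, 4242) for i in range(600)]  # flood burst
    return events


if __name__ == "__main__":
    sample = build_sample()
    print("burst:", detect_cap_burst(sample))
    print("spoofed:", len(detect_unexpected_emitter(sample, {"constructed-ldap-provider": {700}})))
```

The same two checks apply to a live trace exported from ETWtop or `logman`, with the expected-emitter map built from the PIDs that legitimately own each provider on the host.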
AI review
Hartong just proved that the entire EDR telemetry model is architecturally broken and any low-privileged process can lie to it. Injecting fake LDAP events that appear in MDE's cloud telemetry, exhausting a 1,000-event-per-24-hour cap in seconds to blind detection, flooding ETW buffers to cut off providers globally — these are not theoretical concerns, they are working attacks with released tools. Microsoft's response — patching exactly one provider while leaving 100+ untouched — speaks volumes.