Executive Summary: As of early 2026, Windows 11 continues to evolve its security architecture with enhanced Kernel Patch Protection (PatchGuard), Hypervisor-Protected Code Integrity (HVCI), and improved Event Tracing for Windows (ETW). Despite these advancements, threat actors are increasingly leveraging fileless malware—malicious payloads that operate entirely in memory—combined with advanced kernel-level techniques to achieve persistence. A particularly insidious method observed in 2026 involves the abuse of extended Berkeley Packet Filter (eBPF) filters within the Windows networking stack to install undetectable persistence mechanisms. By hooking kernel functions via eBPF filters, malware can intercept and manipulate network-related system calls, enabling stealthy command-and-control (C2) communication and long-term persistence without writing to disk. This report analyzes how such attacks bypass modern Endpoint Detection and Response (EDR) systems, outlines key technical vectors, and provides actionable mitigation strategies for defenders.
Windows 11 2026 extends eBPF support beyond traditional Unix/Linux environments, incorporating it into the Windows networking stack via the netebpfext.sys driver. This driver allows for the dynamic loading of eBPF bytecode into the kernel, enabling efficient packet filtering and processing. While intended for legitimate use cases such as network monitoring and security appliances, threat actors have repurposed this capability.
Malicious actors craft eBPF programs that install kprobes and tracepoints on sensitive kernel functions. For example, hooking NtCreateProcessEx allows malware to monitor—and optionally intercept—process creation events, enabling silent code injection into newly spawned processes.
The attack begins with privilege escalation (often via a compromised signed driver or zero-day exploit). The attacker then loads a malicious eBPF program using bpftool or a custom syscall interface. This program installs filters on high-value kernel functions, including:
NtQueueApcThread – Used for asynchronous procedure calls (APCs), often abused for thread hijacking.NtCreateUserProcess – Critical for process creation and injection.NtDeviceIoControlFile (used by NDIS) to intercept raw packet data.Once hooked, the eBPF filter can reroute execution flow, log sensitive data (e.g., credentials, process listings), or inject shellcode into legitimate processes without invoking traditional API calls that EDRs monitor.
Persistence is achieved through two complementary mechanisms:
svchost.exe, lsass.exe) via APC or direct memory mapping.This dual approach ensures that even if the malware is detected in memory, its origin and persistence mechanism remain obscured by the kernel-level abstraction provided by eBPF.
Modern EDR systems (e.g., Microsoft Defender for Endpoint, CrowdStrike, SentinelOne) primarily operate in user mode and rely on:
An eBPF-based hook resides entirely within the kernel and is invisible to user-mode monitoring. It does not create new processes, write files, or make network connections using visible APIs—it simply filters and modifies data as it flows through kernel routines. This makes it nearly undetectable to conventional EDR tools unless they include deep kernel integrity monitoring (KIM) or hypervisor-based detection (e.g., via Microsoft Defender System Guard).
1. Initial compromise via phishing or zero-day exploit.
2. Privilege escalation using a vulnerable signed driver (e.g., exploiting CVE-2025-XXXX).
3. Load malicious eBPF program via bpftool or custom syscall.
4. Install hooks on NtQueueApcThread and NtCreateUserProcess.
5. Inject shellcode into explorer.exe via APC queue.
6. Shellcode communicates with C2 using DNS tunneling (bypassing network firewalls via eBPF-filtered traffic).
7. Persistence maintained via WMI event subscription pointing to a memory-resident payload.
8. No disk artifacts; all activity hidden from EDR and forensic tools.
Enable Hypervisor-Protected Code Integrity (HVCI), Kernel Data Protection (KDP), and System Guard with Secure Boot. These features prevent unauthorized kernel memory modifications and block unsigned driver loading.
Log all eBPF program loads via Event Tracing for Windows (ETW) events (Microsoft-Windows-Kernel-EBPF/Operational). Alert on unexpected programs or unsigned bytecode. Use tools like logman or SIEM integrations to capture these events.
Use tools like Microsoft Defender System Guard or third-party KIM solutions that validate kernel code integrity and detect unauthorized hooks. These systems monitor critical kernel structures (e.g., SSDT, IDT) for tampering.
Enforce driver signing policies via Group Policy or Intune. Block unsigned drivers using Windows Defender Application Control (WDAC). Audit loaded drivers regularly using driverquery /v or PowerShell.
Leverage AI-driven EDR solutions that analyze kernel behavior patterns, including unusual syscall sequences, memory injection vectors, and network stack anomalies. Focus on detecting deviations from known-good kernel execution paths.
Deploy network monitoring agents that inspect raw NDIS traffic at the kernel level (e.g., via NDIS lightweight filter drivers). Detect anomalies in packet flow that suggest eBPF-controlled tunneling