Show HN: GhostSys: CET-Compliant Windows Syscalls (github.com)
2 points by bolik 2 hours ago
Windows 11 enforces Control-flow Enforcement Technology (CET), which breaks many classical syscall stubs and ROP chains used in red teaming. I spent the last few months investigating whether attackers can still invoke syscalls in a CET-compliant way without tripping EDRs, and how defenders can close those gaps. Within GhostSys, I formalized a post-CET syscall threat model and five CET-compliant syscall invocation techniques (Ghost Syscalls, RBP Pivot, Speculative Probe, KCT Smuggle, eBPF JIT), with a 12,000-call evaluation: 0 CET violations and no detections across three EDRs. You will also find defender-focused recommendations. Check it out!

Note: Some techniques within GhostSys are known. It's supposed to be a systematic, reproducible study of CET-compliant syscall invocation and detection coverage, not cutting edge (eBPF JIT had a similar talk, SickCodes' DEF CON talk; the Spectre vuln has been seen in Pafish++, but not turned towards syscall hook detection). Gadget scanning is essentially a much more rigorous SysWhispers + Halo's Gate.