Understanding Sleep Obfuscation
ID: 25d66718-748b-5516-a3b9-0259beb57388
STIX ID: report--25d66718-748b-5516-a3b9-0259beb57388
Feed Name: Binary Defense Blog
This report analyzes three open-source in-memory sleep-obfuscation techniques (Ekko, Cronos, FOLIAGE), detailing how each encrypts and decrypts the implant's memory while it sleeps and how each uses timers, APCs, and NtContinue to evade detection. It provides results from testing the POCs and Havoc C2 payloads, evaluates detection approaches (memory scanners, CFG/POC tools, and Microsoft Defender/Sentinel telemetry), and identifies gaps and potential detection opportunities such as ETW tracing, logging of specific API calls, and NtContinue monitoring.
