NtResetEvent

Prototype

NTSTATUS NtResetEvent(
  HANDLE  EventHandle,
  PLONG   PreviousState
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 87 01 00 00      mov eax, 0x187
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

NtResetEvent is the inverse of NtSetEvent: it drives an event object to the non-signaled state and optionally returns the *previous* state via `PreviousState`. The distinction from NtClearEvent (which does the same drop-to-non-signaled but discards the previous state) is purely whether the caller cares about the prior value — useful for implementing test-and-clear semantics without an extra NtQueryEvent round-trip. The kernel routine `KeResetEvent` underlies both NtResetEvent and NtClearEvent.

Common malware usage

Common in *sleep-mask* and *event-driven idle* implementations used by modern beacons. A typical pattern: the implant arms an event with NtSetEvent before sleeping on a counterpart, then resets it via NtResetEvent on resume to be ready for the next loop iteration. Cobalt Strike's user-defined sleep mask, Sleepmask-rs and various Sliver post-ex modules use NT event primitives this way to avoid the obvious `NtDelayExecution` timing fingerprint. Also seen in worker-thread loops that gate execution on a master signal.

Detection opportunities

NtResetEvent is *extremely* common in legitimate code (every CRITICAL_SECTION on contention, every async I/O completion teardown) so on its own it carries no signal. What matters is correlation: short repeating cycles of `NtCreateEvent → NtSetEvent → NtWait → NtResetEvent` from a single thread with an RWX stack region or with the call sequence inside a heap-allocated buffer is consistent with a sleep-mask. ETW Threat Intelligence (`Microsoft-Windows-Threat-Intelligence`) surfaces some context-switch and wait transitions that can be correlated; otherwise rely on stack-walking telemetry.

Direct syscall examples

; Direct syscall stub for NtResetEvent (SSN 0x187 on Win11 24H2)
NtResetEvent PROC
    mov  r10, rcx          ; EventHandle
    mov  eax, 187h         ; SSN — verify per-build
    syscall
    ret
NtResetEvent ENDP

// Atomically clear hEvent and learn whether it was previously signaled.
#include <windows.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI *pNtResetEvent)(HANDLE, PLONG);

BOOL ConsumeOneShot(HANDLE hEvent) {
    LONG prev = 0;
    pNtResetEvent fn = (pNtResetEvent)GetProcAddress(
        GetModuleHandleA("ntdll.dll"), "NtResetEvent");
    NTSTATUS s = fn(hEvent, &prev);
    return (s >= 0) && (prev != 0);
}

// Cargo: windows-sys = "0.59", ntapi = "0.4"
// Toy sleep-mask loop: park on event, decrypt-process-encrypt, reset, repeat.
use ntapi::ntpsapi::NtResetEvent;
use windows_sys::Win32::Foundation::HANDLE;
use windows_sys::Win32::System::Threading::WaitForSingleObject;

unsafe fn beacon_loop(wake: HANDLE) {
    loop {
        WaitForSingleObject(wake, u32::MAX);   // park
        // ... unmask payload, run task, remask payload ...
        let mut prev: i32 = 0;
        NtResetEvent(wake, &mut prev);          // rearm for next pulse
    }
}

MITRE ATT&CK mappings

• T1106Native APImitre ↗
• T1027.013Encrypted/Encoded Channel — Sleep maskmitre ↗