SANS @MIC Talk - Tricking modern endpoint security products

  • Monday, 18 May 2020 3:30PM EDT (18 May 2020 19:30 UTC)
  • Speaker: Michel Coene

The current endpoint monitoring capabilities we have available to us are unprecedented. Many tools and our self/community-built detection rules rely on parent-child relationships and command-line arguments to detect malicious activity taking place on a system.

There are, however, ways adversaries can get around these detections. During this presentation we'll talk about the following techniques and how we can detect them:

- Parent-child relationships spoofing

- Command-line arguments spoofing

- Process injection

- Process hollowing