iPad Pro w/ Magic KB, Surface Go 2, or $350 Off with OnDemand Training - Register Now

Webcasts

To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

SANS @MIC Talk - Tricking modern endpoint security products

  • Monday, May 18, 2020 at 3:30 PM EDT (2020-05-18 19:30:00 UTC)
  • Michel Coene

You can now attend the webcast using your mobile device!

  

Overview

The current endpoint monitoring capabilities we have available to us are unprecedented. Many tools and our self/community-built detection rules rely on parent-child relationships and command-line arguments to detect malicious activity taking place on a system.

There are however ways the adversaries can get around these detections, during this presentations we'll talk about the following techniques and how we can detect them:

- Parent-child relationships spoofing

- Command-line arguments spoofing

- Process injection

- Process hollowing

Speaker Bio

Michel Coene

Michel has had the unique opportunity to work in different environments and with a multitude of security products and concepts, approaching these from different angles. Michel looks at security problems from both an offensive and defensive perspective, matching perfectly with the purple teaming perspective of SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses.

In addition to his work at SANS, Michel is the incident response lead at NVISO where he manages a team of incident responders and forensic analysts that respond to cyber incidents worldwide. Michel specializes in incident response, digital forensics and threat hunting himself as well, where he uses his pragmatic and analytical skills to assist clients in solving security issues.

Before joining NVISO, Michel worked as a security consultant for a big 4 firm in Belgium, focusing on architecture penetration testing and doing security assessment on large complex networks. Next to that Michel has a background in network engineering.

Need Help? Visit our FAQ page or email webcast-support@sans.org.

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.