The current endpoint monitoring capabilities we have available to us are unprecedented. Many tools and our self/community-built detection rules rely on parent-child relationships and command-line arguments to detect malicious activity taking place on a system.
There are, however, ways adversaries can get around these detections. During this presentation we'll talk about the following techniques and how we can detect them:
- Parent-child relationships spoofing
- Command-line arguments spoofing
- Process injection
- Process hollowing