In NTDLL I Trust - Process Reimaging and Endpoint Security Solution Bypass - E. Carroll - Hack in Paris - 2019

Hack in Paris via YouTube

Overview

Explore a conference talk that delves into a newly discovered defense evasion technique called Process Reimaging. Learn how this technique exploits inconsistencies in the Windows operating system to impersonate process executable binaries, potentially bypassing endpoint security solutions such as Microsoft Defender. Discover the attack vectors, prerequisites, and weaponization of Process Reimaging, and understand its place in the MITRE ATT&CK framework's Defense Evasion category. Gain insights into reversing the vulnerable Windows kernel APIs, and witness a demonstration of bypassing Windows Defender detection. Acquire key takeaways on understanding Windows kernel API limitations, assessing risks, and implementing mitigation strategies that correctly identify a process's image binary. Conclude with recommendations for protecting endpoint products against this new threat and for understanding its potential impact on your systems.

Syllabus

Introduction
Relevance
Attribution
About Me
Agenda
What is Process Reimaging
AV Scanners
Process Reimaging
MITRE ATT&CK Framework
Game of Thrones
Process Doppelgänging
AP
Process Reimaging
Weaponized Process Reimaging
Summary
Image File Pointer Field
Summary Table
Attack Vectors
Get Process Image
Run Process
Rename Process
Demo
Recap
Pros and Cons
Impact
Endpoint Security Solution
Protection Recommendations
Microsoft Update
Conclusion

Taught by

Hack in Paris
