In NTDLL I Trust - Process Reimaging and Endpoint Security Solution Bypass - E. Carroll - Hack in Paris - 2019

Explore a conference talk that delves into a newly discovered defense evasion technique called Process Reimaging. Learn how this technique exploits inconsistencies in the Windows operating system to impersonate process executable binaries, potentially bypassing endpoint security solutions like Microsoft Defender. Discover the attack vectors, prerequisites, and weaponization of Process Reimaging, and understand its impact on the Mitre Att&ck framework's defense evasion category. Gain insights into reversing vulnerable Windows Kernel APIs, and witness a demonstration of bypassing Windows Defender detection. Acquire key takeaways on understanding Windows Kernel API limitations, assessing risks, and implementing mitigation strategies to correctly identify process image binaries. Conclude with recommendations for protecting endpoint products against this new threat and understanding its potential impact on your systems.