Tricking modern endpoint security products | SANS@MIC Talk

Overview
The endpoint monitoring capabilities available to us today are unprecedented. Many tools, as well as the detection rules we build ourselves or take from the community, rely on parent-child process relationships and command-line arguments to detect malicious activity on a system.

There are, however, ways adversaries can get around these detections. During this presentation, we'll talk about the following techniques and how we can detect them:

- Parent-child relationships spoofing
- Command-line arguments spoofing
- Process injection
- Process hollowing

Speaker Bio
Michel Coene has had the unique opportunity to work in different environments and with a multitude of security products and concepts, approaching these from different angles. Michel looks at security problems from both an offensive and defensive perspective, matching perfectly with the purple teaming perspective of SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses.

In addition to his work at SANS, Michel is the incident response lead at NVISO, where he manages a team of incident responders and forensic analysts that respond to cyber incidents worldwide. Michel himself specializes in incident response, digital forensics and threat hunting, using his pragmatic and analytical skills to assist clients in solving security issues.

Before joining NVISO, Michel worked as a security consultant for a Big 4 firm in Belgium, focusing on architecture penetration testing and security assessments of large, complex networks. Michel also has a background in network engineering.

Video "Tricking modern endpoint security products | SANS@MIC Talk" from the SANS Institute channel
Video information
May 19, 2020, 4:47:30
01:04:38