Unmasked! - Fighting Stealthy Execution Methods Using Process Creation Properties

Track 2 - Savannah

Thu, 30 Jun 2022 @ 14:55:00

Over the past few years, several Windows tradecraft techniques, such as Process Doppelganging, Process Herpaderping and Process Ghosting, have created a new class of stealthy malware execution methods alongside Process Injection and Process Hollowing. Our talk will feature a deep dive through Windows process creation, antivirus (AV) design patterns and concerns, and some filesystem internals to describe both the attacks themselves and how to generically catch all of them, as well as future variants.