In NTDLL I Trust - Process Reimaging and Endpoint Security Solution Bypass - E. Carroll - Hack in Paris - 2019
Offered By: Hack in Paris via YouTube
Course Description
Overview
Explore a conference talk that delves into a newly discovered defense evasion technique called Process Reimaging. Learn how this technique exploits inconsistencies in the Windows operating system to impersonate process executable binaries, potentially bypassing endpoint security solutions such as Microsoft Defender. Discover the attack vectors, prerequisites, and weaponization of Process Reimaging, and understand its place in the MITRE ATT&CK framework's defense evasion category. Gain insights into reversing the vulnerable Windows kernel APIs, and watch a demonstration of bypassing Windows Defender detection. Acquire key takeaways on understanding Windows kernel API limitations, assessing risk, and implementing mitigations that correctly identify a process's image binary. Conclude with recommendations for protecting endpoint products against this threat and for understanding its potential impact on your systems.
Syllabus
Introduction
Relevance
Attribution
About me
Agenda
What is Process Reimaging
AV Scanners
Process Reimaging
Mitre Attack Framework
Game of Thrones
Process Doppelganger
AP
Process Reimaging
Weaponized Process Reimaging
Summary
Image File Pointer Field
Summary Table
Attack vectors
Get process image
Run process
Rename process
Demo
Recap
Pros and Cons
Impact
Endpoint Security Solution
Protection Recommendations
Microsoft Update
Conclusion
Taught by
Hack in Paris