Subverting Sysmon - Application of a Formalized Security Product Evasion Methodology
Offered By: Black Hat via YouTube
Course Description
Overview
Explore a comprehensive methodology for subverting security products, focusing on Sysmon, in this Black Hat conference talk. Delve into the mindset of well-funded nation-state actors and their approach to holistically evading detection. Learn about the goals of evasive adversaries, detection and subversion methodologies, and the rationale behind targeting Sysmon specifically. Examine data collector subversion strategies and their application to Sysmon, including tool familiarization, data source resilience auditing, implementation analysis, and attack surface analysis. Gain insights into the engineering challenges faced by adversaries in subverting security solutions and the importance of understanding these techniques for improving defensive postures.
Syllabus
Intro
1. Goals of an Evasive Adversary
2. Detection and Detection Subversion Methodologies
3. Rationale for Targeting Sysmon
4. Data Collector Subversion Strategies Applied to Sysmon
5. Conclusion
Subverting security solutions is simply an engineering challenge for adversaries.
Data collector subversion strategies, as applied to Sysmon:
1. Tool Familiarization and Scoping
2. Data Source Resilience Auditing
3. Data Collection Implementation Analysis
4. Footprint/Attack Surface Analysis
5. Configuration Analysis
Taught by
Black Hat