Date:11/12/17
In their presentation, "Lost in Transaction: Process Doppelgänging," enSilo researchers Eugene Kogan and Tal Liberman demonstrated how to conceal malicious activity deep at the operating system level by manipulating how Windows handles file transactions. By passing off malicious actions as benign, legitimate processes, Kogan and Liberman found a potent way for even relatively less-sophisticated attackers to give new life to malicious code threats well-known to security vendors. Once cloaked with "Process Doppelgänging," these threats can impact the latest versions of Windows protected with fully-updated AV and NGAV security products, where malware payloads can proceed to ransom files, capture keystrokes or steal priceless data.
enSilo's Black Hat Europe research is available for download here. Additionally, interested viewers can register to attend a free, public webinar on Process Doppelgänging with Liberman, where he will provide a walk-through of threats and defenses.
In addition to blinding Windows' embedded defense mechanisms and third-party AV and NGAV security products to incoming threats, Process Doppelgänging gives attackers the further advantage of leaving no traceable evidence behind - making this type of intrusion extremely difficult to detect after the fact with the latest forensic techniques.
enSilo customers are already protected from Process Doppelgänging in the wild, via enSilo's proven pre and post infection endpoint security platform combining automated, blocking-enabled Endpoint Detection and Response (EDR) capabilities with Threat Hunting, Incident Response, and Virtual Patching features. enSilo's integrated approach sees and arrests attacks impersonating legitimate Windows processes, affording users additional peace of mind - instead of the uncertainty and management burdens of relying on multiple, piecemeal endpoint protection tools.
"The 'Process Doppelgänging' attack method we discovered leverages several complex mechanisms in Windows operating systems and intimate knowledge of the inner-workings of AVs' file scanning engines. Putting all this together allows masquerading a malicious executable as legitimate, bypassing all tested security products," Liberman explained. "This is another example of how a few subtle manipulations of code, based on deep insight into the operating system internals, are all that is required to upend many layered detection and traditional prevention defenses," Kogan added. "Our research shows that even the latest protections can be negated by an attacker's creative bid to skip a malicious file payload altogether and infiltrate dangerous content through Windows' intricacies."
Kogan and Liberman's selection to present at Black Hat Europe is the latest recognition given to enSilo's renowned team of security researchers working tirelessly to defend customers and the wider security community from evolving threats. enSilo has earned recognition for high-profile work uncovering security risks with major operating systems and novel attack methods. This includes offering an independent patch for Windows' ESTEEMAUDIT remote desktop protocol vulnerability, detailing "AtomBombing" attacks that inject malicious code through Windows atom tables and revealing how attackers can hijack anti-virus products' own features to defeat security measures.
enSilo Reveals Evasive Attack Technique Bypassing Antivirus (AV) and Next Generation Antivirus (NGAV) Prevention Defenses at Black Hat Europe
enSilo, the company that protects endpoints pre- and post-infection and stops data breaches in real time, today released high-profile cybersecurity research at Black Hat Europe revealing how cybercriminals can take advantage of Microsoft Windows features to slip malicious ransomware and other threats past most updated, market-leading AV and NGAV security products protecting corporate laptops, servers and other sensitive devices.In their presentation, "Lost in Transaction: Process Doppelgänging," enSilo researchers Eugene Kogan and Tal Liberman demonstrated how to conceal malicious activity deep at the operating system level by manipulating how Windows handles file transactions. By passing off malicious actions as benign, legitimate processes, Kogan and Liberman found a potent way for even relatively less-sophisticated attackers to give new life to malicious code threats well-known to security vendors. Once cloaked with "Process Doppelgänging," these threats can impact the latest versions of Windows protected with fully-updated AV and NGAV security products, where malware payloads can proceed to ransom files, capture keystrokes or steal priceless data.
enSilo's Black Hat Europe research is available for download here. Additionally, interested viewers can register to attend a free, public webinar on Process Doppelgänging with Liberman, where he will provide a walk-through of threats and defenses.
In addition to blinding Windows' embedded defense mechanisms and third-party AV and NGAV security products to incoming threats, Process Doppelgänging gives attackers the further advantage of leaving no traceable evidence behind - making this type of intrusion extremely difficult to detect after the fact with the latest forensic techniques.
enSilo customers are already protected from Process Doppelgänging in the wild, via enSilo's proven pre and post infection endpoint security platform combining automated, blocking-enabled Endpoint Detection and Response (EDR) capabilities with Threat Hunting, Incident Response, and Virtual Patching features. enSilo's integrated approach sees and arrests attacks impersonating legitimate Windows processes, affording users additional peace of mind - instead of the uncertainty and management burdens of relying on multiple, piecemeal endpoint protection tools.
"The 'Process Doppelgänging' attack method we discovered leverages several complex mechanisms in Windows operating systems and intimate knowledge of the inner-workings of AVs' file scanning engines. Putting all this together allows masquerading a malicious executable as legitimate, bypassing all tested security products," Liberman explained. "This is another example of how a few subtle manipulations of code, based on deep insight into the operating system internals, are all that is required to upend many layered detection and traditional prevention defenses," Kogan added. "Our research shows that even the latest protections can be negated by an attacker's creative bid to skip a malicious file payload altogether and infiltrate dangerous content through Windows' intricacies."
Kogan and Liberman's selection to present at Black Hat Europe is the latest recognition given to enSilo's renowned team of security researchers working tirelessly to defend customers and the wider security community from evolving threats. enSilo has earned recognition for high-profile work uncovering security risks with major operating systems and novel attack methods. This includes offering an independent patch for Windows' ESTEEMAUDIT remote desktop protocol vulnerability, detailing "AtomBombing" attacks that inject malicious code through Windows atom tables and revealing how attackers can hijack anti-virus products' own features to defeat security measures.
Views: 435
©ictnews.az. All rights reserved.Similar news
- Cellphone Use May Raise Cancer Risk
- Australian police pushes cyber safety education
- Vietnam aims to lead in e-government
- Senate Website Gets Hacked
- US builds net for cyber war games
- Japan enacts anti-computer virus law
- India passes law vs e-waste
- Anonymous Declares War On The City Of Orlando
- Microsoft highlights evolving dangers as online identity data proliferates
- Consumers want internet security to be provided by banks
- Government facilities targets of cyber attack
- South Korean web attacks might been war drill
- Sri Lanka to Establish National Passport Database to Increase Border Security
- Hi-tech crime agencies set to employ information security professionals
- Phone hacking and online campaign bring down the News of the World