Following the largest global IT outage in history in July 2024, many took to the public stage advocating that endpoint security vendors be prohibited from deploying kernel-based components, even prompting regulators to weigh in. That launched an effort to evaluate the impact of the proposed design shift, as many endpoint-oriented security solutions, from malware analysis tools to commercial products (AVs, EDRs and sandboxes), already include user mode-based engines.

The research started by examining open-source projects and publications such as SysWhispers and FireWalker, and continued by analyzing and reverse-engineering malware families of all types in the wild, including infamous names like Emotet, SmokeLoader, HijackLoader, FormBook, DarkGate, Hive ransomware and Winnti, among others. In all, over 55 different data sources were ingested, mapping the entire threat landscape and tracking the evolution of adversaries for more than a decade. Curating this collection yielded an in-depth understanding of attackers' tradecraft and made it clear that evading user-mode engines is the most prolific post-exploitation technique yet, surpassing even code injection methods.

This session will explore all 27 unique methods that security researchers and malware authors have developed to beat user mode-based protection engines, cataloged under 3 main tactics: Hook Evasion, Argument Forgery and Engine Disarming. The trade-offs of the various methods will be highlighted as well. In addition, the session will include detection schemes, focusing on runtime and forensic indicators, to aid malware researchers, incident responders, threat hunters and detection engineers tackling these issues.

By: Omri Misgav | Security Researcher, Independent

Presentation Materials Available at: https://ift.tt/1m24De7
Source: https://www.youtube.com/watch?v=ox2lq9vsC8Q
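The abstract names the three tactics (Hook Evasion, Argument Forgery, Engine Disarming) and promises runtime and forensic indicators, but does not show one. The block below is an added example written for this page, not code from the talk or its materials. It models the simplest runtime indicator a detection engine or hunter can apply against a user-mode hooking engine: compare the prologue of each Nt* syscall stub as loaded in memory with the pristine on-disk copy, and classify any stub whose first bytes were rewritten into a jump. The same on-disk copy also yields the system service number, which is exactly what SysWhispers-style direct-syscall code (the Hook Evasion tactic) reads to bypass the hook, so the example serves both the attacker and defender views. All addresses, stub bytes and SSN values are constructed sample data laid out in the Windows 10 x64 stub shape; they are not taken from a live system.

```python
"""Toy inline-hook scanner for x64 ntdll syscall stubs (added example,
not the talk's or any product's code). Compares in-memory prologues with
pristine on-disk bytes and classifies rewritten stubs by jump form."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Canonical Windows 10 x64 stub prefix:  4C 8B D1  mov r10, rcx
#                                        B8 <ssn>  mov eax, <system service number>
CLEAN_PREFIX = bytes.fromhex("4C8BD1B8")


@dataclass
class Finding:
    name: str
    kind: str               # "clean", "jmp_rel32", "jmp_abs", "push_ret", "modified"
    target: Optional[int]   # resolved jump target for the jmp/push-ret forms
    ssn: Optional[int]      # SSN recovered from the on-disk copy


def parse_ssn(stub: bytes) -> Optional[int]:
    """Return the SSN if `stub` starts with mov r10,rcx; mov eax,imm32 (SysWhispers-style)."""
    if stub[:4] == CLEAN_PREFIX and len(stub) >= 8:
        return int.from_bytes(stub[4:8], "little")
    return None


def classify_hook(mem: bytes, base: int) -> Tuple[str, Optional[int]]:
    """Classify the first instruction of a modified stub loaded at `base`."""
    if mem[:1] == b"\xE9" and len(mem) >= 5:                      # jmp rel32
        rel = int.from_bytes(mem[1:5], "little", signed=True)
        return "jmp_rel32", base + 5 + rel
    if mem[:2] == b"\xFF\x25" and len(mem) >= 6:                  # jmp [rip+disp32]
        disp = int.from_bytes(mem[2:6], "little", signed=True)
        slot = 6 + disp                                           # pointer slot, relative to stub
        if 0 <= slot and slot + 8 <= len(mem):
            return "jmp_abs", int.from_bytes(mem[slot:slot + 8], "little")
        return "jmp_abs", None
    if mem[:1] == b"\x68" and len(mem) >= 6 and mem[5:6] == b"\xC3":  # push imm32; ret
        return "push_ret", int.from_bytes(mem[1:5], "little")
    return "modified", None


def scan(exports: Dict[str, Tuple[int, bytes]], disk: Dict[str, bytes]) -> List[Finding]:
    """exports: name -> (load address, in-memory bytes); disk: name -> pristine bytes."""
    findings = []
    for name, (addr, mem) in exports.items():
        pristine = disk[name]
        ssn = parse_ssn(pristine)
        if mem[: len(pristine)] == pristine:
            findings.append(Finding(name, "clean", None, ssn))
            continue
        kind, target = classify_hook(mem, addr)
        findings.append(Finding(name, kind, target, ssn))
    return findings


# --- constructed sample data (assumed addresses, illustrative SSNs) ---
def make_stub(ssn: int) -> bytes:
    """Win10 x64-shaped stub: mov r10,rcx; mov eax,ssn; wow64 check; syscall; ret; int 2e; ret."""
    return (CLEAN_PREFIX + ssn.to_bytes(4, "little")
            + bytes.fromhex("F604250803FE7F01" "7503" "0F05" "C3" "CD2E" "C3"))


NTDLL_BASE = 0x7FF812340000   # assumed ntdll load address
HOOK_DLL = 0x7FF856780000     # assumed address of a user-mode engine DLL

DISK = {
    "NtAllocateVirtualMemory": make_stub(0x18),
    "NtWriteVirtualMemory": make_stub(0x3A),
    "NtClose": make_stub(0x0F),
}

# Hook form 1: E9 rel32 straight into the engine DLL.
_alloc_addr = NTDLL_BASE + 0x1000
_alloc_rel = (HOOK_DLL + 0x100) - (_alloc_addr + 5)
_alloc_mem = b"\xE9" + _alloc_rel.to_bytes(4, "little", signed=True) + DISK["NtAllocateVirtualMemory"][5:]

# Hook form 2: FF 25 00000000 (jmp [rip+0]) followed by an 8-byte absolute pointer.
_write_addr = NTDLL_BASE + 0x2000
_write_mem = (b"\xFF\x25" + (0).to_bytes(4, "little")
              + (HOOK_DLL + 0x200).to_bytes(8, "little") + DISK["NtWriteVirtualMemory"][14:])

MEMORY = {
    "NtAllocateVirtualMemory": (_alloc_addr, _alloc_mem),
    "NtWriteVirtualMemory": (_write_addr, _write_mem),
    "NtClose": (NTDLL_BASE + 0x3000, DISK["NtClose"]),   # untouched
}


def scan_sample() -> Dict[str, Finding]:
    return {f.name: f for f in scan(MEMORY, DISK)}


if __name__ == "__main__":
    for f in scan_sample().values():
        tgt = f"-> {f.target:#x}" if f.target is not None else ""
        print(f"{f.name:28} {f.kind:10} ssn={f.ssn:#x} {tgt}")
```

A real scanner reads the in-memory bytes from the target process and the pristine bytes from a freshly mapped copy of ntdll.dll; the comparison and classification logic is unchanged. The resolved target is the forensic lead: a jump landing in an unsigned or unbacked region is a stronger indicator than one landing in a known engine DLL, and a stub that has been restored to its clean form while the engine's hook list still references it is the footprint of the unhooking methods the talk groups under Hook Evasion.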