Using process creation properties to catch evasion techniques

We developed a robust detection method in Microsoft Defender for Endpoint that can catch known and unknown variations of a process execution class used by attackers to evade detection. This class of stealthy execution techniques breaks some assumptions made by security products and enables...

Researchers Uncover 'Process Ghosting' — A New Malware Evasion Technique

Cybersecurity researchers have disclosed a new executable image tampering attack dubbed "Process Ghosting" that could be potentially abused by an attacker to circumvent protections and stealthily run malicious code on a Windows system. "With this technique, an attacker can write a piece of malwar...

Metasploit Wrap-Up

Hey who finked about Flink? In this week's round of modules, contributor bcoles offered up two modules to leverage that Apache Flink install you found in some fun new ways. If you are just looking to filch a few files, auxiliary/scanner/http/apacheflinkjobmanagertraversal leverages CVE-2020-17519...

Process Herpaderping evasion technique

This module allows you to generate a Windows executable that evades security products such as Windows Defender, Avast, etc. This uses the Process Herpaderping technique to bypass Antivirus detection. This method consists in obscuring the behavior of a running process by modifying the executable o...

Herpaderping - Process Herpaderping Bypasses Security Products By Obscuring The Intentions Of A Process

Process Herpaderping is a method of obscuring the intentions of a process by modifying the content on disk after the image has been mapped. This results in curious behavior by security products and the OS itself. Summary Generally, a security product takes action on process creation by registerin...