Presented at
CactusCon 12 (2024),
Feb. 16, 2024, 4 p.m.
(60 minutes).
Most process injection detection mechanisms involve host-based techniques that can be manipulated and when chained together with EDR bypass methods they aren’t always detected and blocked. A threat hunter cannot solely depend on an AV or EDR solution to mitigate host-based attacks.
This presentation will be made up of three parts:
1. Education and awareness
The presentation will introduce how host-based systems such as tracing API calls, changes of memory protection flags and others have traditionally been used. It will also cover why EDR/AV solutions are not a sufficient solution on their own against new TTPs. This will set the stage for why this new technique was developed.
2. Presenting the detection technique
We present a process injection detection technique developed based on network anomaly detection as opposed to the artifacts listed above. Our technique focuses on the process’s network behavior which is harder to hide compared to host based artifacts.
3. Example in the wild
We detected processes which deviated out of their baseline. After further investigation, we were able to trace these artifacts to the WannaMine campaign. We will showcase the forensic investigation which include attack techniques, tools and forensic artifacts found in the customer’s network.
This talk has value for every level of security professional. It will provide insights on a global scale showing the potential impact if these attack techniques are ignored or remain unseen.
Presenters:
-
Ofir Shen
- Akamai Security Researcher - Threat Hunting Team
Ofir Shen is a Senior Security Researcher in the Akamai Hunt team. His area of expertise includes developing detection methodologies, incident response and forensics.
Links:
Similar Presentations: