Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology, presented at Black Hat USA 2018

by Matt Graeber, Lee Christensen

Summary: While security products are a great supplement to the defensive posture of an enterprise, to well-funded nation-state actors, they are an impediment to achieving their objectives. As pentesters argue the efficacy of a product because it doesn't detect their specific offensive technique, mature actors recognize a need to holistically subvert the product at every step during the course of their operation.

Sysmon, a security tool used widely by defenders as well as several security vendors, is a great target with which to demonstrate a formalized approach to evasion and tampering. This talk will cover host footprint analysis, evasion, tampering, and rule auditing/bypass strategies. Specific strategies covered will include attack surface analysis, determining evasion "paths of least resistance", and identification of narrow, "exploitable" detections. By the end of the talk, it will become evident that the strategies applied to Sysmon can be easily applied to any security product.

Are security product vendors preparing themselves to be resilient against threats specifically targeting their product? Should they be? It is inevitable that capabilities will be developed against security products. Armed with that knowledge, how should vendors respond? You be the judge by applying a more systematic methodology to assessing security products.