Four months ago we published a 3-part series of blog posts, presenting a research carried out by two of our researchers: Yarden Shafir and Assaf Carlsbad. The research introduced a new way of monitoring parts of WoW64 processes that are usually ignored by security products. This blindspot often leads to exploitation by sophisticated pieces of malware. The technique presented in the research can be used to better monitor WoW64 processes, making detection harder to bypass. The research is the basis for some new SentinelOne detection capabilities, for example detecting the notorious “Heaven‘s Gate” bypass technique.
As a reminder, here are the links to this series of blog posts:
Following its publication, the research drew a lot of interest from the community. The researchers were invited to various cyber security conferences to share their insights.
For those of you who are intrigued by WOW64 applications and how to protect them, here is their talk from BSidesTLV. You can also meet them on August 30, at the HITB GSEC 2018 Conference.
*** This is a Security Bloggers Network syndicated blog from SentinelOne authored by Aviram Shmueli. Read the original post at: https://www.sentinelone.com/blog/now-stage-deep-hooks-monitoring-native-execution-wow64-applications/