Spoofing Commands - Can You Trust Process Creation Logs?


Details
Mixing it up this month with a look at how EDR can be evaded on Windows!
We typically trust that what is written to the Security event log on Windows servers and workstations is accurate; even reading these logs requires local administrator rights. More importantly, log-based detections, as well as some Endpoint Detection & Response (EDR) products, use the process creation events written to the Windows Security log either to enrich detections and show an analyst exactly what was run, or as part of the detection itself.
Unfortunately, a technique has existed for some time that lets an attacker control what gets logged as the command line, so the recorded command line is not what was actually run. It affects process creation logs generated by Windows itself (Security event 4688), by Sysmon (event ID 1) and even by Microsoft Defender XDR device logs. This gives attackers an opportunity to evade detections that depend on the logged command line, and when they pair it with EDR or logging bypass techniques, reconstructing what has actually occurred becomes incredibly difficult for an analyst.
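One check a defender can run today, as an added example that is not part of the talk: Security event 4688 captures the command line at process creation, while Win32_Process reads it from the process PEB at query time. Comparing the two for processes that are still running surfaces cases where the logged value and the live value disagree. This is a heuristic only: a spoofer that keeps the PEB consistent with what was logged produces no mismatch, and it cannot help for processes that have already exited. The script assumes it runs elevated (reading the Security log requires it) and that process creation auditing with command-line capture is enabled, otherwise 4688 events carry no CommandLine field. Function and parameter names are my own.

```powershell
# Added example: compare the command line recorded in Security event 4688 with
# the command line the same process reports now (Win32_Process.CommandLine,
# which is read from the process PEB). A mismatch is a lead, not proof.
# Assumptions: elevated session; Audit Process Creation enabled with
# "Include command line in process creation events" turned on.

function ConvertTo-NormalizedCommandLine {
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return '' }
    # Collapse whitespace so cosmetic differences are not reported as mismatches.
    return (($Value.Trim()) -replace '\s+', ' ')
}

function Get-CommandLineMismatch {
    param(
        [int]$MaxEvents = 5000,      # how many recent 4688 events to inspect
        [int]$ToleranceSeconds = 5   # PID-reuse guard: event time must be near process start
    )

    # Live view: CommandLine is read from each process's PEB at query time.
    $live = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $live[[int]$p.ProcessId] = $p
    }

    # Logged view: 4688 events, newest first. Without auditing enabled there may be none.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning 'No 4688 events found: is process creation auditing enabled?'
        return
    }

    foreach ($ev in $events) {
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 4688 stores the new PID as a hex string such as 0x1a2c.
        $newPid = [Convert]::ToInt32($data['NewProcessId'], 16)
        $proc   = $live[$newPid]
        if (-not $proc -or -not $proc.CreationDate) { continue }  # exited, or no start time

        # Only pair the event with a live process that started at about the same time,
        # otherwise a reused PID would produce a false mismatch.
        $delta = [math]::Abs(($proc.CreationDate - $ev.TimeCreated).TotalSeconds)
        if ($delta -gt $ToleranceSeconds) { continue }

        $logged = ConvertTo-NormalizedCommandLine $data['CommandLine']
        $now    = ConvertTo-NormalizedCommandLine $proc.CommandLine
        if ($logged -ne $now) {
            [pscustomobject]@{
                ProcessId         = $newPid
                Image             = $data['NewProcessName']
                LoggedAt          = $ev.TimeCreated
                LoggedCommandLine = $logged
                LiveCommandLine   = $now
            }
        }
    }
}

# Usage (elevated PowerShell):
# Get-CommandLineMismatch | Format-List
```

Because the logged and live views are normally identical, any row this returns deserves a closer look at the process (parent, image path, loaded modules) rather than an automatic verdict. The same comparison can be pointed at Sysmon event ID 1 in the Microsoft-Windows-Sysmon/Operational log by swapping the filter and the field names, since that event also records the command line at creation time.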
Come and learn about this attack vector and find out what can be done about it.