Time: 02:15 PM - 03:00 PM
The technique of ‘Module stomping’ - essentially, loading a legitimate module into a target process's address space, and overwriting it with malicious data - is used by real-world attackers to conceal their presence. Used in commercially-available attack suites such as Cobalt Strike, it is difficult to detect in real-time, and sometimes also difficult to detect during IR. First, I will detail the attack itself, presenting how to easily perform the attack without licensing commercial tools. Then, we will move to detection, where I will demonstrate writing a kernel driver to monitor memory information and detect attacks with a negligible performance overhead in a Windows environment.
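The core check behind detecting a stomped module, whether from a driver or during IR, is that the mapping is still image-backed but its executable bytes no longer match the file on disk. The following is an added example, not code from the talk or its author: it parses the PE section table of an on-disk image, picks the executable sections, and compares them against what was read from the process. The PE image it operates on is a constructed minimal one (an assumption for the example, not a real DLL), and `map_image` stands in for the Windows loader without applying relocations.

```python
"""Module-stomping detection primitive: compare executable PE sections on disk
against their in-memory copy and report every run of bytes that differs.
Added example; the PE image below is constructed, not a real module."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(image: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns tuples (name, virtual_address, virtual_size, raw_ptr, raw_size, characteristics)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + size_opt
    out = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, image, table + i * 40)
        out.append((name.rstrip(b"\0").decode(), vaddr, vsize, raw_ptr, raw_size, chars))
    return out


def find_stomped_ranges(disk_image: bytes, memory_image: bytes):
    """memory_image is indexed by RVA (memory_image[rva] == byte at module_base + rva).
    Only executable sections are compared, so IAT/relocation writes in data sections are
    ignored. Slack between SizeOfRawData and VirtualSize must be zero in memory, so
    the on-disk bytes are zero-padded to VirtualSize before comparison."""
    findings = []
    for name, vaddr, vsize, raw_ptr, raw_size, chars in parse_sections(disk_image):
        if not chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            continue
        on_disk = disk_image[raw_ptr:raw_ptr + raw_size].ljust(vsize, b"\0")[:vsize]
        in_mem = memory_image[vaddr:vaddr + vsize]
        run_start = None
        for i in range(vsize + 1):  # one past the end closes a trailing run
            differs = i < vsize and on_disk[i] != in_mem[i]
            if differs and run_start is None:
                run_start = i
            elif not differs and run_start is not None:
                findings.append((name, vaddr + run_start, vaddr + i))
                run_start = None
    return findings


def build_test_image() -> bytes:
    """Constructed minimal PE: one code section with 16 bytes of slack, one data section.
    SizeOfOptionalHeader is 0 for brevity (assumption; real images carry one)."""
    code = bytes([0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3]) + b"\xCC" * 9
    text_hdr = struct.pack(SECTION_HDR, b".text\0\0\0", 0x20, 0x1000, 0x10, 0x200, 0, 0, 0, 0,
                           IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    data_hdr = struct.pack(SECTION_HDR, b".data\0\0\0", 0x10, 0x2000, 0x10, 0x400, 0, 0, 0, 0,
                           IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x2022)
    pe = (dos + b"PE\0\0" + coff + text_hdr + data_hdr).ljust(0x200, b"\0") + code
    return pe.ljust(0x400, b"\0") + b"A" * 16


def map_image(disk_image: bytes) -> bytearray:
    """Stand-in for the loader: headers at RVA 0, each section at its RVA, slack zeroed."""
    sections = parse_sections(disk_image)
    mem = bytearray(max(vaddr + vsize for _, vaddr, vsize, *_ in sections))
    hdr_end = min(raw_ptr for _, _, _, raw_ptr, _, _ in sections)
    mem[:hdr_end] = disk_image[:hdr_end]
    for _, vaddr, _, raw_ptr, raw_size, _ in sections:
        mem[vaddr:vaddr + raw_size] = disk_image[raw_ptr:raw_ptr + raw_size]
    return mem


def demo():
    """Returns (findings for a clean mapping, findings for a stomped mapping)."""
    disk = build_test_image()
    clean = map_image(disk)
    stomped = bytearray(clean)
    stomped[0x1000:0x1004] = b"\x90\x90\x90\xCC"  # constructed stand-in for injected code
    stomped[0x1014] = 0xEB                         # byte hidden in the section's zero slack
    stomped[0x2000:0x2004] = b"BBBB"               # data write: expected, not reported
    return find_stomped_ranges(disk, clean), find_stomped_ranges(disk, stomped)


if __name__ == "__main__":
    for label, result in zip(("clean", "stomped"), demo()):
        print(label, [(n, hex(a), hex(b)) for n, a, b in result])
```

Two caveats for a production version of this check: the real loader applies base relocations, and on x86 builds some of those land inside `.text`, so the comparison must either apply the relocation table to the disk copy or mask the relocated bytes; and inline hooks from EDR or AV products produce small benign diffs at function prologues that need to be whitelisted rather than treated as stomping.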
Aliz is a security researcher at Countercept, where they spend most of their time supporting the threat hunting team in their engagement of real-world attackers. With a background in binary-level reverse-engineering and exploitation, Aliz enjoys playing in ring0, usually reversing or interrogating the Windows kernel in order to detect new and emerging threats as seen in the wild by the Threat Hunters. Previous work includes detecting “gargoyle” attacks, for which they were awarded first place in the 2018 Volatility plugin contest.