Evading in plain sight: how adversaries beat user-mode protection engines for over a decade

Wednesday 24 September 14:00 - 14:30, Red room

Omri Misgav (independent)

Following the largest global IT outage in history, in July 2024, many took to the public stage advocating prohibiting endpoint security vendors from deploying kernel-based components, even prompting regulators to weigh in.
This kicked off an effort to assess the impact of the proposed design shift as many endpoint-oriented security solutions, from different malware analysis tools to various commercial products (like AVs, EDRs and sandboxes), already include user mode-based engines.

The research started with examining open-source projects and publications such as Heaven's Gate, SysWhispers and FireWalker, and continued by analysing and reverse-engineering malware families of all types in the wild, including well-known threats like Emotet, SmokeLoader, HijackLoader, FormBook, DarkGate, Hive ransomware and Winnti, among others. Over 55 different data sources were ingested in all, mapping the entire threat landscape and yielding an in-depth understanding and insights into attackers' tradecraft and how adversaries have evolved over more than a decade.

Compiling the most comprehensive collection on this topic made it very clear – this is the most prolific post-exploitation technique yet, surpassing even code injection methods.

This talk will explore the 26 unique methods that researchers and malware authors have developed to beat user mode-based protection engines, catalogued under three main tactics: Hook Evasion, Argument Forgery, and Engine Disarming. The talk will also highlight drawbacks of the various methods and provide a detection scheme focusing on runtime and forensics indicators that malware researchers, incident responders and detection engineers facing this issue can utilize.

Omri Misgav Omri is an independent security researcher with over a decade of experience in the field. Previously, he headed a security research group in Fortinet's FortiGuard Labs, focused on OS internals, malware and vulnerabilities. Omri joined Fortinet following enSilo's acquisition, where he was the security research team leader and spearheaded the development of new offensive and defensive techniques. Before that, he led the R&D of unique network and endpoint security products for large-scale enterprise environments and was part of an incident response team, conducting investigations and hunting for nation-state threat actors. Omri is a past speaker at various conferences such as DEF CON, AVAR, BSideLV and others.

Back to VB2025 Programme page

Back to VB2025 conference page

Other VB2025 papers