
Veni, No Vidi, No Vici: Attacks on ETW Blind EDR Sensors



Event Tracing for Windows (ETW) is a built-in feature originally designed for software diagnostics; today it is essential for Endpoint Detection & Response (EDR) solutions. ETW is deeply integrated into the Windows kernel and is involved in many API calls to trace OS events. ETW functions are used by numerous EDRs and by business and academic projects to respond to security threats. The bad news for defenses is that ETW is vulnerable: malware countermeasures can disable ETW, making the whole class of EDRs totally useless...

By: Andrey Golchikov, Igor Korkin & Claudiu Teodorescu

Full Abstract & Presentation Materials: https://www.blackhat.com/eu-21/briefings/schedule/#veni-no-vidi-no-vici-attacks-on-etw-blind-edr-sensors-24842