Wednesday, October 27, 2021

ETW Part 2: Process Parent Spoofing

Process Parent Spoofing

Many current detection techniques rely on process creation logs and the parent/child relationships those logs imply. For example, many detection rules alert when PowerShell is launched by WinWord.exe, because that relationship typically indicates a macro has started a PowerShell payload.
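To make the kind of rule described above concrete, here is an added example (not code from the original post) that runs a parent/child detection over constructed process-creation records. The records are built inline in the shape of Sysmon Event ID 1 fields (Image, ParentImage, ProcessId, ParentProcessId) and are not real telemetry; the Office and shell image names, and the helper names `direct_parent_alerts` and `ancestry_alerts`, are this example's own choices. It goes one step beyond the text by also walking the ancestry chain so that a macro that goes through cmd.exe before reaching PowerShell is still caught.

```python
"""Parent/child process-creation detection over constructed Sysmon-style events.

Added example: the events below are constructed for illustration and modelled on
Sysmon Event ID 1 field names; they are not taken from the original post.
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcessCreate:
    utc_time: str
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample events (hypothetical; ordered by creation time).
EVENTS = [
    ProcessCreate("2021-10-27 09:00:01.000", 4212, EXPLORER, "explorer.exe",
                  900, r"C:\Windows\System32\userinit.exe"),
    ProcessCreate("2021-10-27 09:00:05.000", 5120, WINWORD,
                  '"WINWORD.EXE" /n invoice.docm', 4212, EXPLORER),
    # Macro spawns PowerShell directly: the classic direct-parent rule fires.
    ProcessCreate("2021-10-27 09:00:09.000", 6008, POWERSHELL,
                  "powershell.exe -nop -w hidden -enc SQBFAFgA", 5120, WINWORD),
    # Macro spawns cmd.exe, which spawns PowerShell: only an ancestry walk catches it.
    ProcessCreate("2021-10-27 09:00:12.000", 6100, CMD,
                  "cmd.exe /c powershell -nop -w hidden", 5120, WINWORD),
    ProcessCreate("2021-10-27 09:00:12.250", 6150, POWERSHELL,
                  "powershell -nop -w hidden", 6100, CMD),
    # Benign interactive PowerShell from the desktop: no alert.
    ProcessCreate("2021-10-27 09:05:00.000", 7000, POWERSHELL,
                  "powershell.exe", 4212, EXPLORER),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Case-insensitive image name without its directory (Windows path rules)."""
    return ntpath.basename(path).lower()


def direct_parent_alerts(events):
    """Rule 1: a shell whose immediate logged parent is an Office application."""
    return [e for e in events
            if basename(e.image) in SHELLS and basename(e.parent_image) in OFFICE_APPS]


def ancestry_alerts(events, max_depth: int = 3):
    """Rule 2: a shell with an Office application anywhere in its first
    max_depth ancestors, following ParentProcessId through earlier events.

    Real telemetry should key on ProcessGuid rather than PID, since PIDs
    are reused; the constructed sample has no reuse so PID is enough here.
    Returns (event, chain) pairs, chain being the ancestor names walked.
    """
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if basename(e.image) not in SHELLS:
            continue
        chain, cur, depth = [], e, 0
        while cur is not None and depth < max_depth:
            parent = basename(cur.parent_image)
            chain.append(parent)
            if parent in OFFICE_APPS:
                alerts.append((e, chain))
                break
            cur = by_pid.get(cur.parent_pid)
            depth += 1
    return alerts


if __name__ == "__main__":
    for e in direct_parent_alerts(EVENTS):
        print(f"[direct]   pid={e.pid} {basename(e.image)} <- {basename(e.parent_image)}")
    for e, chain in ancestry_alerts(EVENTS):
        print(f"[ancestry] pid={e.pid} {basename(e.image)} <- {' <- '.join(chain)}")
```

Both rules trust the ParentImage and ParentProcessId fields as logged; that trust is exactly what parent spoofing targets, which is the subject of the rest of the post.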

Many people are sometimes surprised to learn that on Windows parent/child process…
