Security Research

SKREAM Reloaded: Randomizing Kernel Pool Allocations

In the second SKREAM post, our researchers propose a generic mitigation for kernel pool overflow vulnerabilities based on randomizing pool allocations.

SKREAM: Kernel-Mode Exploits Mitigations For the Rest of Us

This article presents a Windows kernel exploitation technique and suggests a way to mitigate the vulnerability class that enables it.

What is Meterpreter, the Advanced and Powerful Metasploit Payload

Meterpreter is a powerful payload that criminals can abuse to carry out fileless, in-memory attacks. See how SentinelOne detects and blocks such attempts.

DNSMessenger PowerShell Malware Analysis

A walkthrough of DNSMessenger, a multi-stage PowerShell malware that uses DNS queries as its command-and-control channel to the victim machine.

SentinelOne Detects and Blocks New Variant of Powershell CryptoWorm

Late last year, Marco Ramilli posted an article on an in-memory PowerShell/WMI CryptoWorm. Here at SentinelOne, we found a new, active variant of this spreading CryptoWorm. In this post we review what is new in this variant and suggest how to remove it from an infected network. What's new in this version? Communication: This CryptoWorm […]

Deep Hooks: Monitoring native execution in WoW64 applications – Part 3

Last time (part 1, part 2) we demonstrated several different methods for injecting 64-bit modules into WoW64 processes. This post picks up where we left off and describes how the ability to execute 64-bit code in such processes can be leveraged to hook native x64 APIs. To accomplish this task, the injected DLL […]

Deep Hooks: Monitoring native execution in WoW64 applications – Part 2

In the first part of this series we presented several injection methods capable of loading 64-bit DLLs into WoW64 processes, with the intention of eventually using such a DLL to hook 64-bit API functions in the process. We finished the post by presenting injection via APC, and saw that, when tested to […]

Deep Hooks: Monitoring native execution in WoW64 applications – Part 1

This blog post is the first in a three-part series describing the challenges one has to overcome when trying to hook the native NTDLL in WoW64 applications (32-bit processes running on top of a 64-bit Windows platform). As documented by numerous other sources, WoW64 processes contain two versions of NTDLL. The first is a […]

What Really Matters with Machine Learning

Let's cut through the noise and see what matters most in machine learning, and for security products in general.