Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology

Conference: Black Hat USA 2018



The presentation discusses a formalized methodology for subverting endpoint security products, using Sysmon as an example. The goal is to evade detection and tamper with the product at every step during an operation.
  • Evasive adversaries aim to avoid detection
  • The presentation covers detection and subversion methodologies
  • Sysmon is used as an example of a security product to subvert
  • Strategies for subverting data collectors are discussed
  • Vendors should focus on resilience against threats targeting their products
The presenters wore ridiculous outfits for charity, which they acknowledged was awkward for them. They emphasized the importance of transparency in sharing tradecraft, so that such tradecraft is not held exclusively by nation-state adversaries.


While security products are a useful supplement to an enterprise's defensive posture, to well-funded nation-state actors they are an impediment to achieving their objectives. Where a pentester might judge a product's efficacy by whether it detects their specific offensive technique, mature actors recognize the need to subvert the product holistically, at every step of their operation. Sysmon, a security tool used widely by defenders and by several security vendors, is therefore a good target on which to demonstrate a formalized approach to evasion and tampering. This talk covers host footprint analysis, evasion, tampering, and rule auditing/bypass strategies. Specific strategies include attack surface analysis, determining evasion "paths of least resistance", and identifying narrow, "exploitable" detections. By the end of the talk it will be evident that the strategies applied to Sysmon can be applied just as easily to any security product. Are security product vendors preparing to be resilient against threats that specifically target their product? Should they be? It is inevitable that capabilities will be developed against security products. Armed with that knowledge, how should vendors respond? You be the judge, by applying a more systematic methodology to assessing security products.
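The "host footprint analysis" step the abstract lists is the part of the methodology that is easiest to make concrete. The script below is an added example written for this page, not code from the talk or its authors. It enumerates the artifacts a Sysmon install leaves on a Windows host, preferring invariants that survive a renamed service or driver binary: the minifilter altitude 385201 that Microsoft allocated to Sysmon (an assumption stated in the code; verify it against your own install), the fixed `Microsoft-Windows-Sysmon/Operational` event channel, and the binary rule blob under the driver's `Parameters` key. The function name `Get-SysmonFootprint` and the default description string match are this example's own choices. Run it in an elevated PowerShell 5.1 or later session; the same enumeration is what an operator would run before deciding which parts of the product to evade or tamper with, and what a defender would run to see how much of their deployment is trivially discoverable.

```powershell
# Added example, not from the talk. Enumerate a Sysmon install's on-host footprint
# using markers that do not change when the service or driver is renamed.
# Assumptions: elevated PowerShell 5.1+; Sysmon's minifilter altitude is 385201;
# the service description string is the product default "System Monitor service".

function Get-SysmonFootprint {
    [CmdletBinding()]
    param(
        # Sysmon's registered minifilter altitude (assumed). Renaming the driver
        # with "sysmon -i -d <name>" does not change it.
        [string]$SysmonAltitude = '385201'
    )

    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $result  = [ordered]@{ Services = @(); Drivers = @(); EventLog = $null; Config = $null }

    # 1. Services. Default names are Sysmon/Sysmon64, but a renamed binary installs
    #    under the new name, so also match the binary path and the default description.
    $result.Services = @(Get-CimInstance Win32_Service |
        Where-Object {
            $_.Name -match 'sysmon' -or $_.PathName -match 'sysmon' -or
            $_.Description -eq 'System Monitor service'
        } |
        Select-Object Name, PathName, State, Description)

    # 2. Kernel driver. Walk every service key and look for a minifilter instance
    #    registered at Sysmon's altitude, whatever the key itself is called.
    foreach ($key in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
        $instRoot = Join-Path $key.PSPath 'Instances'
        if (-not (Test-Path $instRoot)) { continue }
        foreach ($inst in Get-ChildItem $instRoot -ErrorAction SilentlyContinue) {
            $alt = (Get-ItemProperty $inst.PSPath -ErrorAction SilentlyContinue).Altitude
            if ($alt -eq $SysmonAltitude) {
                $props = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
                $result.Drivers += [pscustomobject]@{
                    DriverKey = $key.PSChildName
                    ImagePath = $props.ImagePath
                    Altitude  = $alt
                }
            }
        }
    }

    # 3. Event channel. The channel name is fixed regardless of service/driver name,
    #    so its presence and record count are a reliable "is Sysmon here" signal.
    $log = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue
    if ($log) {
        $result.EventLog = [pscustomobject]@{
            LogName     = $log.LogName
            IsEnabled   = $log.IsEnabled
            RecordCount = $log.RecordCount
            MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        }
    }

    # 4. Configuration. The compiled rule set is a REG_BINARY blob under the driver's
    #    Parameters key; its size is a crude indicator of whether a custom config is
    #    loaded, and HashingAlgorithm/Options reveal the installer switches used.
    foreach ($d in $result.Drivers) {
        $params = Get-ItemProperty (Join-Path $svcRoot "$($d.DriverKey)\Parameters") -ErrorAction SilentlyContinue
        if ($params) {
            $result.Config = [pscustomobject]@{
                DriverKey        = $d.DriverKey
                RulesBlobBytes   = if ($params.Rules) { $params.Rules.Length } else { 0 }
                HashingAlgorithm = $params.HashingAlgorithm
                Options          = $params.Options
            }
        }
    }

    [pscustomobject]$result
}

# Usage: an empty Drivers list alongside a live event channel means either the
# altitude assumption is wrong for this host or the driver is not loaded.
$fp = Get-SysmonFootprint
$fp.Services | Format-Table -AutoSize
$fp.Drivers  | Format-Table -AutoSize
$fp.EventLog
$fp.Config
```

The ordering of the checks reflects the "path of least resistance" idea from the abstract: the service name and binary path are the cheapest artifacts for a defender to change, the altitude and event channel are not, so an evasion plan that only accounts for the former is narrow in exactly the way the talk describes.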