This blog post breaks down a taxonomy for endpoint security products. It suggests using complementary feature set descriptions, each with strengths and weaknesses, rather than a generational definition with concentric features.

Using process creation as a case study, this research will outline the evasion-detection arms race to date, describe the weaknesses in some current detection approaches and then follow the quest for a generic approach to LRPC-based evasion.

In this blog, we will demonstrate how to detect each of four classes of process trampolining and release an updated PowerShell detection script – Get-InjectedThreadEx