
Detecting and blocking unknown KnownDlls

Blog post from Elastic

Post Details

Company: Elastic
Date Published:
Author: Gabriel Landau
Word Count: 1,287
Company Posts That Month: 20
Language: -
Hacker News Points: -
Summary

The blog post explores a still-unpatched Windows privilege escalation vulnerability in which an attacker poisons the KnownDlls cache to execute highly privileged actions normally reserved for kernel drivers. The attack uses a bug in the DefineDosDevice API to add an attacker-controlled DLL to the KnownDlls cache, thereby bypassing the security checks that would otherwise reject it. The post explains how to detect such attacks in real time with a Windows driver and Elastic Endpoint Security, focusing on code integrity violations inside Windows Protected Process Light (PPL) processes. It introduces CI Spotter, a proof-of-concept tool that detects these attacks and prevents them by terminating the offending process, and shows how Elastic Security can be configured to monitor and alert on these violations.

Trends Found in this Post

| Trend | Post Mentions | Total Month Mentions | Posts | Companies | MoM |
| --- | --- | --- | --- | --- | --- |
| Developer Experience | 6 | 219 | 103 | 41 | +14% |
| Real-time | 2 | 1,004 | 320 | 104 | +5% |