ring0
Joined March 2017
batsec retweeted
Replying to @vysecurity
yarh dude, it's kinda weak. As an open source maintainer with so many followers I would think you knew better
batsec retweeted
ANSWER: I found out how to do what I wanted. Here's an awesome article by @_batsec_ blog.dylan.codes/pwning-wind… It turns out that you can just check every process for whether it contains the module wevtsvc.dll. Then you inject into that process and patch EtwEventCallback 5/?
Replying to @infosecuriti
Glad it's helpful. I've written a couple of YARA rules to disable detection for some common techniques. Feel free to add any others you find useful.
Replying to @incredincomp
I wouldn't advise it
Replying to @ilove2pwn_
I'm not saying one can replace the other, just that AC does a much better job detecting malicious code, especially in the kernel
But that's obviously just one tiny area. Which is why I'm saying that EDR can learn from AC
Replying to @VessOnSecurity
I disagree. When cheat devs are having to bypass secure boot and build custom hypervisors just to defeat anti-cheat, then they must be doing something right.
Replying to @VessOnSecurity
I'm not saying that one can replace the other, just that EDRs can learn a lot from anti-cheat
Replying to @two06
Dunno what ur talking about 👀
Replying to @two06
😳