Red team guy at @SpecterOps | Aut viam inveniam aut faciam

USA
Joined June 2010
Matt Hand retweeted
We've noted our findings after a couple of years auditing #Windows #Defender Attack Surface Reduction events. Hopefully it will help anyone considering block mode. Being able to use the credential stealing/lsass rule was the surprise for me. medium.com/palantir/microsof…
Replying to @byt3bl33d3r
Yep! For example, Sysmon is registered at 385201, which is one of the ways that Shhmon locates it in case the default name has changed. While these altitudes are registered with MSFT, they aren't enforced. The mini filter can be moved to a different altitude that isn't taken.
It's also worth noting that these are just the minifilters and not the primary kernel drivers used by EDRs.
Replying to @spotheplanet
Great work as always! 🍻
Great work! Your post does a really great job of explaining how the ELAM driver works with the service to do the collection and clarified a lot of the finer points for me. I also love the tool's name 👏 I'm going to update my post with a reference to yours today.
That's good info! I just tested myself by changing a running cmd.exe to use the PsProtectedSignerAntimalware signer flag, but I'm restricted and can't execute anything afterwards. Any idea what's up?
I assume the EtwTi* providers in the kernel are secure ETW? Any way to get info from the providers from user mode?
Replying to @jdu2600 @cobbr_io
@dwizzzleMSFT Are the kernel providers available to vendors?