Kernel
Sensecon 23: from Windows drivers to an almost fully working EDR
TL;DR I wanted to better understand EDR’s so I built a dummy EDR and talk about it here. EDR (Endpoint Detection and Response) is a kind of security product that aims to detect abnormal activities being executed on a computer or a server. When looking for resources about how EDR’s work, I realised that, even if there is a lot of literature available about EDR’s, there aren’t many articles explaining…
Filter-Mute Operation: Investigating EDR Internal Communication
For our annual internal hacker conference dubbed SenseCon in 2023, I decided to take a look at communication between a Windows driver and its user-mode process. Here are some details about that journey. Attackers could use Windows kernel R/W exploit primitive to avoid communication between EDR_Driver.sys and its EDR_process.exe. As a result some EDR detection mechanisms will be disabled and make it (partially) blind to malicious payloads. This blogpost describes…
Page 1 of 1