Daniel Feichter

Infosec Tirol

Daniel Feichter has worked for several years as a red teamer and penetration tester in Austria. His focus is on Windows-environment red teaming, pentesting and research. Among other things, he works intensively on AV/EDR systems under the Windows OS. At the end of 2021 he decided to start his own company, Infosec Tirol (https://www.infosec.tirol), with which he focuses on product-independent offensive security services to improve IT security in companies in Austria.

Master of Puppets Part II - How to tamper with the EDR?

A talk about strategies for tampering with EDR products under Windows. Even as an administrator it isn't always easy to find a way to bypass a good EDR product. For example, you were able to compromise your first host in the target network and you were also able to escalate to local admin. On the host you see that there are open high-integrity processes belonging to a domain admin, and you want to steal the token of the DA or dump the LSASS process. But even as admin you are not allowed to disable the EDR, because it is password protected. Instead of bypassing the EDR, we try to find a more or less general path to tamper with EDR products in user space and kernel space, so that we as red teamers are able to avoid prevention, detection and telemetry collection by the EDR, host isolation by the EDR, and the EDR's self-repair of a partly tampered system. To learn about these strategies we take a closer look at the different components of EDR products in user space and kernel space under Windows. Step by step, we try to understand the relationship between the different components (processes, services, registry keys, callbacks, drivers, etc.) and thereby try to find a way to completely disable an EDR product by tampering with the components the EDR depends on.