My key takeaways
- EDR loader: may execute shellcode
- Most EDR are on cloud
- Recipe to pwn such EDR:
  - get IPs for the vendors (usually whitelisted)
  - create a Windows firewall rule to block these IPs
  - EDR pwnd
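Defender-side check for the firewall trick above, added here as an example and not from the talk or BHIS: it lists enabled outbound block rules scoped to specific remote addresses (the shape a rule cutting an agent off from its cloud backend would have) and, assuming "Audit MPSSVC Rule-Level Policy Change" is enabled, pulls recent rule-added events.

```powershell
# Added example (not from the talk or BHIS). Enumerate enabled outbound
# Windows Firewall block rules that target specific remote addresses.
# An EDR agent cut off from its cloud backend by such a rule keeps running
# locally but stops reporting, so these rules deserve a second look.

function Get-SuspiciousOutboundBlockRule {
    [CmdletBinding()]
    param()

    # Only enabled, outbound, blocking rules can sever telemetry.
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction Stop

    foreach ($rule in $rules) {
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter

        # A rule blocking 'Any' remote address is usually policy; a block
        # scoped to a handful of IPs or ranges is what we want to review.
        $remote = @($addr.RemoteAddress) | Where-Object { $_ -ne 'Any' }
        if ($remote.Count -eq 0) { continue }

        [PSCustomObject]@{
            Name          = $rule.DisplayName
            Profile       = $rule.Profile
            RemoteAddress = ($remote -join ',')
            Program       = $app.Program
            PolicyStore   = $rule.PolicyStoreSourceType   # Local vs. GroupPolicy
        }
    }
}

# Rule additions are logged as Security event 4946 only when
# "Audit MPSSVC Rule-Level Policy Change" is on (assumed here).
function Get-RecentFirewallRuleAddition {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4946; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Get-SuspiciousOutboundBlockRule | Format-Table -AutoSize
Get-RecentFirewallRuleAddition | Format-List
```

Correlate a flagged rule's remote addresses against the EDR vendor's published backend ranges; a local-store block on those ranges is a strong tampering signal.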
- Recipe to pwn such EDR:
  - EDRs are blind to WSL(2) since 2018
  - Files >50MB are usually ignored by EDRs
  - Rust, GoLang, Nim to bypass EDR
  - A lot of malware is still written in Delphi
  - EDR look for comments in code
    - no comments, no cry
Env
- Provided by BHIS
- Presenter: