InfoGuard Labs

If you can read the detection rules, evading them becomes a lot easier. New write-up on decrypting Cortex XDR behavioral rules and abusing Global Whitelists by @p0w1_. TL;DR: just put ':\Windows\ccmcache' in your command line. Fixed in Agent 9.1. labs.infoguard.ch/posts/decrypti…

Abusing Cortex XDR Live Terminal as C2 We reverse-engineered the IR payload and found ways to route EDR traffic to attacker-controlled tenants or custom servers. Living off the Land #LOTL with EDRs. Full write-up by @p0w1_ 👇labs.infoguard.ch/posts/abusing_…

Need a SYSTEM shell? Just ask your EDR! CVE-2025-13176: ESET Inspect Connector looks for an OpenSSL config in a user-writable path. It’s an easy LPE that loads your payload directly into the EDR process. by @p0w1_ labs.infoguard.ch/advisories/cve…

New blog: hunting reflected .NET assemblies at scale with Velociraptor, detecting CLR patching, and dumping in-memory payloads for triage by @mgreen27  #DFIR #Velociraptor labs.infoguard.ch/posts/clraptor…

We've published technical details for CVE-2025-51682 and CVE-2025-51683 – two vulnerabilities in the time management software mJobTime that lead to unauthenticated RCE via SQLi by @dario_weiss: labs.infoguard.ch/advisories/cve…

We noticed some misunderstandings about the described vulnerabilities. We've updated the blog post with a clearer summary of the attacks and added a new attack chart to show the attack flow. The attacks directly target the Defender cloud endpoints. They can be executed without being on the targeted host after obtaining the machine ID. labs.infoguard.ch/posts/attackin…

New blog post by @p0w1_ : We looked into Microsoft Defender for Endpoint's cloud communication and found multiple vulnerabilities. Want to intercept isolation requests as an unauthenticated attacker? Or upload hidden malware to IR? MSRC: low severity 🤷 labs.infoguard.ch/posts/attackin…

Advisory with technical details published for CVE-2025-10363 by @p0w1_. It is an deserialization-based unauthenticated RCE to SYSTEM with a CVSS score of 10.0 Read more: labs.infoguard.ch/advisories/cve…

Enhance your DFIR workflows in VDI environments. Use Velociraptor with virtual clients and remapping to automate VHDX profile analysis. Read more: labs.infoguard.ch/posts/automati… #DFIR #Velociraptor #ThreatHunting #Forensics

We've published technical details and a PoC exploit for CVE-2025-47187 and CVE-2025-47188 – two vulnerabilities in Mitel SIP Phones that lead to unauthenticated RCE: labs.infoguard.ch/posts/cve-2025…

Credits to @p0w1_

Code and results: github.com/ig-labs/defend…

New blog post: Fuzzing Microsoft Defender's mpengine.dll using snapshot fuzzing (WTF, kAFL/NYX). We uncovered several out-of-bounds read & null dereference bugs that can crash the main Defender process on a file scan. Details -> labs.infoguard.ch/posts/attackin…