Two Seven One Three

278 posts

Two Seven One Three banner
Two Seven One Three

Two Seven One Three

@TwoSevenOneT

Chief Security Officer (CSO) || Security Researcher at https://t.co/YsorB5YEAu || Penetration Tester || Red Teamer || Social Engineering Awareness Trainer

Katılım Eylül 2024
2K Takip Edilen5.1K Takipçiler
Sabitlenmiş Tweet
Two Seven One Three
Two Seven One Three@TwoSevenOneT·
New #redteam tool for blocking EDRs: EDRChoker Instead of fully blocking the EDR agents' connections to their server, we can throttle their bandwidth so they consistently time out when sending data, which is effectively the same as blocking but avoids triggering "block" or "drop" packet events #pentest #cybersecurity Github: TwoSevenOneT/EDRChoker
Two Seven One Three tweet mediaTwo Seven One Three tweet mediaTwo Seven One Three tweet media
English
24
180
758
116.2K
Karkas
Karkas@CDC_FI·
@TwoSevenOneT Double checked Trellix Agent, too. Works, no updates, no Alert Transmission. Client looks dead in Server Console
English
1
0
1
30
Two Seven One Three
Two Seven One Three@TwoSevenOneT·
New #redteam tool for blocking EDRs: EDRChoker Instead of fully blocking the EDR agents' connections to their server, we can throttle their bandwidth so they consistently time out when sending data, which is effectively the same as blocking but avoids triggering "block" or "drop" packet events #pentest #cybersecurity Github: TwoSevenOneT/EDRChoker
Two Seven One Three tweet mediaTwo Seven One Three tweet mediaTwo Seven One Three tweet media
English
24
180
758
116.2K
Two Seven One Three
Two Seven One Three@TwoSevenOneT·
@EAehorn I think you should determine which process handles the connection task to the MDE server first. I've already included it in the list, but I'm not sure it contains all the MDE processes
English
1
0
0
15
Elmar Aehorn
Elmar Aehorn@EAehorn·
@TwoSevenOneT Does it have to do something with Tamper Protection being turned on? Does the setting bypass the QoS policies set?
English
1
0
0
7
Karkas
Karkas@CDC_FI·
@TwoSevenOneT OK, double checked with another client. It worked against tanium. Maybe more than 20 QoS Policys at the same time are too much. If i only use the few Tanium processes your PoC works against it
English
1
0
1
111
Karkas
Karkas@CDC_FI·
@TwoSevenOneT Sure, but what do you want to hear. Tanium only consists of two binaries. I added them, rebootet and Client was still able to speak with the Server, Accept incomming request and send Alerts ¯\_(ツ)_/¯
English
2
0
0
85
Powell Jo
Powell Jo@XanacR74233·
@TwoSevenOneT I sincerely apologize for any inconvenience caused. I believe this was a misunderstanding and kindly request a review.
English
1
0
0
25
wr4pped
wr4pped@M43LS70M3·
@TwoSevenOneT looking at process explorer under MsMpEng trying to download security intelligence will open MsCmdRun and a svchost process followed by increased network bandwidth usage inside process explorer. its always 10s of KB to a few MB
English
1
0
0
31
ioan
ioan@_i04n·
@TwoSevenOneT EDRUnChoker - registers a permanent WMI subscription with a 5-second timer that runs an embedded VBScript (fileless) deleting any MSFT_NetQosPolicySettingData policies targeting known security products or aggressive app-path throttles. github.com/sbousseaden/ED…
English
2
0
2
355
Two Seven One Three
Two Seven One Three@TwoSevenOneT·
@0x534c Nice 👍 Can you still remotely control the client after it becomes inactive?
English
1
0
2
744
Steven Lim
Steven Lim@0x534c·
@TwoSevenOneT Good job Pal 👍 It did silent my MDE for a while until my detection kicks in😅 phew!
Steven Lim tweet media
English
1
2
10
1.2K
Ista
Ista@IstaPee·
@TwoSevenOneT @RossMichaels328 @Defte_ there are some cloud-derived detections and blocks that CS does somewhat retroactively, and those would not happen once the EDR is blinded. but the core ruleset lives on the endpoint and will block/detect things even without network connectivity.
English
1
1
0
57
Karkas
Karkas@CDC_FI·
@TwoSevenOneT Does not work for Trellix Endpoint Security (AV, not EDR) 10.7.20.14066 Does not work for Tanium Threat Response Agent (EDR) 7.6 Does (!) work for Trendmicro Deep Security Agent (AV, latest Version)
English
1
0
1
417
Mike Nolan
Mike Nolan@mike_nolan__·
@TwoSevenOneT Doesn't work on Defender XDR choking the following; mssense.exe msmpeng.exe nissrv.exe senseir.exe sensendr.exe sensetvm.exe mpdefendercoreservice.exe
English
1
0
1
322
Rahman
Rahman@0xRhman·
@TwoSevenOneT Great work as always! Thank you for the article!
English
1
0
1
636