Joe
@trk_rdy
MSFT | My opinions are mine.
Joined March 2021
466 Following, 1.4K Followers
1K posts

HotCakeX ✡︎ סגול @CyberCakeX
After Months of Development, FINALLY ready to share: Harden System Security 🎉
✅ Complete System Hardening
✅ Security Posture Analysis
✅ All-in-One Toolkit
✅ Built-in Intune support for Scalability
✅ Beautiful Modern UI
✅ CLI support
github.com/HotCakeX/Harde… #Cyber #Windows

EZ @IAMERICAbooted
Someone said today they are going to get MDE+AV installed alongside 3rd party EDR+AV. Go ahead, summer child. Go ahead. Don't listen to the people who already did this 5 years ago and know what problems it caused. But sure, have your fun thinking you know better.

Joe retweeted
Ru Campbell @rucam365
New video: deep dive into Defender for Endpoint/Antivirus settings.
- what every one really does
- what "good" looks like
- gotchas
- nuances
And why some of the important ones are "hidden".
Watch: youtu.be/R8btJ_SjwVk

Joe @trk_rdy
@reprise_99 That, and toys requiring 22 batteries that have no volume control.

Matt Zorich @reprise_99
When another parent gifts your child a 10-dollar craft set from Kmart that has 10 million beads, one kg of glitter and 400 metres of thread that you will continue to find around your house until the end of time

Joe @trk_rdy
"How's the test system configured?" is my favorite unanswered question.

Joe @trk_rdy
@Cyb3rMaddy How's the test system configured?

Maddy 🐝 @Cyb3rMaddy
🔥 BYPASS WINDOWS DEFENDER
XOR-obfuscate a Sliver C2 payload on Kali, forge a stealth C++ loader, and drop a reverse shell on Win10 in seconds.
OUT NOW: youtu.be/lC9zh3_S-zg

Joe @trk_rdy
@malmoeb This is another example of "how is the system configured?"

Stephan Berger @malmoeb
I successfully tested an LSASS dumping technique on a Windows 10 lab machine, which we encountered on a recent Incident Response engagement (no EDR, default Defender installed). The "MiniDumpWriteDump" technique, as described here [1], was successful in writing the LSASS process to disk. However, as soon as I tried to copy the dump to my Kali machine, Defender jumped into action, prohibited access to the LSASS dump, and moved the file to quarantine.

And here is the catch. I browsed to the following folder:

C:\ProgramData\Microsoft\Windows Defender\Quarantine

In the ResourceData folder, you will find different sub-folders (or not, if Defender never quarantined anything on that host), each folder containing a quarantine file. The files are encrypted with a static key that leaked years ago, and this 10-year-old code snippet is still sufficient to decrypt the files back to their original state. [2]

Long story short: I copied the encrypted file to my Kali machine, decrypted it using the Python code from [2], and extracted the credentials and hashes with pypykatz. [3]

Classic example of "No, it's not enough when your AV blocked or removed a threat". As you can see, an attacker can easily get the LSASS dump, even if Defender removed it from the disk ¯\_(ツ)_/¯

[1] ired.team/offensive-secu…
[2] raw.githubusercontent.com/malmoeb/DFIR/r…
[3] github.com/skelsec/pypyka…

Nasreddine Bencherchali @nas_bench
If you claim you bypassed an EDR, please show us the Cloud connection status. If it's "disconnected" -> see the gif below. Also, as a new standard, when you demo a bypass claim, do not show the desktop but instead show us the EDR UI and the activity tab of the machine.

Matt Zorich @reprise_99
Hey @elonmusk can you use the power of this new US government to investigate this Lakers Mavs trade for us all? Thanks 🙏

Douglas C @Do0g7e
@DebugPrivilege you still got pals in MSFT? Got an interesting submission MDE is missing... nice bundled Cobalt Strike, NitrogenLoader with MSTeamsSetup.exe

Joe @trk_rdy
@HuntressLabs FWIW - Disabling notifications doesn't impair Defender

Huntress @HuntressLabs
🥓 Authenticated onto the VPN from a suspicious Eastern European IPv4
🧀 Checked the Domain Admins group and cleared Windows Event Logs
🌭 Then impaired Defender, deployed a reverse shell disguised as a legit binary, and set up a Tor service for persistent RDP access.

Huntress @HuntressLabs
A threat actor broke into a Wisconsin food factory's network. Our SOC saw every move they made 👇

Joe @trk_rdy
@reprise_99 Should say "IR" instead of water.

Matt Zorich @reprise_99
Those health professionals were right after all, drinking two litres of water a day has given me much more energy

Joe @trk_rdy
@NathanMcNulty @YongRheeMSFT It's the proactive perf part I'm not super familiar with, as for the last 4 years or so of IR work it was always ad-hoc, mixed-tooling situations we needed to troubleshoot, so we knew the machine and generally how to repro perf issues.

Nathan McNulty @NathanMcNulty
@trk_rdy @YongRheeMSFT Should always start with a clean slate... But there's no proactive performance reporting, so orgs bring exclusions over because "we don't wanna risk it..." Poor Yong Rhee has already worked with one of these, but hopefully I can save him a call next month on something else :p

Nathan McNulty @NathanMcNulty
OK, now we're cooking :) Will have to publish a blog on setup, but this is pretty awesome. Done with the part to collect EstimatedImpact events from MPLog and send back to a Log Analytics Workspace in a way we can query. Next is the performance analyzer output 😎

Quoting Nathan McNulty @NathanMcNulty:
In case anyone is interested, here's a script to gather Defender logs and create a performance recording, then compress it and upload it to Azure blob storage. This works via Live Response, Intune scripts, etc. Just need Create permissions on a SAS token. github.com/nathanmcnulty/…

Joe @trk_rdy
@NathanMcNulty Oh boy haha, that's usually the time to start with as clean of a slate as possible. @YongRheeMSFT any recommendations here? Seems like there would be many variables to this. Let me ponder on this.

Nathan McNulty @NathanMcNulty
@trk_rdy Proactive performance monitoring :) Very long story short, I keep getting orgs that migrate a freaking mess of exclusions despite best efforts... So I want to create a simple solution where we can identify/correlate potential issues and help create contextual process exclusions

Joe @trk_rdy
@NathanMcNulty Very interesting question, is this something you'd collect ad-hoc or based on an event?

Nathan McNulty @NathanMcNulty
Yo @trk_rdy, got any recs on combinations of EstimatedImpact and time for cutoffs on what to collect from MPLog? I'm thinking default of 70+ with over 1K total time for reasonable volume and things to chase down. Thoughts? :)

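The MPLog mining that the three Nathan McNulty posts above describe (collect EstimatedImpact events, then cut off at "70+ with over 1K total time"), as an added example that is not his script and not code from any of the original posts. It is written in Python so it runs anywhere; his tooling runs via Live Response or Intune and is presumably PowerShell. The sample log lines are constructed for this example and follow the publicly documented layout of MPLog performance lines (ProcessImageName, Pid, TotalTime, Count, MaxTime, MaxTimeFile, EstimatedImpact); the time fields are treated as opaque integers with no unit asserted, and rolling events up per image name across PIDs is this example's own choice.

```python
"""Mine Defender MPLog EstimatedImpact lines for scan-heavy processes.

Added example for this thread; not Nathan McNulty's script. The field layout
is taken from public write-ups of MPLog performance lines, and the sample
lines below are constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass

# Constructed sample. A real MPLog-*.log mixes these with many other lines.
SAMPLE_MPLOG = r"""
2025-02-03T14:02:11.120Z ProcessImageName: sqlservr.exe, Pid: 2140, TotalTime: 1540, Count: 312, MaxTime: 480, MaxTimeFile: \Device\HarddiskVolume3\Data\MSSQL\tempdb.mdf, EstimatedImpact: 82%
2025-02-03T14:02:11.121Z ProcessImageName: svchost.exe, Pid: 1044, TotalTime: 96, Count: 40, MaxTime: 12, MaxTimeFile: \Device\HarddiskVolume3\Windows\System32\example.dll, EstimatedImpact: 71%
2025-02-03T14:02:11.122Z ProcessImageName: build.exe, Pid: 5520, TotalTime: 2200, Count: 9000, MaxTime: 30, MaxTimeFile: \Device\HarddiskVolume3\src\obj\a.o, EstimatedImpact: 35%
2025-02-03T14:02:11.123Z ProcessImageName: sqlservr.exe, Pid: 2140, TotalTime: 900, Count: 100, MaxTime: 300, MaxTimeFile: \Device\HarddiskVolume3\Data\MSSQL\app.ldf, EstimatedImpact: 75%
2025-02-03T14:02:11.124Z ProcessImageName: backup.exe, Pid: 7010, TotalTime: 5000, Count: 2, MaxTime: 4800, MaxTimeFile: \Device\HarddiskVolume3\Backups\full.bak, EstimatedImpact: 90%
2025-02-03T14:02:12.000Z Engine: signature update completed (unrelated line, must be ignored)
"""

# MaxTimeFile is matched non-greedily so a path containing commas still parses.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ProcessImageName: (?P<image>.+?), Pid: (?P<pid>\d+), "
    r"TotalTime: (?P<total>\d+), Count: (?P<count>\d+), MaxTime: (?P<max>\d+), "
    r"MaxTimeFile: (?P<file>.*?), EstimatedImpact: (?P<impact>\d+)%$"
)


@dataclass
class ProcessStats:
    image: str
    events: int = 0          # number of EstimatedImpact lines seen
    total_time: int = 0      # summed TotalTime, units as logged
    scan_count: int = 0      # summed Count
    max_impact: int = 0      # highest EstimatedImpact seen
    max_time: int = 0        # worst single MaxTime
    max_time_file: str = ""  # file behind that worst MaxTime


def parse_mplog(text):
    """Return one dict per EstimatedImpact line; every other line is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": m["ts"], "image": m["image"], "pid": int(m["pid"]),
            "total": int(m["total"]), "count": int(m["count"]),
            "max": int(m["max"]), "file": m["file"], "impact": int(m["impact"]),
        })
    return records


def aggregate(records):
    """Roll records up per image name (case-insensitive) across PIDs."""
    stats = {}
    for r in records:
        s = stats.setdefault(r["image"].lower(), ProcessStats(image=r["image"]))
        s.events += 1
        s.total_time += r["total"]
        s.scan_count += r["count"]
        s.max_impact = max(s.max_impact, r["impact"])
        if r["max"] > s.max_time:
            s.max_time, s.max_time_file = r["max"], r["file"]
    return stats


def flag_candidates(stats, min_impact=70, min_total_time=1000):
    """Apply the '70+ impact AND over 1K total time' cutoff; both must hold."""
    hits = [s for s in stats.values()
            if s.max_impact >= min_impact and s.total_time > min_total_time]
    return sorted(hits, key=lambda s: s.total_time, reverse=True)


if __name__ == "__main__":
    for s in flag_candidates(aggregate(parse_mplog(SAMPLE_MPLOG))):
        print(f"{s.image}: total={s.total_time} impact={s.max_impact}% "
              f"events={s.events} hot_file={s.max_time_file}")
```

On a live host the input would be the MPLog-*.log files under C:\ProgramData\Microsoft\Windows Defender\Support. Requiring both conditions is what keeps the volume reasonable: in the sample, svchost.exe clears the impact bar but its total time is negligible, and build.exe burns time but at low impact, so only backup.exe and sqlservr.exe come back. The hot file carried with each hit is what lets you argue for a narrow path exclusion instead of a blanket process exclusion.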
Joe @trk_rdy
@reprise_99 Haha, garage fridge is for beer and venison. Certainly not a rich thing in the Midwest. For me it was a dining room, kids whose parents brought the food into a whole other room to eat was wild.

Matt Zorich @reprise_99
Growing up, what was the one thing you saw at someone else's house that you thought made them rich? For me, it was anyone that had an extra fridge in the garage just for drinks. I thought this was the height of wealth as a kid