Mike Manrod
@CroodSolutions
CISO and adjunct faculty, focused on finding problems and fixing them. The basics are still the most important aspect of a good security program.
EDR-on-EDR Violence 1/🧵 @BushidoToken called out that EDR products were being abused by threat actors. @Shammahwoods & I realized a free trial of an attacker controlled EDR can be used to kill the existing EDR. @techspence @UK_Daniel_Card @Jhaddix github.com/CroodSolutions…
Detections engineers, threat hunters, you should be putting controls in place for ‘Bring-Your-Own-EDR (BYOEDR)’ style attacks
Free trial abuse isn’t just for cloud/SaaS providers
When **cough good EDRs go bad... Or this is why we can't have nice things. Another alternate title, tools aren't always the answer.
Interesting thread by @CroodSolutions on using EDR to kill EDR
🧵2/ We noticed a few problems immediately:
- Multiple EDR/AV vendors allow for unverified free trials.
- An attacker-controlled (trial) EDR can be used to kill the actual EDR (Cisco Secure Endpoint can kill Elastic Defend and CrowdStrike Falcon Protect).
- Sometimes a new…
Security needs to be aligned with business goals, and these days one of them is strong initiatives to get developers to adopt AI coding tools. To stay ahead, be thinking about hardening and best practices for those. Idc if you personally believe in them, business does.
EDR is rmm on steroids
🙏🙌
Reminder: “not real hacking” is cringey & shows how insecure you are. Not just emotional insecurity with your need to “protect” a word, but also the insecurity with any system you are responsible for due to all your blind spots. Real adversaries will get access no matter what…
Added a new tool to: powershellforhackers.com/tools/revshell/ ⚠️Please Use Responsibly⚠️ You can use this to instantly generate an obfuscated reverse shell in PowerShell that I have personally used to beat EVERY single EDR out there right now. I've added some pretty cool stuff to my website…
#FF of #InfoSec & #CyberSecurity professionals @0dayCTF @CroodSolutions @TCMSecurity @JackRhysider @Alh4zr3d @AccidentalCISO @rana__khalil @joehelle @Jhaddix @CSKIP71 @d0rkph0enix @seclilc @GarrGhar @endingwithali @TaelurAlexis @runasand @InsiderPhD @I_Am_Jakoby @TheMsterDoctor1
Resharing this useful catalog of various EDR products "shell" and response functionalities by @cbecks_2 related to the Thread discussion below 👇 github.com/cbecks2/edr-ar…
There are various reports of cybercriminals abusing CrowdStrike RTR, the SentinelOne installer, and the Wazuh SIEM Agent. Seems we could do with a new @MITREattack TTP for this threat. Should be a concern for orgs running any type of EDR/SIEM agents. (Sources linked below)
Testing this scenario now with @Shammahwoods and expanding our AutoRMM framework to include some EDR/SIEM agents as we speak. We can confirm that at least two such products so far let us set up a trial without any verification. We should have some testing scripts for at…
My CISO wants me to force my employees to get a security certification, so I'm getting them all TLS certificates from letsencrypt. Checked the checkbox, boss.