Articles tagged with: #edr
Using EDR-Redir To Break EDR Via Bind Link and Cloud Filter

Technical Information Security Content & Discussion www.reddit.com

EDR-Redir uses the Bind Filter minifilter (bindflt.sys) and the Windows Cloud Filter API (cldflt.sys) to redirect the Endpoint Detection and Response (EDR) product's working folder to a folder of the attacker's choice. Alternatively, it can make the folder appear corrupt to prevent the EDR's processes and services from functioning. Submitted by /u/Cold-Dinosaur.

Shifting from reactive to proactive: Cyber resilience amid nation-state espionage

CyberScoop cyberscoop.com

In recent years, the cybersecurity industry has made significant strides in securing endpoints with advanced Endpoint Detection and Response (EDR) solutions, and we have been successful in making life more difficult for our adversaries. While this progress is a victory, it has also produced a predictable and dangerous consequence where threat actors are shifting their

Threat Hunting tools

cybersecurity www.reddit.com

I am a SOC Manager looking to purchase tools that can assist our team with Threat Hunting. Other than EDR and SIEM, is there anything anyone else is using that they find valuable? Submitted by /u/Powerful_Film_9409.

SSL C2 bypassing EDR - Demo of SIEM detection + Detection as Code deployment

For [Blue|Purple] Teams in Cyber Defence www.reddit.com

Hey everyone, I put together a video showing something I think many blue teams deal with: encrypted C2 traffic sailing right past EDR. In the demo, I run an SSL C2 connection that the EDR completely misses, then show how to detect it using the SIEM. The second half covers building a detection rule and pushing it to the SIEM via a Detection-as-Code pipeline. What's covered: using indicators in the SIEM to spot the C2 sample; writing the detection logic; automating rule deployment with a DaC pipeline...
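The two detection stages the post describes (an indicator match on the sample, then a rule that a Detection-as-Code pipeline can ship) can be sketched as a small, runnable example. This is added example code, not the poster's demo or any SIEM vendor's code. It assumes Zeek-style ssl.log records in JSON form (the `ja3` field comes from the Zeek ja3 package); the log lines, JA3 hashes, hostnames and IP addresses are constructed for the example and are not real indicators. Beyond the post's single sample, it also adds a second check, inter-connection timing regularity, which catches a beacon even when no indicator for it exists yet.

```python
import json
import statistics
from collections import defaultdict

# Constructed indicator set for the demo (hypothetical values, not real IOCs).
INDICATORS = {
    "ja3": {"72a589da586844d7f0818ce684948eea"},
    "server_name": {"cdn-update.example"},
    "dst_ip": {"203.0.113.45"},
}
# Map indicator names to the Zeek ssl.log field that carries the value.
FIELD_FOR = {"ja3": "ja3", "server_name": "server_name", "dst_ip": "id.resp_h"}


def _rec(ts, uid, src, dst, sni, ja3, status):
    # Zeek ssl.log field names as emitted by its JSON writer.
    return json.dumps({"ts": ts, "uid": uid, "id.orig_h": src, "id.resp_h": dst,
                       "id.resp_p": 443, "server_name": sni, "ja3": ja3,
                       "validation_status": status})


BASE = 1700000000.0
BEACON_JA3 = "72a589da586844d7f0818ce684948eea"   # constructed C2 client fingerprint
OK_JA3 = "579ccef312d18482fc42e2b822ca2430"       # constructed, stands in for a browser
SAMPLE_LOG = [  # constructed: 10.0.0.5 beacons every ~60 s, 10.0.0.8 browses normally
    _rec(BASE + 0, "C1a", "10.0.0.5", "203.0.113.45", "cdn-update.example", BEACON_JA3, "self signed certificate"),
    _rec(BASE + 59, "C1b", "10.0.0.5", "203.0.113.45", "cdn-update.example", BEACON_JA3, "self signed certificate"),
    _rec(BASE + 120, "C1c", "10.0.0.5", "203.0.113.45", "cdn-update.example", BEACON_JA3, "self signed certificate"),
    _rec(BASE + 180, "C1d", "10.0.0.5", "203.0.113.45", "cdn-update.example", BEACON_JA3, "self signed certificate"),
    _rec(BASE + 240, "C1e", "10.0.0.5", "203.0.113.45", "cdn-update.example", BEACON_JA3, "self signed certificate"),
    _rec(BASE + 299, "C1f", "10.0.0.5", "203.0.113.45", "cdn-update.example", BEACON_JA3, "self signed certificate"),
    _rec(BASE + 10, "C2a", "10.0.0.8", "198.51.100.10", "mail.example", OK_JA3, "ok"),
    _rec(BASE + 400, "C2b", "10.0.0.8", "198.51.100.10", "mail.example", OK_JA3, "ok"),
    _rec(BASE + 430, "C2c", "10.0.0.8", "198.51.100.10", "mail.example", OK_JA3, "ok"),
    _rec(BASE + 500, "C2d", "10.0.0.8", "198.51.100.20", "www.example", OK_JA3, "ok"),
]


def parse_records(lines):
    """Parse JSON-formatted Zeek ssl.log lines, skipping malformed or incomplete ones."""
    out = []
    for line in lines:
        try:
            r = json.loads(line)
        except json.JSONDecodeError:
            continue
        if all(k in r for k in ("ts", "uid", "id.orig_h", "id.resp_h", "id.resp_p")):
            out.append(r)
    return out


def indicator_hits(records):
    """Check 1: direct indicator match. Returns (uid, matched indicator names) per record."""
    hits = []
    for r in records:
        matched = tuple(sorted(name for name, values in INDICATORS.items()
                               if r.get(FIELD_FOR[name]) in values))
        if matched:
            hits.append((r["uid"], matched))
    return hits


def beacon_candidates(records, min_conns=5, max_cv=0.15):
    """Check 2: timing regularity, which needs no indicator. Connections are grouped by
    (src, dst, port); a group is flagged when the gaps between connections have a
    coefficient of variation (stdev / mean) at or below max_cv."""
    by_flow = defaultdict(list)
    for r in records:
        by_flow[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    found = {}
    for flow, times in by_flow.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            found[flow] = {"count": len(times), "mean_gap": mean, "cv": cv}
    return found


def detect(lines):
    """Run both checks and return one alert string per finding, the shape a SIEM rule emits."""
    records = parse_records(lines)
    alerts = [f"indicator uid={uid} matched={','.join(fields)}" for uid, fields in indicator_hits(records)]
    for (src, dst, port), s in beacon_candidates(records).items():
        alerts.append(f"beacon {src}->{dst}:{port} n={s['count']} gap={s['mean_gap']:.1f}s cv={s['cv']:.3f}")
    return alerts


def sigma_rule(ja3_hashes, title="TLS C2 client fingerprint"):
    """Render the indicator check as a Sigma rule. In a Detection-as-Code pipeline this
    text is what gets committed, reviewed and converted to the SIEM's query language."""
    values = "\n".join(f"      - {h}" for h in sorted(ja3_hashes))
    return (f"title: {title}\nstatus: experimental\nlogsource:\n  product: zeek\n  service: ssl\n"
            f"detection:\n  selection:\n    ja3:\n{values}\n  condition: selection\nlevel: high\n")


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
    print(sigma_rule(INDICATORS["ja3"]))
```

On the constructed log the indicator check fires on all six beacon connections and the timing check flags the 10.0.0.5 to 203.0.113.45 flow (six connections, mean gap 59.8 s, coefficient of variation near zero), while the browsing host trips neither. The 0.15 threshold and the five-connection minimum are tuning knobs: real implants add jitter, so raise `max_cv` gradually and watch the false-positive rate on update and telemetry traffic, which is also periodic.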

Question about CS MDR

CrowdStrike www.reddit.com

I recently talked to CrowdStrike about unifying SIEM + EDR + MDR under their platform. I was honestly shocked to learn just how much response they're capable of, like removing registry keys or taking other remediation actions per endpoint, based on your policy. When I asked how often they can run an incident to completion without my team's involvement, they said something along the lines of "nearly every time." For those of you who are fully onboard (or have been) with the full CrowdStrike stack:...

Question about CS MDR

cybersecurity www.reddit.com

I recently talked to CrowdStrike about unifying SIEM + EDR + MDR under their platform. I was honestly shocked to learn just how much response they're capable of, like removing registry keys or taking other remediation actions per endpoint, based on your policy. When I asked how often they can run an incident to completion without my team's involvement, they said something along the lines of "nearly every time." For those of you who are fully onboard (or have been) with the full CrowdStrike stack:...

Looking for career progression advice

cybersecurity www.reddit.com

Hello folks, like the title says, I am looking for some advice. I am currently working as a security consultant for a small MSP that gives freedom to study and skill up, and my career development talk is going to happen soon. What career path/education would you suggest, in your experience, for a person with 4-6 years of experience in SIEM, EDR and DLP solutions? I don't really have much experience in firewalls or networking. I am kinda being seen as the go-to SIEM guy but do wish to broaden my...

Is the helpdesk an "unsolvable" security problem?

cybersecurity www.reddit.com

Feels like we spend millions on EDR and firewalls, but our real weak point is a 10 min phone call to a Tier 1 agent. Are we just stuck in a cycle of training and hoping for the best, or have you seen controls that can actually fix this? Scattered Spider has been very effective at exploiting this. Submitted by /u/robograd.

Trellix products are unbearable

cybersecurity www.reddit.com

Honestly, I wouldn't wish them on my worst enemy, mainly the McAfee side of their stack. Nothing works properly. All you end up doing is opening endless support tickets that either never get resolved or take months to close. Their DLP has been crashing Microsoft Edge for users for over a year and it's still not fixed. The SIEM is so clunky that I feel like pulling my hair out five minutes in. And the so-called EDR? Useless. You can't reliably search for anything on it. What the hell, man....

F5 BIG-IP Breach: 44 CVEs That Need Your Attention Now

Cyber Exposure Alerts www.tenable.com

Partnering with an EDR vendor after a nation-state has already stolen your source code isn't innovation - it's a gamble. You don't build a fire extinguisher while the house is burning. You find every spark before it becomes the next inferno. Key takeaways: F5's BIG-IP is used to secure everything from government agencies to critical infrastructure. The theft of BIG-IP source code and undisclosed vulnerabilities by a nation-state actor is a five-alarm fire for national security and puts all...

EDR vs Competitors

CrowdStrike www.reddit.com

We are looking at switching from Taegis MDR to just EDR. I use CrowdStrike Falcon currently as NGAV but would like to consolidate the portals if it lines up correctly. Taegis EDR/MDR flags scripts, commands, and user interaction more than CrowdStrike's AV, and that's fine; does CrowdStrike's EDR compare with the same kind of detection as Taegis? Submitted by /u/Digimon54321.

CISA Warns Of Rapid7 Velociraptor Vulnerability Exploited in Ransomware Attacks

Cyber Security News cybersecuritynews.com

The Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent alert on October 14, 2025, highlighting a critical vulnerability in Rapid7's Velociraptor endpoint detection and response (EDR) tool. This flaw, stemming from incorrect default permissions, has already been weaponized by threat actors to execute arbitrary commands and seize control of infected endpoints, amplifying risks for

EDR-Freeze Tool Technical Workings Along With Forensic Artifacts Revealed

Cyber Security News cybersecuritynews.com

A recent analysis from researcher Itamar Hällström has revealed the technical workings and forensic trail of "EDR-Freeze," a proof-of-concept technique that temporarily disables security software. By abusing legitimate Windows components, this method can place Endpoint Detection and Response (EDR) and antivirus (AV) processes into a temporary, reversible coma, allowing attackers to operate undetected. How EDR-Freeze

RealBlindingEDR Tool That Permanently Turns Off AV/EDR Using Kernel Callbacks

Cyber Security News cybersecuritynews.com

An open-source tool called RealBlindingEDR enables attackers to blind, permanently disable, or terminate antivirus (AV) and endpoint detection and response (EDR) software by clearing critical kernel callbacks on Windows systems. Released on GitHub in late 2023, the utility leverages signed drivers for arbitrary memory read and write operations, bypassing protections like PatchGuard to target six

Microsoft Defender Vulnerabilities Allow Attackers to Bypass Authentication and Upload Malicious Files

Cyber Security News cybersecuritynews.com

Critical flaws have been uncovered in the network communication between Microsoft Defender for Endpoint (DFE) and its cloud services, allowing post-breach attackers to bypass authentication, spoof data, disclose sensitive information, and even upload malicious files to investigation packages. These vulnerabilities, detailed in a recent analysis by InfoGuard Labs, highlight ongoing risks in endpoint detection and response (EDR)