Latest Blog Posts
Analyzing and Breaking Defender for Endpoint's Cloud Communication
Attacking EDRs Part 5 - Multiple vulnerabilities are present in the communication of Defender for Endpoint with cloud APIs. Authentication bypass, spoofing of commands and data, uploading malicious data to incident responders and information disclosure.
2025-10-10 | 1333 words | 7 minutes
Automation of VHDX Investigations
Yann Malherbe
Automating VHDX investigations can transform how DFIR teams handle virtual desktop environments. By integrating Velociraptor with a smart remapping workflow, this approach enables seamless analysis of virtual profiles, reducing manual effort, increasing speed, and ensuring consistent, scalable results across investigations.
2025-09-19 | 2568 words | 13 minutes
Attacking EDRs Part 4: Fuzzing Defender's Scanning and Emulation Engine (mpengine.dll)
Multiple out-of-bounds read and null dereference bugs were identified in Microsoft Defender by using Snapshot Fuzzing with WTF and kAFL/NYX. The bugs can be used to crash the main Defender process as soon as the file is scanned. Most are unpatched, but none appear exploitable for code execution.
2025-05-23 | 3901 words | 20 minutes
Attacking EDRs Part 3: One Bug to Stop them all
This post describes a DoS vulnerability affecting most Windows EDR agents. The root cause is the agents' handling of objects that already exist in the Object Manager's namespace.
2025-02-24 | 3422 words | 17 minutes
Attacking EDRs Part 2: Driver Analysis Results
The second part describes the process and results of the EDR driver security analysis of Palo Alto Cortex using manual analysis and Sophos Intercept X using snapshot fuzzing. Only minor vulnerabilities were identified (CVE-2024-5905).
2025-02-17 | 3599 words | 18 minutes
Attacking EDRs Part 1: Intro & Security Analysis of EDR Drivers
This article gives an overview of the attack surface of EDR software and describes the process of searching for attack surface in EDR drivers from the perspective of a low-privileged user.
2025-02-10 | 2340 words | 12 minutes
Tear Down The Castle - Part 2
Stephan Berger
To gain insight into common issues and patterns of misconfiguration, we analyzed 250 PingCastle reports collected from Incident Response cases and Compromise Assessments.
2025-01-23 | 1514 words | 8 minutes
Tear Down The Castle - Part 1
Stephan Berger
To gain insight into common issues and patterns of misconfiguration, we analyzed 250 PingCastle reports collected from Incident Response cases and Compromise Assessments.
2025-01-19 | 1814 words | 9 minutes