Cc @markrussinovich @SwiftOnSecurity @Heurs FYI Interesting research on attacking SYSMON.
There are an infinite number of ways to subvert Sysmon if you have admin privilege on the server. This is a cat and mouse game that's not winnable.
New conversation
https://twitter.com/tdr_local/status/1146682628466040832?s=19 I noticed the allocated number is no longer on the Microsoft website?
Seeing that as well
New conversation
Ah, so you're basically unloading the filter driver. Cool.
Yeah, exactly. There is some functionality to hunt for changes from default, but it all boils down to fltlib!FilterUnload.
New conversation
*adds to my obfuscation* Thanks
Somehow I get process termination events for Sysmon reliably, and I am pretty sure I can also event and alert on this. I will find you.
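An added detection example, written for this page and not code from anyone in the thread: it runs two rules over constructed Sysmon-style event records. The first flags the tamper signals the tweet above relies on (Sysmon Event ID 5, process terminated, for the Sysmon binary itself, and Event ID 4, service state changed, reporting Stopped). The second covers the gap the thread's technique leaves: if only the minifilter driver is unloaded, the service process can stay alive and no termination event fires, so the rule also watches for the event stream going silent. The XML shape is simplified from the operational log, the binary names assume a default (unrenamed) install, and the 10-minute silence threshold is an arbitrary constructed value.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Sysmon's default service binaries (assumption: not renamed at install time).
SYSMON_IMAGES = ("sysmon.exe", "sysmon64.exe")


def _rec(event_id: int, when: str, **fields: str) -> str:
    """Build one constructed record in a trimmed Sysmon-operational-log XML shape."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f"<Event><System><EventID>{event_id}</EventID>"
            f'<TimeCreated SystemTime="{when}"/></System>'
            f"<EventData>{data}</EventData></Event>")


# Constructed sample stream (not real captures): normal activity, then the
# Sysmon process dying and the service stopping, then a 30-minute silence.
SAMPLE_EVENTS = [
    _rec(1, "2019-07-04T10:00:00.000Z", Image=r"C:\Windows\System32\notepad.exe", ProcessId="4242"),
    _rec(5, "2019-07-04T10:00:30.000Z", Image=r"C:\Windows\System32\notepad.exe", ProcessId="4242"),
    _rec(5, "2019-07-04T10:01:00.000Z", Image=r"C:\Windows\Sysmon64.exe", ProcessId="1337"),
    _rec(4, "2019-07-04T10:01:05.000Z", State="Stopped", Version="10.2"),
    _rec(1, "2019-07-04T10:31:00.000Z", Image=r"C:\Windows\System32\notepad.exe", ProcessId="5150"),
]


def parse_event(xml_text: str) -> Dict:
    """Extract EventID, timestamp and the EventData name/value pairs."""
    root = ET.fromstring(xml_text)
    stamp = root.find("./System/TimeCreated").get("SystemTime")
    return {
        "id": int(root.findtext("./System/EventID")),
        "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ"),
        "data": {d.get("Name"): (d.text or "") for d in root.findall("./EventData/Data")},
    }


def tamper_alerts(events: List[Dict]) -> List[str]:
    """Rule 1: Sysmon's own process terminated (ID 5) or service stopped (ID 4)."""
    alerts = []
    for ev in events:
        data = ev["data"]
        if ev["id"] == 5:
            image = data.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if image in SYSMON_IMAGES:
                alerts.append(f"{ev['time'].isoformat()} sysmon process terminated: {data.get('Image')}")
        elif ev["id"] == 4 and data.get("State", "").lower() == "stopped":
            alerts.append(f"{ev['time'].isoformat()} sysmon service reported Stopped")
    return alerts


def silent_gaps(events: List[Dict], max_gap: timedelta,
                now: Optional[datetime] = None) -> List[Tuple[datetime, datetime]]:
    """Rule 2: any stretch longer than max_gap with no events at all.

    A host that normally emits events constantly but goes quiet is the signal
    for a driver unloaded underneath a still-running Sysmon service.
    """
    times = sorted(ev["time"] for ev in events)
    gaps = [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]
    if now is not None and times and now - times[-1] > max_gap:
        gaps.append((times[-1], now))
    return gaps


def run_sample() -> Tuple[List[str], List[Tuple[datetime, datetime]]]:
    """Apply both rules to the constructed stream and return their findings."""
    events = [parse_event(x) for x in SAMPLE_EVENTS]
    return tamper_alerts(events), silent_gaps(events, timedelta(minutes=10))


if __name__ == "__main__":
    found_alerts, found_gaps = run_sample()
    for line in found_alerts:
        print("ALERT", line)
    for start, end in found_gaps:
        print("SILENCE", start.isoformat(), "->", end.isoformat())
```

The silence rule is the one worth tuning per fleet: pick the threshold from the quietest legitimate interval a host shows during business hours, and feed `now` from the collector so a host that stops reporting entirely is caught as well.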
I love the name