Adam Svoboda (@adamsvoboda)'s Twitter Profile
Adam Svoboda

@adamsvoboda

buy the ticket, take the ride

ID: 26950541

Website: https://adamsvoboda.net | Joined: 27-03-2009 04:34:30

799 Tweets | 1.1K Followers | 435 Following

Adam Svoboda (@adamsvoboda):

Remember to tell your friends that On-Premise Exchange Servers are just Domain Controllers with 0days that people put on the public internet!

Adam Svoboda (@adamsvoboda):

Microsoft also has some exclusions for Citrix in their ASR whitelisting that you can abuse to bypass ASR to dump lsass, one in %temp% which is pretty handy.

Adam Svoboda (@adamsvoboda):

About a year ago I dumped some of what appear to be a variety of S1 whitelisting classifiers from the process memory of SentinelAgent.exe, but did not dig deeper or test any out. gist.github.com/adamsvoboda/f6… There may be some interesting data in the binlog files as well:

Adam Svoboda (@adamsvoboda):

Just wanted to shout-out zimnyaa for the amazing work on noWatch, a convenient little tool for testing EDR detections on generic implant behavior and a console for quick disasm to check hooks. This tool was a huge help in my testing a year ago. github.com/zimnyaa/noWatch

Jonas Vestberg (@bugch3ck):

Well there goes my AS400 research 😭 I have been exploiting this issue for a number of years. Didn't have time/resources to look into it. Good job Silent Signal 👏 blog.silentsignal.eu/2023/07/03/ibm…

Adam Svoboda (@adamsvoboda):

This is handy because you can use it to get minidumps of PPL processes without exploits like PPLFault or loading a driver, and it's not detected because SentinelAgent.exe does the dump itself.

Soufiane (@s0ufi4n3):

Thanks to this tweet x.com/adamsvoboda/st… and the idea from this x.com/adamsvoboda/st… I'm cleaning out what looks like the whole whitelisting classifiers, (and far from only) list and will release it very soon. Thanks, Adam Svoboda for the awesome work :)
