Adversary Village

Daniel Feichter

Founder at Infosec Tirol

Daniel Feichter's original background is in industrial engineering. He started about 3.5 years ago, more or less as an offensive security rookie, as an employee. For various reasons he decided to start his own company, Infosec Tirol, in 2022, through which he focuses even more on offensive security such as APT testing, adversary simulation and red teaming.

Daniel invests a lot of his time in learning and research in the area of endpoint security. Building on Windows internals, he works day by day to better understand AV/EPP/EDR products on Windows and is always looking for new ways to bypass and evade them.

Talk: Master of Puppets: How to tamper the EDR?
Technical Talk Adversary Tradecraft

More and more companies realize that trying to prevent malicious activity alone is not enough, so more and more of them are deploying EDR products in their environments. From a red team perspective this is an increasing challenge, because even after the red team has achieved a local privilege escalation, most well-known EDR products are still very annoying. In the last few months we have seen a lot about bypassing EDRs, but what about possible ways to disable the main functionality of an EDR through targeted, controlled tampering with specific key components of it? Which EDR components in Windows user space and kernel space can be key elements for disabling the EDR's main functionality, without relying on an uninstall password, uninstalling the product, or using the Windows Security Center? And how can we as red teamers not just get rid of prevention by the antivirus module of an EPP/EDR, but also get rid of detections (active alerts in the web console) by the EDR module, the telemetry footprint produced by the EDR sensor, host isolation, real-time response remote shells, and the EDR sensor recovery feature?