Brutkey

cR0w
@cR0w@infosec.exchange

Fuck this unnamed EDR.

EDR: Suspicious file modification detected. Anti-Ransomware Protection enabled.

Me: What's the file that was modified?

EDR: IDK.

Me: What process modified it?

EDR: IDK.

Me: How was it modified?

EDR: IDK.

Me: Who was the user logged on at the time?

EDR: IDK.

Me: Did you prevent the file modification?

EDR: No, just reporting it. But here's the hostname.
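The questions in the post above (which file, which process, how, which user, was it blocked) are exactly what an analyst has to reconstruct by hand when the EDR only hands over a hostname. The script below is an added example, not code from the original thread or from any EDR vendor: it joins a constructed alert to constructed host file-write telemetry (the shape of Windows Security event 4663 or Sysmon file events forwarded to a SIEM, with field names assumed here) by hostname and time window, and reports "unknown" wherever telemetry does not cover the gap.

```python
"""Enrich a context-free 'suspicious file modification' EDR alert.

Added example, not code from the thread or any EDR product. Assumptions:
the analyst can query per-host file-write events (4663 / Sysmon style, schema
assumed below) and the alert carries at least a hostname and timestamp.
All records are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed alert: roughly the fields the EDR in the thread actually gave.
# "action" is an assumed field name; the thread says it reported, not blocked.
ALERT = {
    "host": "WS-0042",
    "ts": "2024-05-01T14:03:10Z",
    "rule": "Anti-Ransomware Protection",
    "action": "report_only",
}

# Constructed file-write telemetry (field names assumed, not a real schema).
EVENTS = [
    {"host": "WS-0042", "ts": "2024-05-01T14:02:58Z",
     "path": r"C:\Users\jdoe\Documents\Q2.xlsx",
     "process": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "pid": 4120,
     "user": "CORP\\jdoe", "access": "WriteData|AppendData"},
    {"host": "WS-0042", "ts": "2024-05-01T14:03:05Z",
     "path": r"C:\Users\jdoe\Documents\Q2.xlsx.locked",
     "process": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "pid": 4120,
     "user": "CORP\\jdoe", "access": "WriteData"},
    # Same host, but half an hour earlier: outside the correlation window.
    {"host": "WS-0042", "ts": "2024-05-01T13:30:00Z",
     "path": r"C:\Windows\Temp\log.txt",
     "process": r"C:\Windows\System32\svchost.exe", "pid": 900,
     "user": "NT AUTHORITY\\SYSTEM", "access": "WriteData"},
    # Right time, wrong host: must not be attributed to the alert.
    {"host": "WS-0077", "ts": "2024-05-01T14:03:09Z",
     "path": r"C:\Users\asmith\notes.txt",
     "process": r"C:\Windows\System32\notepad.exe", "pid": 2222,
     "user": "CORP\\asmith", "access": "WriteData"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _is_write(event):
    return "Write" in event["access"] or "Append" in event["access"]


def enrich_alert(alert, events, window_seconds=30):
    """Answer the questions the EDR could not, from telemetry around the alert.

    Fields stay "unknown" (or empty) when nothing matches, so the gap is visible
    rather than hidden behind an empty string."""
    t0 = _parse(alert["ts"])
    lo, hi = t0 - timedelta(seconds=window_seconds), t0 + timedelta(seconds=window_seconds)
    hits = [e for e in events
            if e["host"] == alert["host"] and _is_write(e) and lo <= _parse(e["ts"]) <= hi]
    result = {
        "host": alert["host"],
        "files": [],
        "process": "unknown",
        "user": "unknown",
        "how": "unknown",
        "blocked": alert.get("action") == "block",   # the alert itself says report-only
    }
    if not hits:
        return result
    result["files"] = sorted({e["path"] for e in hits})
    # Attribute the activity to the process that touched the most files in the window.
    by_proc = {}
    for e in hits:
        by_proc.setdefault((e["process"], e["pid"]), set()).add(e["path"])
    (proc, pid), _ = max(by_proc.items(), key=lambda kv: len(kv[1]))
    result["process"] = f"{proc} (pid {pid})"
    result["user"] = next(e["user"] for e in hits if e["pid"] == pid)
    result["how"] = sorted({e["access"] for e in hits if e["pid"] == pid})
    return result


def rename_pairs(files):
    """Pairs (original, renamed) where a written file is another written file
    plus an extra extension, the classic encrypt-and-rename pattern."""
    return [(a, b) for a in files for b in files if b != a and b.startswith(a + ".")]


if __name__ == "__main__":
    enriched = enrich_alert(ALERT, EVENTS)
    for k, v in enriched.items():
        print(f"{k}: {v}")
    print("rename pairs:", rename_pairs(enriched["files"]))
```

The 30-second window and the "most files touched" attribution are analyst heuristics, not anything the alert guarantees; on a real host you would widen the window and cross-check the process against a process-creation event before calling it the culprit.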
Billy O'Neal
@malwareminigun@infosec.exchange

@cR0w@infosec.exchange I'm still waiting for the threat EDR supposedly protects from despite it being mass deployed all over everything.

One would think after the CrowdStrike incident someone would have had to better explain by now.

Graham Sutherland / Polynomial
@gsuberland@chaos.social

@cR0w@infosec.exchange more of an ED than an EDR

Jernej Simončič
@jernej__s@infosec.exchange

@cR0w@infosec.exchange Reminds me of Windows Defender (the regular one in Windows 11): threat blocked, click here for more info; after clicking "No recent detections"

(the fix was to boot to Safe mode and delete some directory)

adison verlice
@adisonverlice@tweesecake.social

@cR0w@infosec.exchange just curious, what EDR do you use? splunk? wazuh? security onion??

cR0w
@cR0w@infosec.exchange

@gsuberland@chaos.social BRB, creating an EDR startup with a little blue pill as the logo.

cR0w
@cR0w@infosec.exchange

@adisonverlice@tweesecake.social I don't want to go into detail here but it's one of the more popular ones.
