Explore advanced techniques for manipulating Event Tracing for Windows (ETW) streams and exploiting Endpoint Detection and Response (EDR) systems in this 54-minute conference talk from BruCON Security Conference. Learn how injecting custom events into ETW streams produces telemetry for activity that never happened, which undermines the trust placed in EDR tools. Discover how blue teams can use this to replicate attack telemetry safely, without executing risky processes on production systems, and how red teams can use the same technique to mislead incident analysts.

Examine the demonstration of telemetry event injection and of event-capping exploitation, in which overflowing event generation causes Microsoft Defender for Endpoint (MDE) to discard subsequent logs, including those from genuine threats. Understand how automated risk assessment can then revoke tenant access for the affected devices. Delve into parallel research that reverse-engineered the device onboarding flow to create and onboard fake devices into MDE, enabling full configuration extraction and log acceptance without requiring any code execution. Learn how such devices can be created in unlimited numbers with custom names and simulated user activity from any identity, making them indistinguishable from legitimate ones and opening up deception and disruption scenarios for blue teams.