Category: Purple Team
-

AMSI Provider
The Antimalware Scan Interface (AMSI) is a Microsoft control that directs PowerShell content to the installed antimalware engine or EDR to conduct a scan and identify malicious indicators. However, for functionality purposes Microsoft permits third-party applications to register AMSI providers with the operating system in order to communicate with the…
-

Windows Service
Windows Services are a common target for adversaries because they provide a reliable mechanism for executing code with elevated privileges, maintaining persistence, and blending malicious activity into normal Windows operations. Abusing Windows services for persistence is not a new technique, and most Endpoint Detection and Response can detect malicious modification…
-

QoS Policies
In Windows, a Quality of Service (QoS) policy is a rule that handles outbound network traffic. Specifically, it is used to cap the outbound bandwidth of a process, port, or protocol. Organizations can configure QoS policies through Group Policies, MDM, or PowerShell. Threat actors with elevated privileges on the asset…
-

WinGet
WinGet also known as Windows Package Manager, is Microsoft’s command-line for discovering, installing, upgrading, configuring, and removing applications on Windows. It is commonly used by Administrators and developers to automate software deployment and system setup. However, it can be abused to proxy execution and evade detection. Threat actors can execute…
