Category: Purple Team
-
AppLocker Rules Abuse
AppLocker was introduced by Microsoft in Windows 7 to enable organizations to define which executables, scripts or installers are allowed to run in their environments. AppLocker can reduce the attack surface by enforcing rules that allow only trusted executions. As a result, malicious code is prevented from running. It should…
-
EDR Silencing
Modern Endpoint Detection and Response systems depend on persistent, bidirectional communication with their cloud management console, enabling them to continuously report suspicious activity and receive updated instructions or response actions. If that communication is disrupted, the EDR continues to collect telemetry locally, but it can no longer generate alerts to…
-
Bind Link – EDR Tampering
The Bind Link API enables Administrators to create transparent mappings from a virtual path to a backing path (local or remote). The Bind Link feature was introduced in Windows 11 and according to Microsoft it should be used to improve application compatibility by making files stored in a network share…
-
LSASS Dump – Windows Error Reporting
The Windows Error Reporting is a feature that is responsible for the collection of information about system and application crashes and reporting this information to Microsoft. Windows are shipped with the WerFaultSecure binary that is used by the Windows Error Reporting service, and it is signed by Microsoft to collect…
Purple Team 