The subtle (or not so) modification of permissions in IaaS, SaaS, Active Directory, high-level objects or filesystems for persistence is an orders-of-magnitude problem that manual signatures likely won't scale to meet.

This tradecraft by Alh4zr3d is pain..

https://www.reddit.com/r/blueteamsec/comments/11p7ky0/windows_a_fileless_persistent_local_privilege/?utm_source=share&utm_medium=android_app&utm_name=androidcss&utm_term=1&utm_content=share_button

Windows a file-less, persistent, local privilege escalation backdoor and detection approach (r/blueteamsec)

    sc.exe sdset scmanager D:(A;;KA;;;WD)

Setting the security descriptor on the service manager to allow anyone to start SYSTEM...

I deliver two MSc modules, one of which covers this type of scenario and the complexity of the challenge..

Sounds easy doesn't it?
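As an added illustration of why a baseline beats a signature here (this is not code from the reddit post, from Alh4zr3d, or from the thread author), the script below parses the DACL of a Service Control Manager security descriptor in SDDL form and flags any allow ACE that hands a broad principal (Everyone, Authenticated Users, Interactive, BUILTIN\Users, Anonymous, All Application Packages) the right to create a service, or to rewrite the DACL so it can. `D:(A;;KA;;;WD)` from the post trips it because KA expands to 0xF003F, which includes SC_MANAGER_CREATE_SERVICE (0x2), WRITE_DAC and WRITE_OWNER; creating a service is enough to run code as SYSTEM. It is written in Python rather than PowerShell so it runs anywhere; on a real host the input string would be the output of `sc.exe sdshow scmanager`. The two SDDL strings embedded in it are constructed for the example; the "baseline" is only shaped like a Windows 10 default and is an assumption, so capture your own fleet's value rather than trusting that literal.

```python
"""Flag an SCM security descriptor that grants service-creation rights to
broad principals, e.g. after `sc.exe sdset scmanager D:(A;;KA;;;WD)`.

Inputs below are constructed for illustration. On a live host, feed in the
output of `sc.exe sdshow scmanager` instead.
"""
import re

# SDDL two-letter access-right tokens -> access-mask bits. KA/FA etc. are
# the documented "all access" composites; for the SCM, KA == 0xF003F ==
# SC_MANAGER_ALL_ACCESS.
SDDL_RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
}

# SCM-specific meaning of the low object bits (winsvc.h): bit 0x2 is
# SC_MANAGER_CREATE_SERVICE. WRITE_DAC / WRITE_OWNER / generic write let a
# trustee grant that to themselves later, so they count too.
SC_MANAGER_CREATE_SERVICE = 0x0002
WRITE_DAC, WRITE_OWNER = 0x00040000, 0x00080000
GENERIC_ALL, GENERIC_WRITE = 0x10000000, 0x40000000
DANGEROUS = (SC_MANAGER_CREATE_SERVICE | WRITE_DAC | WRITE_OWNER
             | GENERIC_ALL | GENERIC_WRITE)

# Principals that every (or nearly every) user on the box falls into.
BROAD_TRUSTEES = {
    "WD", "S-1-1-0",        # Everyone
    "AU", "S-1-5-11",       # Authenticated Users
    "IU", "S-1-5-4",        # Interactive
    "BU", "S-1-5-32-545",   # BUILTIN\Users
    "AN", "S-1-5-7",        # Anonymous
    "AC", "S-1-15-2-1",     # All application packages
}

ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_mask(token):
    """Convert an SDDL rights field ('KA', 'CCLCRPRC', '0x2') to a bit mask."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        pair = token[i:i + 2]
        if pair not in SDDL_RIGHTS:
            raise ValueError(f"unknown SDDL rights token {pair!r}")
        mask |= SDDL_RIGHTS[pair]
    return mask


def dacl_aces(sddl):
    """Yield (ace_type, mask, trustee) for every ACE in the D: section only."""
    dacl_part = sddl.split("S:", 1)[0]          # drop the SACL, if present
    m = re.search(r"D:[^(]*((?:\([^)]*\))*)", dacl_part)
    if not m:
        return
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")                 # type;flags;rights;guid;guid;sid
        yield fields[0], rights_mask(fields[2]), fields[-1]


def scm_backdoor_aces(sddl):
    """Allow ACEs giving a broad principal service-creation power.

    Deny ACEs are not subtracted: a hit is a "go and look" signal, not proof.
    """
    return [(trustee, hex(mask))
            for ace_type, mask, trustee in dacl_aces(sddl)
            if ace_type == "A" and trustee in BROAD_TRUSTEES and mask & DANGEROUS]


def new_aces(current, baseline):
    """ACEs present now that the recorded baseline did not contain."""
    return sorted(set(dacl_aces(current)) - set(dacl_aces(baseline)))


# Constructed inputs (not captured from a real host).
BACKDOORED = "D:(A;;KA;;;WD)"   # the sc.exe sdset string from the post
# Assumed baseline, shaped like a Windows 10 default; record your own.
BASELINE = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
            "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)"
            "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")

if __name__ == "__main__":
    print("baseline hits:  ", scm_backdoor_aces(BASELINE))     # []
    print("backdoored hits:", scm_backdoor_aces(BACKDOORED))   # [('WD', '0xf003f')]
    print("drift vs baseline:", new_aces(BACKDOORED, BASELINE))
```

`scm_backdoor_aces` is the signature-style check: it only knows about the SCM and the bits that matter there. `new_aces` is the scaling answer to the first paragraph: record the descriptor once per build, then diff, so a permission change on any object you have baselined surfaces without someone having to write a rule for each trick in advance. Note that `sc.exe sdset` with a bare `D:` string also drops the owner, group and SACL that were there, which is itself a drift worth alerting on.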

@ollie_whitehouse
Holy crap, we'd never find this. And I can't even get the helpdesk to reimage machines after a compromise.