Decrypting and Abusing Predefined BIOCs in Palo Alto Cortex XDR - InfoGuard Labs

The Behavioral Indicators of Compromise (BIOCs) in Cortex XDR ship with numerous exceptions, including global whitelists, that can be abused to evade detection even with simple and well-known TTPs.

InfoGuard Labs
@raptor heh, on a gig a year ago I found something similar with Trend Micro because it was just plaintext in a local DB of some kind. The dirs didn't exist, so if you just create them they become the whitelist :D
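The property described in the reply above (an exclusion entry that points at a directory that does not yet exist is one an attacker can simply create) can be audited from the defender's side. The following is an added example, not code from InfoGuard Labs, the article, or any vendor product; it assumes only a plain list of excluded directory paths (constructed here in a temporary directory) and classifies each one by whether the current, presumably unprivileged, user could already write into it or could create it because its nearest existing parent is writable.

```python
"""Audit EDR exclusion (whitelist) paths for attacker-claimable entries.

Added example, not code from InfoGuard Labs or any vendor. It assumes a
plain list of excluded directories (constructed below in a temp dir) and
asks, for each entry, the question an attacker would ask: does it exist,
and can a low-privileged user write into it or create it?
"""
import os
import tempfile
from dataclasses import dataclass


@dataclass
class ExclusionFinding:
    path: str
    exists: bool
    writable: bool          # current user can write into the path (if it exists)
    parent_writable: bool   # current user can create the path (if it is missing)

    @property
    def claimable(self) -> bool:
        """True when this user could get a payload under the exclusion."""
        return self.writable if self.exists else self.parent_writable


def nearest_existing_parent(path: str) -> str:
    """Walk up until a directory exists; that is where a missing path would be created."""
    current = os.path.dirname(os.path.abspath(path))
    while not os.path.isdir(current):
        parent = os.path.dirname(current)
        if parent == current:      # reached the filesystem root
            break
        current = parent
    return current


def audit_exclusions(paths):
    """Classify every exclusion path; returns a list of ExclusionFinding."""
    findings = []
    for p in paths:
        exists = os.path.exists(p)
        writable = exists and os.access(p, os.W_OK)
        parent_writable = (not exists) and os.access(nearest_existing_parent(p), os.W_OK)
        findings.append(ExclusionFinding(p, exists, writable, parent_writable))
    return findings


def summarize(findings):
    """Human-readable line per exclusion, flagging the attacker-claimable ones."""
    lines = []
    for f in findings:
        if not f.exists:
            state = "MISSING, creatable by this user" if f.parent_writable else "missing, parent not writable"
        else:
            state = "exists, writable by this user" if f.writable else "exists, not writable"
        lines.append(f"{f.path}: {state}")
    return lines


def build_sample_whitelist():
    """Constructed sample exclusion list (not from any real product).

    Returns (root, paths): root/present exists, root/absent and
    root/absent/deep/er do not, mirroring the 'dirs didn't exist' case.
    """
    root = tempfile.mkdtemp(prefix="excl-audit-")
    os.mkdir(os.path.join(root, "present"))
    return root, [
        os.path.join(root, "present"),
        os.path.join(root, "absent"),
        os.path.join(root, "absent", "deep", "er"),
    ]


if __name__ == "__main__":
    _root, sample_paths = build_sample_whitelist()
    for line in summarize(audit_exclusions(sample_paths)):
        print(line)
```

Run against a real exclusion list, the missing entries whose nearest existing parent is user-writable are the ones to remove or pin to a protected location; an existing entry that is writable by unprivileged users is just as bad, since the payload only needs to land inside it.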

@raptor holy shit


Hey @reverseics @cR0w @da_667 @Dio9sys get in here :D

@Viss @raptor @reverseics @da_667 @Dio9sys Okay, yeah, that part is nice, but this is perfection:

There will always be a cat-and-mouse game between offensive and defensive security.