people are all like "BYOVD to bypass EDR".
reality: I changed some metadata and the filename of the executable, and dumped lsass.
EDR detects weird shit going on
reality: just drop your payloads into \Windows\ccmcache and you can do whatever.