Grzegorz Tworek  

572 Followers
234 Following
20 Posts
By-design AV bypass with "dev drive" 😅
I really like this feature!
Update your detection rules if you want to spot this...
And what does fsutil devdrv actually do? Here you have it:
1. devdrv enable -> FsEnableDevDrive=1 in CCS\Control\FileSystem
2. disallowAv -> FltmgrDevDriveAllowAntivirusFilter=0 in CCS\Control\FilterManager
3. clearFiltersAllowed -> FsFlags + FsGuid in CCS\Control\FileSystemVolumes\{VOLUME_GUID}
4. trust -> DeviceIoControl(FSCTL_SET_PERSISTENT_VOLUME_STATE, PERSISTENT_VOLUME_STATE_TRUSTED_VOLUME)
And you can enjoy the bypass without even touching fsutil.exe 😎
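A defender-side audit of the four settings listed above, as an added example that is not from the original post: a PowerShell script that reads the registry locations the post maps fsutil devdrv to and reports the values a detection rule would flag. It assumes an elevated session on a Windows 11 host; the function name Get-DevDriveFindings is mine, not a built-in.

```powershell
# Added example (not from the original post): audit the registry locations that
# fsutil devdrv writes to, so a detection rule can be validated against a host.
# Assumption: run elevated on Windows 11; value names are those listed in the post.
function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-DevDriveFindings {
    $fs  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $fm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FilterManager'
    $vol = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystemVolumes'
    $findings = @()

    # 1. devdrv enable -> FsEnableDevDrive=1
    if ((Get-RegValueOrNull $fs 'FsEnableDevDrive') -eq 1) {
        $findings += 'Dev Drive enabled system-wide (FsEnableDevDrive=1)'
    }

    # 2. disallowAv -> FltmgrDevDriveAllowAntivirusFilter=0 (AV filter excluded from Dev Drives)
    if ((Get-RegValueOrNull $fm 'FltmgrDevDriveAllowAntivirusFilter') -eq 0) {
        $findings += 'Antivirus filter not attached to Dev Drives (FltmgrDevDriveAllowAntivirusFilter=0)'
    }

    # 3. clearFiltersAllowed -> per-volume FsFlags / FsGuid under FileSystemVolumes\{VOLUME_GUID}
    if (Test-Path $vol) {
        Get-ChildItem -Path $vol | ForEach-Object {
            $flags = Get-RegValueOrNull $_.PSPath 'FsFlags'
            $guid  = Get-RegValueOrNull $_.PSPath 'FsGuid'
            if ($null -ne $flags -or $null -ne $guid) {
                $findings += "Per-volume filter settings on $($_.PSChildName): FsFlags=$flags FsGuid=$guid"
            }
        }
    }

    # 4. trust -> set through FSCTL_SET_PERSISTENT_VOLUME_STATE, so it leaves no trace
    #    in these keys; that step has to be covered by volume/ETW telemetry, not registry audit.
    return $findings
}

$result = Get-DevDriveFindings
if ($result.Count -eq 0) { 'No Dev Drive filter exclusions found.' } else { $result }
```

Because all three registry writes happen without fsutil.exe ever running, a rule keyed only on the fsutil command line will miss them; auditing the values themselves (or Sysmon registry events on these paths) is the more robust signal.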
Conditional ACLs, making the same file allowed for one app, denied for another one... 😮
I guess I know where I will dig during the next weeks... 😎
🤔
New release of VolatileDataCollector has arrived. A LOT more details about DLLs loaded (thank you daem0nc0re for inspiration!), no other changes.
64-bit DLLs for now, but WOW support is coming soon :)
Enjoy: https://github.com/gtworek/VolatileDataCollector
Do you detect IIS Application Pool credential dumping by looking for "/text:*"?
Time to update your rules with undocumented /show, /@t, and /@text.
BTW /config will do the job as well, but it is not so funny, because it is documented. It may be funnier if you replace /config with undocumented /@config or /@cf.
Hello World!
And a short video about using iFilters as C2. Enjoy!