Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.

Author: Alex Necula

From Debugging to Breaking: Turning Crash Dumps into EDR Kill Switches

I have been working for several years as a System Engineer, and one of the tasks I handled was managing Citrix PVS. One of the issues with PVS was investigating dump files. The only way to generate a complete dump file was by using the DedicatedDumpFile option, which is available as a registry key under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl. A significant obstacle when the DedicatedDumpFile is enabled and configured is deleting it, because it is always in use by a process. The crash dump is created by the Windows kernel (ntoskrnl.exe) in cooperation with the Crashdmp.sys driver. To guarantee that the file is always contiguous,

Ransomware Gangs weaponize Windows Defender Application Control (WDAC) to disable EDR products.

In the past days we saw that Ransomware Gangs use WDAC to disable EDR products. I have known about this type of attack for a year, since a guy posted a similar technique on Twitter, but this is the first time it has been used in Ransomware Attacks. So, it’s time to explain how it works and how to check for it. First, WDAC is a Microsoft feature that is very similar to AppLocker. We need to download the Application Control Wizard from the Microsoft webpage. After we install it, we can open it and define the policy. Here we can do two things,

How Threat Actors make EDRs harmless with a reboot

I became aware of this technique about 9 months ago, and now I see it used in an attack in the wild conducted by the Qilin Ransomware Gang, so it’s time to make it public. One of the most important security features of EDRs is the ability to intercept calls to the kernel. For this purpose, EDR vendors use MiniFilter Drivers that load on boot. But what happens when these drivers are forcibly disabled by an attacker? The attacker can peacefully make kernel calls without being intercepted by EDRs. When Windows loads a MiniFilter Driver, there is an order in which they are loaded,