Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.

Tag: edr

From Debugging to Breaking: Turning Crash Dumps into EDR Kill Switches

I have been working for several years as a System Engineer, and one of the tasks I handled was managing Citrix PVS. One of the issues with PVS was investigating dump files. The only way to generate a complete dump file was by using the DedicatedDumpFile option, which is available as a registry key under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl. A significant obstacle when the DedicatedDumpFile is enabled and configured is deleting it, because it is always in use by a process. The crash dump is created by the Windows kernel (ntoskrnl.exe) in cooperation with the Crashdmp.sys driver. To guarantee that the file is always contiguous,

How Threat Actors make EDRs harmless with a reboot

I became aware of this technique about 9 months ago, and now I see it used in an attack in the wild conducted by the Qilin Ransomware Gang, so it is time to make it public. One of the most important security features of EDRs is the ability to intercept calls to the kernel. For this purpose, EDR vendors use MiniFilter drivers that load at boot. But what happens when these drivers are forcibly disabled by an attacker? The attacker can make kernel calls freely without being intercepted by the EDR. When Windows loads a MiniFilter driver, there is an order in which they are loaded,