The EDR Tier List Through Red Teamers' Eyes
2024-3-26 15:49:16 Author: mp.weixin.qq.com

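Recently, well-known red team expert Melvin Langvik (@Flangvik), together with other red teamers, ranked and discussed a range of endpoint detection and response (EDR) solutions.

1. Red teamers generally consider traditional antivirus products such as Symantec, Cisco AMP and McAfee weak as EDR and think they belong in the lowest tier.

2. Flangvik and some of the red teamers shared their experiences bypassing certain EDRs, such as SentinelOne, CrowdStrike and Microsoft Defender.

3. The group discussed how critical configurability is for an EDR: default settings are usually fairly weak, and good configuration and good administrators matter a great deal.

4. The EDRs that received more praise were Kaspersky, Cortex XDR and Elastic EDR. Viewers considered them somewhat harder to bypass.

5. The final ranking: S tier holds only Arch Linux (as a joke), A++ tier holds CrowdStrike and Cortex, and the rest fall into tiers A, B, C, D and so on.

6. Flangvik stressed that an EDR is only a tool; what matters most is the security staff who know how to use it well and the maturity of the overall defensive program.

This image shows a playful tier list of endpoint detection and response (EDR) solutions.

1. The tier list runs from highest to lowest through S, A++, A, B, C, D and LOL (Laugh Out Loud). S is the highest tier and contains only Arch Linux (as a joke); LOL is the lowest.

2. The A++ tier contains two solutions, Palo Alto's Cortex XDR and CrowdStrike, regarded as the strongest commercial EDRs at present.

3. The A tier contains Elastic and Microsoft's Microsoft Defender for Endpoint.

4. The B tier contains Kaspersky, SentinelOne, WithSecure and Cybereason.

5. Solutions from the traditional antivirus vendors, such as Symantec, Cisco, McAfee and FireEye, were placed in the lowest tier, LOL.

6. Finally, a separate "actual risk" tier was created with Fortinet placed in it alone, implying that its products have numerous vulnerabilities.

Overall, this tier list leans toward the attacker's perspective. It reflects the offensive and defensive security community's subjective assessment of how well different EDR solutions defend, and it is not the result of rigorous testing. The image also notes that how effective an EDR tool is depends largely on how it is actually configured and managed.

Full transcript of the discussion: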

Coming back with a smack beat marathon, I'm a killer on the track, never modern soft, coming back with a smack, last year fools never lost his back, thirsty for blood even more, just like that, on the track.

Hey, what's up everybody, how are we doing today? Let's see. Why, hello. Why am I hearing myself? That's interesting. I think, let's see, intermission. Hey, what's up guys, can you hear me? You good? I think that's just echo, actually. I don't think that's... I thought I was hearing myself on monitor for a second there, but I think just echo in the room. Sup guys, how are we doing today? Is the music in the background still too loud now? Or is it fine? Give me a heads up. Great, don't want it to be too loud, don't want it to be distracting.

Okay, so hype's up guys, so we're doing, uh, thank you so much for the follow. Wait, I can't see the thing. Frick. Give me a second, reason to that I guess. Thank you so much for the follow. Okay, so today is a fun one. This guy looks like... you're too kind, you stop this right now.

Today is a fun one. We're essentially doing what we did last time, but we're doing EDR solutions instead of C2 frameworks. I think that was, or I know that was a requested thing that we started popping up towards the end of last stream. Wow, I look like a terrible, sorry guys. CrowdStrike was MDE Cortex. Good night, bye-bye. Safe call.

I think I need a big fat disclaimer on this one. So obviously this is sort of a meme, right? We're doing this for fun. There is probably some legitimacy in what I'm saying. I think at least from like the top of the spectrum to the bottom of the spectrum we'll be creating today. I think there definitely is like at least some legitimacy, but you know, I haven't tested all of these EDRs extensively. I've run up against them on engagements. It's going to be very, very configuration based, meaning that, you know, one EDR solution might suck because they haven't set it up and configured it properly, and then, then, you know, and then the same solution might be really good once they, once they
actually configured it properly, right? So just... Just a heads up on that. This is a meme. Don't get too offended if you work for any of these companies or whatnot. It's fun. This is for fun, guys, okay?

Uh, but I, yeah, and I'm also really relying on the input of you guys. So I finally learned how to do the polling system. I have to create a poll essentially on, on, um, on, uh, on Twitch. We can, you guys can help me decide where these EDR solutions are placed. Hey, what's up, uh, Logan. Um, and also, yeah, so these are my essential excuses to not get cancelled on Twitter. Yes, I, I agree, they're, they're, they're 100%, they are.

Also, a couple of... I don't want to say cop-outs, but... Things I want to get out of the way, so there's a donation bar. If you want to donate, you can. There's no demand. You shouldn't do that. If you have way too much money, if you just cashed in your tenth no-click zero-day exploit for full chain for iPhone, then consider donating. Whoever donates the most... So the donation thing essentially works like an auction. Whoever donates the most today gets this t-shirt. I will ship it to you wherever you are in the world. I don't really care. This thing right here, it's Evilginx, the, the man-in-the-middle phishing framework. Pretty sick. Think it's the size double XL. No, it's the size XL, if anybody wants that. So that's just a joke, just to get my ass to DEF CON and Black Hat, hopefully.

Also, if you want to buy some of Rastamouse's amazing Zero Point Security courses, consider using my affiliate code. It's in the description below, both on YouTube, Twitch, and Twitter and whatnot. I do actually get a decent kickback from that, and that's why the donation bar hasn't moved since last stream. I found out that I had, like, actually a decent chunk of affiliate kickback that I cashed out, so that's great. But just like, whatever, it's not a big deal, it's just, just in case somebody wants to. If not, this is just going to be a fun stream. Again, full disclosure, disclaimer, this is just, this is a joke, don't get too,
don't get too much into it, okay? That's just, uh, wow, the stream that was bought does not like you scouts like all EDR vendors are going when...

So, you know, I think if we can beat the MITRE testing thing, which is an absolute fucking joke in my opinion, then we've done something, I think. So let's just move into it. So I immediately see that I'm... Can you see Webroot? I'm blocking the last EDR solution. Let's... I don't want to move that. But I can move this. Aha! Cool, cool, cool. So these are the, come on, don't be like this. These are the solutions we got to work with for today. A lot of familiar names. Just trying to adjust this a bit here so you can see. Okay. You will see it once, once we start picking stuff. No, this tier list is everything to me. I will base my decision based on the great, great. You, you totally got the point. Awesome. Thank you so much.

So, uh, I think we're going to make polls for the hard ones when we're really unsure, but I think the majority of these are going to be pretty much, you know, even. Uh, and I'm really curious to see how many of these you guys have actually hands-on experience with, because that experience is obviously going to vary widely between configurations, but also what sort of TTPs you're, you're working with, right? Some TTPs, like, like LOLBins, will never get past Defender for Endpoint. Like, Defender for Endpoint in my experience are, is great at detecting, uh, you know, legitimate applications sideloading non-signed DLLs or, or other, um, technically sideloading isn't a LOLBin, but other LOLBin techniques as well. Defender for Endpoint is great at that, but other solutions might not pick as heavy on that.

And also, there's been a lot of discussions about what is a detection and whatnot. We're not going to touch on that. But in my opinion, at least from an attacker's perspective, we don't really necessarily care about the... Obviously, we don't want to appear in an ID world. We don't want to get detected in terms of like getting nuked, getting stopped,
proactively stopped. And we also don't want to end up in the SIEM logs. But obviously, we're going to end up in the logs. It's just a matter of disguising it some sort of legitimate way and then not getting nuked initially.

MD, calm down. No Sophos. Fuck, I forgot Sophos. Good call. Might add that. Hmm.

Let's start with, I think, what I think. Let's pick out the worst ones. So if I were to pick the absolute worst EDR solutions, I would pick Symantec in the LUL category, 100%. I've run up against this especially on server platforms, or platforms on servers, a lot, and I never really, never really bothered me that much unless you... I think I recall like dropping Mimikatz on disk against Symantec at some point. It's up if I did it from like a legitimate chain or whatever. Symantec is absolutely crap.

What? Tanium is an EDR? I mean, I've definitely been told by clients that they have the Tanium EDR solution, but I agree. So I think, anybody agree? Has anybody here ever met a Symantec configuration that is like totally, that is actually comparable to the other more modern EDR solutions? Any Symantec fanboys in the chat? Tanium is everything the company decides it is on the sales call. 100% sure it is. I like it because you can right-click disable. Well, that's, yeah, Symantec isn't, and I think, like, is Symantec technically more like consumer-aware antivirus than it is an EDR solution? I mean, they definitely sell to enterprise customers because they have their, like, their central server hub on-prem, unlike a lot of these other EDR solutions, which are, like, 100% cloud-based. But I think Symantec definitely deserves the LUL category, 100%.

Um, I think when I think about Cisco, I think about Cisco AMP. Also absolute ass, uh, in my opinion. Never met anybody being able to configure Cisco AMP in a way where I couldn't do what I wanted. And, or, uh, I've also heard a lot of bad about the Cisco, like, threat hunting portion of it, or I guess not threat hunting, but like actually investigating and using its tools
to get the data you, you're looking for. It's a, it's supposed to be a nightmare is what I've been told.

Never stumbled on F-Secure or WithSecure EDR, never run into that. Do you guys agree on the Cisco? Everybody, anybody got an experience with Cisco, Cisco AMP? I think Cisco AMP, let me Google just so I'm not just blatantly stating, stating false information here. Is Cisco AMP... okay, so Cisco Secure Endpoint, formerly AMP for Endpoints, is the EDR solution. Maybe it's gotten better then. Last time I ran into it, it was called Cisco AMP and it was trash. JP confirms. OS Square is the best EDR.

I've never ran into Cybereason. Have anybody here ever ran into Cybereason EDR? Cybereason. That either tells me that it's bad or way too expensive for most customers. Their dashboard looks very Carbon Black-ish. Is that the reason, anyone? Cisco is junk, I agree 100%.

I mean, to be fair, dumping LSASS against any, like, not super old, shitty EDR solution is going to be hard. Like, just opening handles with the correct permissions to LSASS is going to get you nuked. And even if you do it indirectly through, you know, one of the 10 methods that is, I think there's still fair detections on it. And I honestly, when I was red teaming, I never really found myself wanting to do that. It might be a pentesting. Yeah. Ask LSASS access. Why though? It's not another critique. Love the question, but LSASS, in my opinion, dumping LSASS is just going to be one of those things that you're going to work real hard. If you want to get away with that on EDR solutions in general, just because it's, it's all. Yeah. Hmm.

If nobody here have it, I haven't touched the Cybereason. Anybody here, any input on Cybereason? So skip outside the Cybereason, got nice results on last MITRE and everything that action. Okay, I think we'll give Cybereason benefit of the doubt in terms that we don't rate it then, since we have absolutely none. Like one of, like, one of very few EDRs have, like, never run into. Or at least that I'm aware
of. Let's just skip it though.

Let's do, uh, Trend Micro. Is that, is that a LUL category as well? Or is that a D? I think that's a LUL as well. Honestly, is everything here, every legacy EDR solution just got to be in LUL? Trend Micro is also, I think I've had issues, like they've implemented some decent application blacklisting stuff, but again, that's just pure configurational. That's not something you're going to run into as a default. But yeah, I think that's a LUL as well, honestly. Definitely LUL. Trend Micro is a D or a LUL for me. I agree. I think it's a LUL. I love the LUL category, by the way. It's a 10 out of 10. The top tier Trend Apex One solution is better than Cisco's. I put a D. D or LUL. Let's put it on a D then. 100% on a D. Got to give it that D. Okay.

Let's do a good one. Let's pick... I want to save CrowdStrike for last. I want to save Cortex, Defender for Endpoint. Let's do SentinelOne. I definitely think SentinelOne is like top three, tier wise. I've seen it in a very aggressive configuration where I definitely struggled getting anything into memory, and it was pretty instant, unlike Microsoft Defender for Endpoint, where you can run something and then get nuked like a day later or like half an hour later. You think S1 is an A tier? Let's put it in A for now.

Let's do a poll. Let's do a poll for this one. Why am I putting my finger up in the air? I don't know. Let's create a new poll for this one. So... Where does SentinelOne belong? Tier S. S. Tier A. A. B. It's definitely A, B, or S, I think. Okay, let's try... Okay, I'm starting to pull. This is the first time I'm doing this. I'm a total streamer noob. Oh wow, it broke in the chat. So you just type !vote and then A, or !vote or then B, or !vote S. You guys got it. This is kind of cool. Let's move this thing here for now. It's a 50-50 split. We're getting imagery. This is great because now people can't be like, Melvin, you're dumb. I'm like, blame chat. Chat told me, this is great. Chat's deciding at this point. We're getting a B.
We're getting a lot of Bs here. That's really a B? You guys don't think it's an A? Nobody thinks it's an S? Please DM me all your bypasses for SentinelOne after the stream, guys. Once you bypass the anti-shellcode mechanism. Sounds like you've done some extensive reversing. MRE. Yeah, if SentinelOne's a B, what the fuck is an A? Cortex is A. I might agree with that. Okay, I think we got all the votes in. I think I'm going to close the vote now. And I think it's a B. Okay, we're setting the bar real fucking high here, guys, by putting SentinelOne on a B. Somebody's going to flame on me on Twitter for this, 100%. Okay.

Since we mentioned Cortex, though. Do we think... I think Cortex is an A. I might even push it for an S because I don't actually think CrowdStrike is an S. Which is, I think is going to be the heavy hitter. I don't think any of these EDR solutions. Okay. I'm going to stop. I'm going to stop there. I'm not going to say that. You think Cortex is S? S tier? Do we need another vote?

CrowdStrike equals LUL. Then you got some savvy bypasses if you think CrowdStrike is LUL. CrowdStrike is interesting because once you get past like the initial runtime detection and nobody immediately pulls you out from the log, it's going to take two weeks before CrowdStrike, what's it called? Rapid response or whatever. What's a CrowdStrike like external SOC helper service called? Overwatch. Yeah, yeah. Like Overwatch is going to give you a call two weeks later. Had that happened a lot on engagements. Like weeks or even, no, weeks, not months, but like I've had, definitely had clients being called like three weeks after the engagement ended and telling me that Overwatch gave them a call and told them they were compromised.

Cortex is an A or S. I'm not gonna, I'm not gonna say that for every, obviously, a techno bro. Not saying that that's the case every time. Again, this is just my experience. CrowdStrike. CrowdStrike AV is awesome, but their EDR doesn't do much beyond their AV. I didn't quite get that. Oh, that's a cool,
interesting skip. Palo Alto web UI sucks, but EDR is good. You can do stuff like brute force, site tool password, and then disable it. Wait, what are you saying? That Bitdefender is better than CrowdStrike?

Cortex is an S. I think we gotta... I think we gotta do a new poll for this. It's between S or A for sure, I think, for Cortex. I'm ready for another poll, guys. And confirm.

Yes, so I agree with that 100%. I have no idea how I, I don't know how to pronounce the nick Emmerich. So I'm gonna go with Emmerich. So I agree with that, CrowdStrike is great at a lot of stuff, but they're not great at scripting stuff. Oddvar here is most likely going to have a talk. You know, Logan knows what I'm talking about when we're saying CrowdStrike is not good at detecting scripting stuff, but most likely Oddvar and a guy named Chris at TS is going to have a great talk. This Black Hat and DEF CON have to get accepted. That should highlight CrowdStrike and scripting. CrowdStrike just added a large amount of detection around Office macros just a few months ago. Even with macros being dead.

Yes, I mean, once you stack Cortex with the Palo Alto firewall solution, you definitely have the network telemetry. But with that said, you know, you have the telemetry so you can trace it down, but at very few instances, I think, I think I can count on like one hand how many instances I've been nuked because of network telemetry alone. There was this one solution that did some AI metrics on my polling that fucked me up. But that was a very specific solution and it's not a mainstream one. And I can't recall the name of it.

I mean, we're seeing A tier over S here. Tier. Why am I saying tier again? Tier. Tier for Palo Alto Cortex. I guess that's why it's an XDR, right? Because it has that implementation. What I mean, if Cor... okay, so if Cortex isn't the S tier, what the fuck is an S tier EDR solution? Linux, we should do that. That's a meme, 100%. I'm gonna put fucking Arch Linux as the S tier EDR solution. 100% I'm doing that. Oh. Shut up,
Logan, you can't, you can't come from Microsoft and be like, Defender for Endpoint. That's not okay. Oh.

Elastic? Elastic is the only EDR solution I know of that actually have some of their basic rules published. It's open source, right? CrowdStrike detected one out of three of my unit tests. That's actually cool that you do decent unit testing, Erika. On purple team, but there was none on visibility, so it takes a lot of configuration. I mean... Um... As long as you're a modern EDR solution and you hook the telemetry from more than the three most common sources, you're going to have the visibility. I guess it's just a matter of how you display it, how you show.

Yes, Technobor, you're right. Tuning makes or break it. I actually, I don't think the toughest, okay, this is, believe it or not, the toughest client that I was ever up against had a shitty EDR solution. They had Cylance. But they had configured that shit out of the moon. And it was extremely difficult to work against. I think I had to, I could not get in externally on the red team, I think I had to schedule my third assume breach implementation, or attempt to get onto it.

CrowdStrike is solely configuration based, turn every setting on with aggressive and good luck. Also, stuff like execution hasn't been seen today, it's not going to respond when it sucks. Malwarebytes is SSS then. Okay, so I think we're actually ending on Palo Alto being A.
I'm gonna close that poll. Yeah, okay, so Emmerich is stating the, not the obvious here, but he's making good points. Again, we are approaching this tier list, this official tier list, from a pure bypassable aspect or like working against aspect. We're not taking into account like how it is to set up or configure or price or anything like that from the blue side, so. So again, this is a joke of a list in terms of coming from an offensive security perspective and not a defense perspective. But it's a very good point, Emre. Okay, so I think it's a closing that poll, 100%. Cortex is decent. Cortex is leading currently. And I don't know, and you guys are going to have to persuade me to put something above that because, yeah.

Check Point, I'm going to go out and say either LUL or D. Um, honestly, I think it's a LUL. Might even be, if we had it, this is not going to be great, but might, I mean, um, if we had anything below LUL I might have put it there. I'm sorry, ten toes deeper, we got, you work for, uh, Check Point, don't you? Check Point is dog tier. You should have a picture of a dog under LUL.

So the interesting thing about like NTDS dumps, I'm guessing you're referring to like most remote methods done through DCSync. A lot of EDR solutions don't stop that. Ooh, JP with the insights here. Talked to the internal Check Point incident response team a while ago. They recommended their own EDR for playing whack-a-mole during an engagement, but not as a permanent solution. I've actually talked to, I know a great sales guy, and I'm sorry I just said that. Yes, some sales people are actually not horrible. His name is Morten, shout out Morten from Palo Alto. And he talked a lot about that during incidents, they would deploy Cortex XDR in their max configuration to get control of issues.

Yeah, I noticed that thing doesn't work. I don't know how to turn that off at this time, I'm afraid. I'm not sure about that. Hey, WhiteCyberDuck, what's up? Okay, I'm gonna make the executive decision and put Check Point on LOL. I
don't, I think if you say Symantec, Cisco, Check Point to me, I'm feeling the same vibe.

Oh, he's getting timeouts. Okay. Actually give me a second to see if I can fix that then. There we go. I turned that off. I turned that off. I just fucking turn everything off. Links are not okay. An emote, I'm not okay, but everything should be fine. I'm sorry, Joakim.

Another thing for Cortex is that their Linux telemetry is very important, but most companies don't really care about that. That's true. So on top of that, you know, following up on that topic, what EDR solution is actually decent for Linux these days? I know CrowdStrike also has an EDR implementation. Microsoft Defender for Endpoint I just saw recently sort of pushing ads about Linux telemetry. Finally, no more security in chat. None, right? There's a Linux-only EDR, there's an open source one, ClamAV, that I also forgot to include here. That's an oversight for sure. If you, if you get that name, be sure to post it in chat. That would be interesting to look at at some point. Testing might make, it might make a good content as well, like testing Linux EDR solutions. That's an AV, right? Okay.

Okay, so Kaspersky Blit. Where are we putting our Russian EDR solution? I have zero experience with it, obviously, or ironically, having worked mostly with US clients, I have zero experience with Kaspersky EDR solution, which is fun, I guess. Oh, wow. Are you serious, Emmerich? But is it so aggressive that it is effective? Or is it just that good? I would love some insight. I think you're definitely the most...
Like, we have multiple people saying S tier for Kaspersky. What? Russian backdoor is okay? All in favor of protection? What, I mean, white cyborg is sitting here like, what is going on? Emmerich, you're saying that it's easier to bypass CrowdStrike than it is to bypass Kaspersky? That is really interesting. That makes me want to get my hands on Kaspersky. I think, obviously, it's my only experience ever. No, no, that wasn't Phil Frisky. I like a little bit of Putin in my EDR. That should be a t-shirt right there. That's a t-shirt, very cool. Yeah, they put out really good research. That's true, Sabadek.

I mean, I, I think all of these EDR solutions have their own dlm, they are their own userland hooks implemented in the process, or their own, and or their own AMSI provider. I know CrowdStrike definitely has their own AMSI provider as well as the original one still being, being, uh, in the...

Huntress EDR. So I didn't know Huntress was an EDR solution or heard about it. What I know about Huntress is that James Hammond works there, as far as I know. Embracare, you want some goods? I have a universal bypass for CrowdStrike if you want to know about it. DM me later in Discord. Huntress, right? Threat hunting 1 EDR.

Okay, well, I think we should do a Kaspersky vote, since we have so many people actually claiming it's a decent EDR. I honestly thought it was going to be, where I put it, a C.
Let's do yet another poll. Add poll. Brother Russia any good? Kaspersky? Kaspersky. So we got another poll, guys.

They are so good that they do extra checks on DLLs and PE files that contains Russian languages. Lol. So they have an increased risk factor associated with binaries containing Russian language. That's really interesting, but probably also a really dumbass approach and effective approach to go about detecting stuff. Wow, that's cool. That's like, makes me think about like KISS, keep it stupid simple, or simple stupid, or whatever it is.

Is it showing? No, it's showing Cortex, lol. I haven't closed Cortex, I think. Complete, sorry about that. Start poll. Sorry about that. There we go. We'll start it now. My bad. Yeah, we used XDR in the most RKZ things earlier. I mean, Cortex. Cool. Yeah, I, yeah, yeah. Makes sense. Really glad we had Emrek in the chat here, actually having much more hands-on experience, like actually in lab with these EDRs, than I have. I only have experience like actually trying to get into them. Oh, Dominic's in chat.

Any EDR solution is only as good as the thing behind it. Out of the box, our configurations are all pretty much from that. Yeah. So I think we put in a pretty big disclaimer in the beginning here that we're sort of approaching this from our experience with these solutions, if any, more than, you know, obviously. I said at one point that I ran up against Cylance once and I was thinking, because having ran up with Cylance before that, it was going to be pretty meh. But then the guy configured it out of this world and it was really hard to deal with. So obviously configurable. I do think some of these EDRs, like Symantec, Cisco, Check Point, have like hardcore limitations of how much you could do with them. But for most modern EDR solutions, like top five, yeah, it's configurable.

I vote for S4K, but it doesn't mean I would recommend for a US or European patient company. So that's a really good input, Emeric. And I think I hinted at earlier that I said, when I said that I used
to work with a lot of American clients and none of them ever had Kaspersky, ironically enough. So I'm wondering if, yeah, that's a good point. Like, would you, would you, yes, Kaspersky will kill everything, but would you deploy it on your, on your system in Europe with sensitive data? Are you concerned about insider threats within the Kaspersky organization? I think, you know, the US makes the same argument with Huawei hardware, right?

So, are you kidding me? If Kaspersky is B or C, then what kind of EDR do you all want? That is, I, again, I, yeah. So, right now it's a tie between S and B for Kaspersky. So, we need some more votes here to decide. D is sadly not on D and C is sadly not in the range you can vote for it. European banks are using Kaspersky before let's ship them, but that's interesting.

Can we get a Discord? Yeah, so there is a Flangvik Discord if you want to join. Uh, it's, it's, I don't want to use the word dead, but there's not a whole lot going on there yet. I have plans for the future, but right now it's, uh... It's not huge. So if you guys want to go there and yell to each other, that would be great. I definitely appreciate that. Imitate a fuck.

So right now it's, it's a B right now, Kaspersky. I am willing to override it though, based on Emmerich's input here. Because it definitely, like, if he says that, you know, he can get stuff past CrowdStrike easily, which is what I would initially think to be ideal A on S tier, but not Kaspersky, then that's really interesting. And then I'm really unsure about this B. Right, what is at the top then? What is at the top? Like, which of these EDR solutions are going to challenge Cortex here?

And again, since we have a lot more viewers joined right now, I'm just going to put the disclaimer out. This is a meme. This is for fun. We're sort of approaching this from a pure, not a bypassable standpoint, because that's just really inaccurate to say, but like having worked against these EDR solutions from a pentesting or red team perspective. And obviously,
yes, it's going to be really, really configurationally based. And some clients might actually make the most out of the solution. Some might not. So just want to put it out there. Big fat disclaimer.

Tekton Rose says, CrowdStrike, MDE and Cortex should be S tier. Sorry, Erika is not approaching it from a red teaming perspective. She's approaching it from a threat hunting and purple teaming perspective. I stand corrected. Thank you so much for that donation last time, Erika. I appreciate it.

So you got... MDE, I don't like... So a couple of years back, I said that I think MDE is going to be the EDR solution to beat simply because Microsoft has all the telemetry they want. Back then, there were still trivial ways to get around, at least let's call it the default setup it comes with. And I just a couple of weeks ago had no issues getting around Microsoft Defender for Endpoint at all. So I'm like, in my experience, I wouldn't put Microsoft Defender for Endpoint as an S tier. What does chat's experience say? Do you guys really, would you guys struggle that much more getting past Microsoft Defender for Endpoint than Cortex? For me, it would be opposite. Like I would struggle probably way more to get around Cortex EDR than Microsoft Defender for Endpoint. And I guess one of the reasons is that you can rentally get access to Microsoft Defender for Endpoint as well. S when tuned. Elastic is an S.
CrowdStrike video without Overwatch. So we talked about Overwatch before you came on, and my experience with Overwatch is that they are typically late to the race. I've had customers be getting calls weeks after the engagement from Overwatch more than anything else. I have rarely had Overwatch affect an engagement.

I never thought I would say this, but I agree with Dom on the MDE placement. I got chills right now. But I actually sort of agree with Dom on the MDE placement. I don't think it does much. Didn't CrowdStrike dismantle Overwatch? I saw some guys at Overwatch say they laid off the entire team. That's actually... I recall such a statement being made as well. Ten toes deeper.

I mean, I gotta let chat decide here, and Kaspersky is apparently a B, even though Emmerich states that it's way harder to get around than CrowdStrike. But I guess this whole tier thing is just to piss people off either way, so it's fine. We'll let it slide.

Okay, let's, uh, let's, uh, thank you so much for the follow. What's the name? Sorry about that, need to find my dashboard. Thank you so much for the follow. Where is it? Recent events. Thank you so much for the follow, active, activate dca.

So I think I'm going to wait a bit for Microsoft Defender. I think there's a lot of other ones we could put out. So let's do Fortinet. Fortinet, just like their... Oh, I don't want to say this, but if there is a brand that I feel just leaks 0-days every fucking month, it's Fortinet. I would... I would...
I'm... Why would a customer of Fortinet keep their firewall solution when they probably have had the most zero days for their firewall solutions dropped the last couple of years? Like actually. Like actually. Can we do a minus one?

So, welcome to chat, Hidim13. Thanks for the input. He says, been working with most of these. MDE and Trend has been the best to work with, which might not be what we are rating. No, we're sort of just lul-fuck-it rating these based on how hard it has been getting around them. But I appreciate the input. And, you know, somebody should probably sit down and actually do the math and get access. I mean, this isn't the thing you do during a two-hour stream. This is like a fucking master's degree if you want to actually decide which of these solutions are good or not. And obviously, we're not. Master's thesis. Wow. Master's thesis. That's what I'm trying to say. Actually doing this would be a fucking master's thesis.

Is Fortinet bad? Fortinet equals malware. Oh god, I love chat. I love chat so much. This series is so fun. I feel like we're talking about all the stuff that we just normally don't air because, I don't know, I, it feels good to just decide on what is in the LUL category, because I get a lot of questions by, you know, potential clients or clients, you know, what EDR solution would you recommend, and what you have to tell them that I'm no expert and yada yada yada. It's kind of cool. New follower, thank you so much, mox researcher, I appreciate that.

Also, just want to cop out here and do a quick one. There's sort of an auction going on right now, and nobody has entered yet. So if you donate any amount of money, and you're the one with the biggest amount donated at the end of the stream, I will send you this t-shirt. It's a very limited edition Evilginx t-shirt that I got from Mr.
Gretzky himself. It's in XL, and the back of it says... It's really dope, so consider donating if you have way too much money.

So Fortinet, probably gonna leave Fortinet at the LOL category. McAfee, you know, if you're coming here right now and you're telling me that suddenly McAfee is as good, as hard as the bypass to Kaspersky, I will leave right now. McAfee is a D, if anything. McAfee S tier for the memes. That would be kind of funny. I am going to upload the Arch Linux logo though. 100% as the S tier. Just got to do that. 100% that is the S tier. There we go. Only S tier EDR solution there is, guys. Fucking Linux.

McAfee is LOL. McAfee, McAfee is a what-the-fuck tier. McAfee is a D plus because the, the creator is special. I don't get it. Creator is special. Lol. Rip. McAfee meme level.

The hardest to bypass for me are Kaspersky and Bitdefender. Just endpoint bypasses. MDE and Cortex, very good though. C tier. Wow. I love the fucking input, guys. This is so great.

Um, so according to chat, Kaspersky ended on the B, so we're closing that poll. I'm going to leave it at a B. I, I'm not sure I agree, and, uh, but, but sure, maybe, you know what, that's, we can, we can justify it being on the B just because nobody would ever deploy this without going to bed at night and thinking that the freaking secret Russian service is on their server. How many IT individuals deploying Kaspersky don't sleep well? That's my argument right there. We need somebody to testify on this. We need some IT people working for a company that runs Kaspersky to tell me if they sleep good at night or not. US, European based.

McAfee's two tiers below LUL. Doesn't go further than LUL. But let's put McAfee at the LUL then. Oh.

So, uh, how many IT people sleep well, period? That's a good point, very good point. Is it blacklisted for a reason? It is blacklisted for a reason. Thank you. Okay, so it's blacklisted. That's new information for me. I didn't know. Every company on the West from Belarus is not sleeping well if they have Kaspersky. We don't, IT guy said. Put Elastic near
McAfee. Really? You think Elastic? Okay, let's do Elastic. I don't think Elastic is that bad. Like, I mean, from like a blue teamer's perspective I would think this has like the best telemetry to look at and the best, best way to decouple the telemetry. Okay. I would put maybe Elastic at an A or B. Elastic is pretty good. Elastic equals B. Elastic is an A plus.

By the way, we can deploy a trial in five minutes for our lab testing. That's nice. I agree. Elastic has great telemetry. Elastic is B. Elastic is good. Props to Elastic for open source. That's so fucking true, Ben Carey. Like, statement. AB. Elastic is a B because it comes free with the SIEM. I mean, I agree. I don't think I can argue with this. Elastic is pretty good. Even your favorite C2 developers will say that. Flashback to the whole Paranoid Ninja versus call stack spoofing, whatever, to get around Elastic. And then it became like a back and forth blog post.

When you make a contract with big US companies, you have to certify you did not use Huawei. Oh, Kaspersky. Lulu. Elastic is better than Cortex in my opinion. That's a...
I mean, according to chat, that's a bold statement, but I wouldn't necessarily hardcore disagree with that. But I don't know if it's Elastic in S tier. I'm seeing a lot of As. Fuck it. Let's do a poll, guys. That's what we're good at. We love polls. I forgot to complete the poll. Where does Elastic EDR belong?

Wow, I think I've never have had so many active chatters before. This is amazing. Thank you so much for spending your Sunday and doing this, guys. It's great, it's really fun, appreciate it. If you're watching this on YouTube, make sure to subscribe and comment. Put the nasty comment why I'm wrong or whatever. Need that interaction.

Need those hours. Actually, if you're watching on YouTube, please mute the video and put it on play and play it online so I can get the hours needed. That would be great. Thank you so much for the follow. Crow? Crow? Yes, it looks like Crow. Thank you for entertaining me Sunday morning. I appreciate that, Akon. Arkon? Arkon? I tried. I tried. A for effort.

The, the, the, the EDR solutions in the lulz category will be sending angry emails by Monday. I've actually met a few people from Elastic and they were great guys. I met them at Troopers. Um, so I, I agree, I agree, I agree, I agree, I agree. Thank you so much for the follow, uh, I missed it, back no cop, I appreciate that.

What did the vote say? I saw that from... Oh, we have an overwhelmingly A's. So we're saying Elastic is an A by 80%. 11 people voted A. That's, you know, two people voted B, one individual voted S.
That's a pretty unified response to Elastic there. That's great. Closing that poll and completing it. Cool, cool, cool. What next? FireEye? I'm going to make a statement here. What do you guys think? FireEye C?

Would Falco qualify to the list? Would be interesting to see if people have that ERL experience with it. Welcome to the chat, by the way, Cube. Good morning. So Falco, was that EDR solution that Emeric mentioned earlier, like a French EDR solution? Falco, oh interesting, is that the Linux one, or wait, is that the Linux one? It looks like the Linux one.

Uh, I wished, I wished Elastic had something below platinum, because eight to nine K per self-hosted node just, just to get the better memory as stuff is stupid.

Yeah, so obviously we're not discussing price points from these EDRs. If we were, then I think this list might have looked very differently. Or maybe not. I don't know. Oh, lol, I didn't notice you, Cube. I'm sorry. I've been ignoring you. My bad. You Swedes, right?

The big missing one here is Sophos. It's used a lot in Europe. I've got some insight from a friend that worked at FireEye that it should end up in a LOL tier. Okay, okay. I'm hearing... No. Are you saying that FireEye is as bad as Cisco AMP and Symantec? Maybe a D? Leaked the deets. Deets or didn't happen, right? Can you link the guy on Twitter? I'm joking. Skelzec is about to drop an opinion. As he so frequently does. Sadly. Sophos should be added. Okay, fuck it, guys. You guys are...
Sophos. Sophos EDR. Wow, I can't type. One beer and I'm gone. Wait, didn't this thing used to be yellow? I swear this thing used to be yellow. There we go. That's a good one. Thank you so much for joining in, Emric. I really appreciate it. Love your input.

Who even uses FireEye? Everywhere I've been, it was decommissioned. Fuck it. FireEye is a LOL. Sophos, then. Is it decent? Is that why you wanted it? I've never ran up against Sophos, I think. Nope. Most of my experience, honestly, has been with CrowdStrike. In the US, seen a lot of CrowdStrike. Seen some SentinelOne. I don't think I've even seen Cortex in the US on the clients I've been working against. Seen Cylance, VMware. Defender for Endpoint. Not that much US, I mean. So far the experience is that in Europe there's a lot more Microsoft Defender for Endpoint than in the US. US seems very CrowdStrike dominated, at least in the clientele I'll be working against. Crickets.

Whatever we come up here, whatever we come up here today will be much better representation than anything else made available on this topic, because EDR vendors go above and beyond to deliberately make it impossible to get a good comparison on their products. Actually, scale sack, I, obviously being, being the guy sitting in the chair doing the stream, I agree with you.

Nathanium. I agree with you. I mean, the whole MITRE detection stuff, the rating is absolutely fucking bullshit. In my humble opinion, you should not buy an EDR solution based on the MITRE test. That is...
That is... according to... you're right. So one, white cyberduck, says it all here: according to MITRE they're all S tier either way, so there isn't really any ranking. None of them are bad, they're all S tier, doesn't matter what you pick.

Lord Gucci fire: hey guys, next Sunday Flan will be doing a special offensive dev stream and sharing some of his tricks. Uh, actually, Flangvik will not be streaming next Sunday because he'll be on vacation. He's going to Denmark on some Easter vacation, watching some esports stuff, going to the, watching the Counter-Strike 2 Major, which is really nerdy, I know, but I'm really looking forward to it. So, next Sunday no stream, the Sunday after, yes. And we have to get back, sorry, we're off, tracking off right now, but this stream has to get back on the technical stuff, you know, I'm starting to lose it here. We have to do, you guys, we have to go back to where you would look at me fail for 15 minutes, you would all point out the bug in chat, and then we would correct it, and then I would blame you, 100%. We have to go back to that.

According to MITRE, they are all shit. 10 toes deeper. Why can't I read? I would agree with that. 100%. Thank you so much for the follow. What's the name? Kitchay, Kitchay. Kidshay? Wow, I'm so bad, sorry. EFTDRs would classify as food products. They'll be shit down the next day. Going for what they do are made of.

Yeah, so that's also been a big discussion point lately. Like we in the open source, we in the offensive security open source community, we share a whole lot of stuff, right? And we get critiqued for sharing that stuff because we're pushing the envelope or whatnot. But the blue side, despite from Elastic, doesn't do that. Imagine if, if, if Cortex and, and, um, some other major EDR would like release some of their baselines for rules. Wouldn't that, you know, be greater good, better than what we do when we, uh, when we, uh, release the open source offensive security stuff?

I forgot where we're at. So we're rating Sophos. Are we happy with leaving
Sophos at a B? I'm seeing C or B. And I know Ben Carey claimed to actually have experience with Sophos. Cortex rules are all in the agent. You don't even see them as a customer. Yeah, that's what you paid for, right? You don't want to know how it works. You just want to trust it to work. That was a joke.

I mean, some people do that through signal detection, platform agnostic detection languages. Yes, I mean, all of these tools spit out telemetry that you could either pay or not pay, create further detection rules on. If you do some engineering, you can pretty come up with some generic good stuff. In my opinion, SentinelOne is better than Sophos. Sigma logic is how defenders share logic. I love that we actually have a...

Glad to see the Symantec in the LOL category. Yep, we all pretty much agreed. The one thing we have in favor so far, chat, is that we all instantly agreed on the LOL category. There were no discussions. The Trend Micro initially went in LOL, but then we gave it a D, which was better. But yeah, Symantec, it's legacy in my opinion.

Uh, I, I mean, we're leaving Sophos in zero B. Maybe we should just give it a C then, since, since it's, it's empty. I'm gonna leave it at a C for now. Usually, last time we did this, we sort of did a round up at the end and we ended up moving some because it didn't really make sense from like a rankings perspective. That's where we added the A plus plus tier and then we put, uh, Nighthawk and brutal down in the A tier because they paid and whatnot.

Let's do CrowdStrike then. I've been working majority-wise against CrowdStrike environments while working at TrustedSec. And my opinion is that CrowdStrike is very dominant in the U.S. EDR space. They do very well. Obviously, since they sponsor fucking Formula 1 drivers and cars and stuff. Or Formula 1, they sponsor Formula 1. But I think they're a bit overhyped, to be 100% honest. I think somewhere between A and B.
I know CrowdStrike has a gap when it comes to scripting. At least in my experience, they're not that good when it comes to scripting. CrowdStrike got to be in the A tier. You're probably biased because you've seen them so much. True. They all have gaps with scripting. Probably true. S, come on. Really? Are we saying... No, I think Arch Linux has to be an S alone for the meme. I won't give CrowdStrike an S. There is no way I'm giving CrowdStrike an S. Sorry.

It's a good question. Nothing is S, right? It's a good question. What is S if not CrowdStrike? I agree. But if I were sitting here alone, I would probably do something like this instead. Put Cortex as an S or Elastic as an S. I don't think CrowdStrike deserves the S. I am so sorry. We agree, every agree. Um, that's a brilliant fucking name, PotatoesArePeople2, you crack me up. Uh, let's vote. We can vote. Let's, fuck it, let's vote. We got really democracy tech number one. We got really hard on that. Okay, let's do CrowdStrike then.

A, B, and S, and start the poll. Let's go, boys. PotatoesArePeople2, great name. Any opinion on ESET Inspect EDR? No, never ran up against it. Sad falcon noises. White cybernetic gunshot noises shooting stupid Burke. Oh, this humor, this chat right here.

Is it bad that I shorted the LOL tier company's shares? I want to pin that comment so bad. Can I pin it? Yeah, by the way, we're doing work. I'm giving you guys stock tips after this, by the way. We're buying some stocks. As if. Did you guys...
I'm assuming you're referring to... uh, what's the guy's name on YouTube, the tech review guy who trashed that electric car and then the, their stock just plummeted? Uh, what was that again? Fisker. Yeah, he, he single, his review on YouTube single-handedly crashed the Fisker stock. That was so funny. Yeah, MK, MKBHD. MKBHD. That was so funny.

Let's see. Wasn't BLUESPAWN an EDR in the blue team village, made by red teamers, open source, probably discontinued, remember it from DEFCON 28? I never heard about that, but that sounds cool. I know, I think Rastamas sadly isn't in the chat today, but I am fairly certain that he made a really like baseline proof of concept for some of his lab stuff. I think.

Put CrowdStrike. Okay, everybody, let's short CrowdStrike stock and then I'll put it in the little screenshot. Everybody retweet. Easy money. Let's go. Long time nobody in LOL tier. Time to review Carbon Black. No one knows we agreed on the outcome with Flangvik before stream. It won't classify as insider trading. You're really putting me out there, aren't you, Skalsak?

We have over a thousand viewers, which I do not believe. Again, YouTube, Twitch, Twitter combined. If you're just tuning in and being all like, wait, what now? This is sort of a joke. We're classifying EDR solutions based on the experience we have from the offensive security space and not from the price or configurability or deploying whatever. This is just more of a fun one. But yes, if your company uses an EDR solution in the LOL tier, I would argue strongly reconsidering not doing that. Everything else is discussable, but the LOL tier, I think we can all agree. I think we can all agree on the LOL tier.

Uh, sometimes I wonder if EDRs are trying to block red teamers or really threat attackers. There, I said it. That's, uh, that's actually a really fair statement, and I, I think most of the time, uh, there's a big distinction there, right, Erica. So you have...

Some people do attack simulations and then some people do attack emulations and they're very different,
right? Attack emulations usually tries to mimic a known threat actor and their techniques with some spin, and then simulations you just do whatever you want and you are your own threat actor and you try to be as funny as possible. Funny, why did I say funny? You try to be as advanced and sophisticated as possible and in line with what you express in a company. But yeah, I think you hit the nail on the head there sometimes in some cases. Both obviously, Erika.

Yes, Flangvik, I made this meme for your channel. You can't send links. Can you send me the link on Discord, Cube, and I'll repost it? Sadly, I have links turned off because I don't trust you guys at all. I have you on Discord, right? Yes, I do. Hello. Link, please. Ark. Ark, yep. Nightwolf in the chat. Thank you.

EDRs put Atomic Red Team specific detections, otherwise customers will say that they don't detect everything like components X and Y. And you are actually sort of discussing a very important issue with this, is that a lot of customers will allow themselves to get amazed by the EDR solution showing them what they detect. Like if, if, like, um, um, the best way to know if your EDR solution is working is probably to have a proper assume breach done, or multiple, obviously. Purple teaming, yes, yes, yes, but again, purple teaming, you're, you're largely like, there's, there's, ah, there's, this is a too much of a discussion. I don't want to go into this. This is not why we're doing the stream, but...

Maturity is a key word here, right? Purple teaming will get you from the baseline a bit up, and then maybe you do an assume breach to catch on more and like fine tune some more, and then every time we do a pen test you fine tune and, yeah, it's a maturity process, right? It's not an EDR solution. It's not something you deploy and then you will magically detect everything out of the gate. You will not. That's not how it works. Big distinction. Yes, yes, yes. It is the same for red teaming pentesting. At least there is a big overlap with LOLBins, TTPs,
etc. Correct. Bulldunsex says, for me, CrowdStrike is S tier because the majority of the time it detects actual techniques and not commands. That is a good point. Ideally, you would do both, right? But sure. Why you don't trust us? Is Wazuh an EDR? It's free. Anyone use it? Never heard about it.

1000% people seem to agree with you, Erica. Arch Linux is 100%. 100%, you cannot bypass it, impossible. No need for EDR, you just use Arch Linux, right? Erica is building a fan base here, I love it. Okay, we got a meme here from Cube. Oh god, are we really posting? This was a good one. 10 out of 10, Cube, 100% posting this in chat. Oh wow, that was a good one. Oh wow, that was a good one.

In my, uh, email, the EDR tool is nowhere as important as the team monitoring it. Correct. The org coverage and the return of investment from the arc regarding incident in terms of block isolation. So I 100% agree with you. When, when clients come to me, uh, sometimes and they ask, you know, what is the best EDR solution, yeah, I tell them you hire a really interested, and what's the Norwegian word I use, an ildsjel, no idea what that is in English. You, I, you hire an individual that actually cares about what they do, and then you train that individual and you pay for, pay for whatever that individual needs to get up to date and how stuff works, and then you let that individual actually set up how you're supposed to do detection.

And what I'm trying to get at is that there is no license. You cannot spend... You can spend a million dollars a year on EDR solutions. It will not fix your... It will not 100% get you the coverage you want. You need actually...
You need boots on the ground. You need boots on the ground. You need people. You need experts. You need individuals. Oh, sorry. Rules of engagements. My bad.

Can you put WithSecure as a B tier? I think they deserve some recognition. Not sure if anyone here can collaborate, but I've worked there at their MDR for five years. WithSecure, have not, I think I've heard but never ran up against. Favorite, hands down. And then that individual leaves to work at the Fortune 500. You are, yes, you are.

Yes, sometimes that happens, but then they will come back because they realize that working at the Fortune 500 company is fucking miserable. Sorry, I said it. Called the Countercept. There's so much going on in chat right now. I'm having a hard time keeping up. We got to move on. Time is running.

So let's do Webroot. I think I did some initial, like way back I did some initial bypass testing with Webroot because it was pretty cheap, and now I'm starting to question myself if it's even an enterprise solution or if it's actually like an AV solution. WithSecure, okay, do we have a challenger for the S tier with WithSecure?

Everybody in the chat who actually works for any of these companies, again, this is a joke. Don't sue me. This is a joke. This is just for fun. Uh, I just want the logo, please. Oh, probably epsilon, okay.

Okay, that's a really bad photo. Frick, frick, frick, frick. How do I fix this? This, yes. Now there's not gonna look, it's, um... Okay, thank you, thank you for that picture, WithSecure. I appreciate you contributing to our turn list. There we go. Okay, so WithSecure, what are we giving it? We forgot about Webroot now. There's so much going on, chat.

WithSecure Countercept is pretty solid. I agree. No, I don't know what to say. I've never ran into any of them. But if you say, Dom, I believe you. And then. So we got one individual here saying that Webroot is huge in the MSP market due to favorable deals for reselling multi-tenant management rather than necessarily efficiency. Cool. Ben Carey, a generous assessment, in my opinion. Okay. So,
Webroot is LOL then. Ice. Take your skills. Sorry for the people in chat who have been there since the start of the stream and have to keep listening to me saying that, you know, please don't sue me. I'm just... I see, like, we're 200 more viewers now than we were a couple of minutes ago. If this is not lying. So I just want to make sure everybody knows that this is for the meme. This is lulz.

So people agree with Dom, B tier is correct for WithSecure. Cool, cool, cool. Are we saying that WithSecure is worse than CrowdStrike then? We are? It's not an A tier? Yes. Just you wait, when I post this on Twitter and then some individual at some company I rated is gonna be like, no, how could you do this, yadda yadda. Prepare for the worst, always, guys, always. Uh, WithSecure is B. That's why I'm, since I have zero experience, I'm just gonna trust Dom and scapalo.

Okay, Cylance. Again, I have two very different experiences with Cylance. First experience was that it was pretty much a LOL, a LOL or D. And then the second time around I ran into this individual who had configured Cylance out of his mind, and it was, it's, it was in a, it was in a medical field, not the medical field, but it was essentially a hospital, and the computers that were stationary in that hospital, uh, didn't run a whole lot of different things throughout the years, right? So he had a really, really nicely tuned, aggressive Cylance configuration, and I was struggling. 100%, I was struggling with that.

So I, I, I can testify that Cylance has the capability to be it, but no, if, if most experiences you guys have with Cylance is not that, then they're changing. People who do those products know exactly how they suck. Anyone does. Get the ad for this crack ad? Lol.

Did they also have many false positives, the company with Cylance? So they didn't, but again, I think a reason they could have such an aggressive configuration was because that the, the computer stationary that would be deployed onto were, um, again, they were, um, like, um, their workflow didn't, uh, didn't
introduce a ton of false positives or didn't introduce new stuff continually, which is why they could tune that, uh, tune it that aggressively. So no, the point of contact told me that, uh, they didn't really have any issues. I, that was the first, one of the first things I said, is that, you know, is this a real configuration or did you tune it up for, for the test, or what's going on? And he said no, and he didn't have a lot of false positives with it.

It's almost as if architecture and whitelisting was the answer all along. And yes, for the companies that have the luxury of being able to do that, and that's doable. But for a company of a certain size, traveling, going all over the place, maybe touching upon different fields, whatever, it's really hard. It's really hard to put that down in terms of what one user can and cannot do. And five years ago, everybody, or five years ago, 10 years ago, everybody was running as local admin, right? I was fine. And then we started introducing privileged access management, PIM and PAM solutions for elevating and requesting access. And then now it's all just company portal, right? You can't download or run any application outside of the company portal. And it's all progressing, right? As we had that. But then again, you have these shitty applications that do weird stuff. Like if you, if you, obviously don't do it on your work computer, but download a bunch of common applications on your computer and then just run, uh, Process Monitor and Process Explorer and just collect logs, and you will see how much shady your common and daily applications do. Like invoke random-ass PowerShell, uh, dropping and loading unsigned DLLs in AppData. Like there's so much stuff that an attacker can analyze and blend into. That's, that's what makes it difficult, right?

Seems like the answer is breaking of the big companies and problem solved. Yep, 100%. Maybe the EXR was inside of us all along. EDR, okay. Cool, cool, cool. So, Cylance, guys. I need a vote on Cylance. I need some input. If nobody has
had any major experience with Cylance, I'm just going to put it in a C. A C or a B. I think if nobody in chat have ran into it, that probably says something about the solution.

Nightwolf, everything was a random plugin that kept using clipboards to shuffle encoded PowerShell around. Totally benign, but look really odd. Right. That's like a class A example of how difficult it is. The real endpoint protection is the friends we made along the way. Okay, we're getting off track here, guys.

So, uh, insanity says, uh, you know, just understanding the business process app mapping is in my opinion the second hardest thing in org will do, hardest being retroactively classifying data retention. Uh, that's also a good point. Data classification, data retention, and that is like a paper mill of work, but, uh, it's, it's important. Like especially with SharePoint being flat as and people just openly or overly sharing. Like we did a cloud test, or did an assume breach, that pivoted into cloud a couple of weeks back and found that a director in this company had just shared her entire OneDrive folder with the entire company, with passports and social security numbers and marriage licenses and their freaking employment letter with their salary on it, right? So yeah.

We got off track here. I've never seen Cylance myself. Only heard about it through colleagues. And haven't heard anything negative about it. That's kind of... Doesn't say a whole lot. But yes. It's not LOL. It's essentially, what's that saying. Just throw the rest in LOL and call it a day. Let's do TTP next week.

We're gonna rate TTPs? No way, we're done. We're done rating after this. We're taking a break and then we're doing a new round next year or whatever, but we gotta get back to technical stuff. I wanna code some stuff. You think Carbon Black is LOL? Okay, let's leave Cylance at a C because we didn't get enough input and I'm not comfortable giving it a D or a LOL.

Let's do Malwarebytes. My first initial response is, wait, is Malwarebytes an EDR solution? I thought
that was just like in consumer. Yes, it is. I thought that was, I'm mostly familiar with Malwarebytes way back, you could like boot an image from them to scan your machine offline. Or am I hallucinating? Did they have something like that way back? I guess a lot more like...

Demo Malwarebytes endpoint detection and response, EDR. Expand visibility across your business attack surfaces with Malwarebytes EDR, backed by proven detection results in the 2022 MITRE ATT&CK evaluation. Fuck yeah, guys, MITRE. MITRE is, I guess, the pronunciation there. EDR versus AV. But what about EDR, XDR, MDR? I love my radio voice.

Let's close the poll for CrowdStrike, because that's done. Closing. Completing. A1, that's fine. Do we need a poll for Malwarebytes? Like, show of hands, how many people have hands-on experience with Malwarebytes? Finally, you're hallucinating shit like, yeah, I'm talking to yourself in an empty room for hours. I've seen Cybereason a couple of times. Not that bad either. So we got inputted. I've never seen it. I had it caught it. I had it. I had it catch nothing. I'm assuming you're saying public system conflicts are better than Carbon Black. Only inserts one post ransomware kill chain. Okay. Uh, so see them. Or not. Are we saying it's so heavily, like are we saying it's like essentially a post-compromise ER thing that they used to lock things down more than anything else, or... Okay, okay, fuck it, then we're not doing Malwarebytes.

So good that you came in the chat, Dom, because we, I started off with Cybereason and nobody had any experience with Cybereason. So Dom, I'll give you the full power of rating Cybereason. Everybody listening, Dominic Chell from MDSec is now stating that Cybereason is the tier of, drumroll, please. What are we giving it? Don't cop out, you can't come out now, we got it. You got to lean into top quad. Oh.

Don't chicken out. Come on. Give me a, give me a rating here. You're the only guy in chat with experience on it. Gotta give me a rating. Welcome to chat, M2 RC, welcome back.

Dom is not giving a rating
or he's typing frantically. I'm gonna assume the latter. White cyber deck, Erica, it wasn't, it was 1Password. They had an Okta, right, I remember this, they had an Okta incident and ran the free version of Malwarebytes and that everything was okay. Dominic, something something disclaimer.

Dominic, you cannot pull the my employer thing. You are your employer. I'm kidding. Dominic, with the disclaimer of this is not the opinion of my employer, says I'm going to vote a B. So we're giving Cybereason a B. Dom is in the Twitter chat, it seems. I'm viewing multi-stream. You guys can't... Wait, can you see it, right? Yeah, you can see it in chat. He's on Twitter, I think.

Oh, can we do... I mean, if you guys can peer pressure Adam Chester to get on the stream with me, I'll happily do single sign-on applications or single sign-on providers. I mean, not single sign-on providers, but sign-on providers, essentially, right? He did that amazing talk and blog post and, you know, been abusing that heavily internally at TS for a bit before he just moved on to SpecterOps. Congrats on him, dude.

Cool, cool, cool. Okay, so we got Carbon Black, Defender and Bitdefender left. Microsoft Defender for Endpoint, I'm going to give... Um, so again, I said it at the beginning of stream, we're way more, more people, oh, almost 30, 37, uh, viewers now, but, uh, Microsoft Defender for Endpoint in my opinion is probably the EDR to like watch out for or follow, because in my opinion, you know, logically here, Microsoft has all the telemetry, literally all the telemetry, and if they can get their ass around and stop renaming products and actually do something, you know, Microsoft Defender for Endpoint could be truly great.

Okay, so again, Microsoft, if anybody here, please stop renaming shit. We don't care. We just want to use your stuff. And we would also like the free stuff to come back, like developer stuff. We don't have to pay for it, that would be great. So we're getting ratings from Microsoft at the end point. We're seeing A, A, A, A.
It causes me so much heartache. 15 years ago at GovCo, we officially rebranded single sign-on to simplified sign-on because single was never, ever achieved. That is technically true, I guess. Together with Azure, Microsoft 365 stuff, MDE is an A. I sort of agree. If you have the money to give Microsoft all your hard-earned cash, and you go for the full stack, and you also do manual stuff on top of, what's it called, the Sentinel-1, right? Then yes.

Since apparently S doesn't exist, I vote A. So you think MDE is technically S then? You would put it there. Telemetry is pretty good and prevention is very strong. I agree on some levels. MDE is by itself decent, but combined with their full suite, Defender for Identity, Defender for Cloud, etc., it is really good. So I agree with that. I think we're going to leave it at an A. Like we're seeing an overwhelmingly A in chat. And like all the other solutions, the more you configure and do your own research, the better they get. And, you know, obviously, if you're a Microsoft house, it makes sense to have the two other accompanying products. The biggest downside being that Microsoft is probably going to rename this 10 more times before we do the stream next year. Like in the beginning it was called Microsoft Advanced Threat Protection, and then it was the Microsoft, then they did the whole thing, Microsoft for Identity or just Microsoft Defender, and then it was the Microsoft Defender for Endpoint and...

Insanity says, forget the naming problem, how about Microsoft stop making securing the product cost one third to one, one, like half extra. That's very true. Microsoft is, is greedy when it comes to money, for sure. And it's also one of those things that I think sell really well because you have a lot of Microsoft based consultant houses that will sell you these licenses because they get a cut, just like with user licenses, right?

As long as you're not using Cobalt Strike, Microsoft Defender for Endpoint isn't really a problem. Dom says, Skellsec says, Microsoft
Defender for Endpoint reputation was bullshitting me for an hour and goated us. Rep, sorry, not reputation. Paying customer for weeks, they can suck it. Microsoft Defender for Endpoint should be higher than CrowdStrike because CrowdStrike just sits on AMSI. I disagree with that one. To be fair, half the time the wounds is their fault to start with. They want you to go to the cloud.

I think Microsoft Defender for Endpoint deserves an A, but I do agree with Dom is that I personally, I haven't had a lot of issues. There's really specific things that you won't get away with from Microsoft Defender for Endpoint, including stuff like LOLBins. And they also, last time I checked, has a pretty good detection for sideloading attacks. You know, a trusted application sideloading a non-trusted application and whatnot. But scripting is still a weakness at some levels. And, you know, stuff like XLL, which has been known for years and is nothing new. When generated with the correct tool, bypasses Microsoft Defender for Endpoint just fine. Which is great.

So Pavel says Microsoft input might not be as good as non-Windows machines. To be fair, I think we concluded earlier that all of these EDR solutions are ass on non-Windows machines. That being Linux. And I think that's probably one of the bigger gaps so far. Ensanti says, but we had 10 years of it. I'm not sure what your problem is, but the solution is more Azure committed spend. Ben Carey says, yes, executing Mimikatz from GitHub in memory is far too easy with MDE. So you'll probably get that stuff running, just probably patching MC, right? And you're good to go, but you'll get nuked off like half an hour or whatever when the cloud stuff kicks in, is what I'm assuming. Microsoft Defender Endpoint, Cloud, AACR, Identity, sorry, and AACR, really good. Add VDAC, and then the normal things pop up easily. So yes, if you give Microsoft all the money for the full stack, you can do cool things, for sure.

Did we ever get that Linux EDR? I think somebody found it
earlier in chat. I'm essentially just like a bot reading chat at this point. Uh, I can't quite see the name there. Laughing, laugh, Laughing Mantis, Microsoft Defender depends on the people behind it. It can, it, it can be incredible but it can also be lol. Depends on the team putting the effort behind it, but it's a full-time job managing actual products

polymorphism. Yes. And you know, you wake up, you go into your control panel and new name. Interesting.

So again, more new viewers, we're, we're, we're just loosely, for lulz, rating these. There's no actual science behind theirs, we haven't tested them. Like we are, we have a wide scope of experience with everybody, everything in here, and end of the day the EDR solution is itself, it's not, it's just going to be as unless you actually set it up and configure it accordingly to your organization. Microsoft E-license stands for expensive. Falco EDR, yeah, that was the Linux one

Cool. Okay. So, uh, we have, uh, Bitdefender left because we decided to skip Malwarebytes. Uh, oh, VMware. Sorry. Forgot about VMware. Uh, Bitdefender guys. Do we want to do, uh, the final, uh, do we want to do a poll on that one? Again, is this a proper EDR solution? I hear Bitdefender. I think AV. Bitdefender endpoint detection and response, EDR. What is it? I swear if they refer to the MITRE thing again, that's just... Oh, Bitdefender actually probably didn't do good then on the thing since they don't refer to it. And some random company named them a leader in endpoint security. Wait, you're posting links again, Cube? Come on, behave. Where you at? Send it to me, I'll repost it. Next week is XDR, right? Nope. We're so done with the fucking tier lists. Goddamn, we gotta go back to doing technical stuff. He said...
Most underrated product? That is up for surprises. For all I know, they are no longer around. They're doing stuff, I'm assuming. We're not ranking anything. I'm so tired of ranking things and then getting shit from the sidelines. It was really fun though. Obviously engaging since we had so many people in chat. It's fun. Guys we got it. We got to put Bitdefender somewhere. Let's do a poll. I don't care. Let's just do a poll. Okay, if nobody got any experience with it, we'll just, I don't think it's like we're established. Nothing is an S tier, right? So you guys are thinking lower bracket? Let's modify this a bit here. So you're thinking Tire Bb tear, I keep saying tire, so dumb, tear. Let's do a final poll, A B C D, let's do

If we don't rank them, how will we know what companies to shit on on Twitter? It is a hot flaming pile of garbage. So D should be fine. D, and then I started the poll and we're seeing... Who the fuck voted S? You're trolling. You're trolling right now. Wait, there is no... No, fuck no, there's no S. What are you saying? You troll. You're trolling out here, giving freaking Bitdefender the S. Only Arch Linux is S. We established this. Are you going to be able to sleep tonight? Hopefully. Ah, this is fun though. It's truly amazing that we managed to engage so many people on a fucking Sunday to argue about overpriced AI wrapping, if looping solutions. We got an overwhelming D for Bitdefender, meaning it's in its right spot. We want the winner, no prisoners. Okay, let's do an MDE poll. So we got 70% on D, so I'm just gonna close this poll and then complete it and go back to Reno. And then...
Final call. Okay, I'm gonna be specific to full stack defender because when we did Cortex, we sort of also assumed that it was connected to the Palo Alto firewall, making it XDR or whatever. So I'm gonna do Microsoft Defender for Endpoint full stack, meaning the identity and the fucking, the cloud thing as well. Full stack MB. There we go, poll started. Whoever voted A is capping. This voting stuff is the best thing I learned this week, I think. If you're watching this on YouTube or anywhere else, please consider subscribing to my YouTube channel if you want to see more dumbass content. I do actually have some educational videos up if you want to go look at them. And I'm hoping to make more now that I work in a Norwegian time zone and sleep normally and stuff. Not that that was bad, but yes, yes. You get it. Also, final call, guys. The thing about the t-shirt thingy is that we're having an auction. Nobody has entered yet. Donate to participate in the auction. Whoever has the biggest amount of money donated, meaning more than zero at this point by the end of the stream, gets this limited edition Evil Jinx t-shirt in XL. And the backside says, how much is this fish? Oh, fucking text. Give me a second. Yeah, if you donate one cent I will ship this shirt to you. If it stands, meaning if nobody beats you, yes, then then you will get this. I, for, I fucking forgot Carbon Black as well, I

We're seeing a lot of A's and... We're seeing... No, guys, are you trolling right now? Are we putting MD in an S? S is... What? I'm going to get... I'm going to get fucked so bad on Twitter from this. Some of you are going to be like, no, CrowdStrike much better. Are we serious? You're trolling me at this point, right? Come on, guys. A squad. 50-50 A.
A squad. A squad. Come on. Come on. I can vote. I can vote. I can vote. No, what? Come on, AA squad! Thank you so much for the follow, LaughingMentus, I appreciate that. I should just close the poll right now before somebody jumps in with an S.

No, no, I'm gonna leave this poll for a bit. I want A. I don't, I don't think MD deserves the freaking S tier at all. You're just trolling, trolling me at this point, and most of the chat has already started talking about Carbon Black. So, uh, my, my impression with Carbon Black is that it's also one of these incident response tools that gets deployed more than something you actually run on everything. Anybody, any experience with that, that agree

Somebody... Why did you vote... You can't vote C. You have to vote A or B, Mantis. A or B or A. You guys voting B are just fucking this up because it's gonna be S. You can still change your vote. You can still change your vote. If you type vote and then again, it will change your vote. So if we decide that S tier is wrong, then... Oh, we got a new donation! Cube donated a single dollar. Thank you so much, man. No, wait. Erika! Erika again! Donating 13.37 dollars. Appreciate that. You actually want this t-shirt now, Erika. Or do you want me to keep it again? I will send it to you. This is actually a dope t-shirt, though. 10 bucks, LordGucciFire. Thank you so much, guys. Currently leading is Lord Gutschifier. I'm afraid I'm going to have to ship this to the US, ain't I? Nsanti says, we have used it to enter response. We now run CrowdStrike, full stack MD, or something I haven't heard of, depending on the customer. Dom's saying he would have voted C.
I'm going to go out on a limb and say I should have added it, but right now it wouldn't really affect it, right? So are we disqualifying Carbon Black? Fuck, I have to add C, don't I? Okay, I'll add C, guys. Just to be fair. No, I can't edit it. Fuck, I can't edit it. I'm sorry, guys. Like, A tier is winning with 53% right now, so I should just close that poll. Close that poll. WithSecure is here, right? Or Secureworks, right? That's the same Nsanti. Stop the vote! I saw the 3037, Erika. That was fun. New donation. Donated with what now? 5 bucks. Okay, so LordGucciFire is currently leading with 15 bucks. And we'll get the t-shirt. Erika was in the lead before that. By the way, this money is going to get my ass to DEF CON Black Hat, so it's... I'm not gonna... Technically, I'm gonna drink it up. I'm not gonna drink it up initially. I'm gonna buy a plane and a hotel and then I'm gonna drink it up. Okay, I'm closing the poll. Closing the poll. You... Closing poll. Meaning that MDE ended on an A. And I... If I were to pick, probably put it at B. Exorcist 1 tipped $13.36. Appreciate it. Sadly though, you're like $2 behind Lord Guccifier, who has totally tipped $15. So Guccifier is still leading. Oh wait, it's full stack

Voting S are probably combo strike users. Probably correct, Dominic. Full stack, full stack, right? Full stack, sorry, sorry. A tier full stack. I forgot that I said full stack. So that's it. We're disqualifying Carbon Black. We're disqualifying Malwarebytes. WithSecure, we have pushed out, just this is an old logo. The one on the left is an old logo. This is cranked. So if we look at this now, what would we change? Like, whole impression. Should there be a tier between S and A++ on A? Should there be an A++ tier that we should put Microsoft Defender for Endpoint in? Full stack, again, not just the Defender for Endpoint solution, but the entire stack. Pictures...

Wow, Cube donated 20 bucks. I appreciate it so much, my Swedish, Swedish boy. I appreciate it. That's way better for me in terms of shipping it, which
is great. So currently Cube is leading with 20 bucks for the t-shirt. Cozy says, I would personally say B due to the fact that it can either be really good or really bad, depends on how it's set up. I'm screenshotting this from Alfred but not even getting ranked

Yes, so TechnoBro, the, the Carbon Black application control can be challenging. I've had to deal with that, uh, a few times, and that application control will actually even catch, uh, DLL sideloading from a legitimate application, from a whitelisted application, which is cool. Dom, don't come in here and be all logical about CrowdStrike EDP etc., don't be like this

Got, we got to make sure we piss some people off, right? We got to make sure somebody will retweet and be like, you idiot, they should be, this is wrong, whatever. So, but I appreciate the concern though. Yes, Kaspersky. So, uh, bull done sex says that Kaspersky should go down, and then Kaspersky, sorry, and then CrowdStrike MD should be A plus plus

Kaspersky, Kaspersky, this guy

That's probably right. Jason Lang, my previous boss at TrustedSec, ran Arch and it was so funny every time his Zoom call crashed. And we asked if he got Linuxed and he did get Linuxed a lot. That was funny. Let's vote on which one is the best among the A tier. A tier, MDE, CS, Cortex, Elastic. I do think there is a case to be made about having an A++ tier. So I'm going to do it. Like last time, aim at A++, A++, oh god. Wait, I got a fucking US keyboard, I haven't fixed it yet from last time. Oh wait, this is A. There we go. So who deserves the A++ then? Out of interest Lord Gucci fire were in the world. Are you located? Oh, the poll, my bad guys, are they close the ball, completing poll. So about that, poll's gone. Thanks for the input. In my experience, the CrowdStrike EDP is much better than MDI. EDP, is that gonna be like identity protection something?

Yeah, Falcon identity protection, identity protection services USA. Cool, no worries Lauren. Streamlabs, thanks for being specific, 52.380950. Democracy, right? Democracy

Streamlabs is very...
Cubex has tipped another 15 bucks saying, bid war kappa. I like this. You guys go. So Cube is currently leading with $35 in the lead. I might actually go to Vegas. This is great. I appreciate it, guys. Again, this is not mandatory or anything, right? You know that. I appreciate it, though. Bid war kappa. LordGucciFi put in another 10 bucks, so LordGucciFi is at... I gotta do quick math right now. 10, 20, 30, 35, and then Cube is at 15... 35? They're both at 35? You guys want to split the t-shirt then? Wait, am I drunk? I'll figure this out guys, there should be like top donor or something something. Give me a sec. How the fuck can I see that? Fuck! Okay, doesn't matter. Somebody's leading and I think it's an even right now

Thank you so much for the follow. Potatoes are people too. Again, third time I say it now. It's a brilliant fucking name. Streamlabs is very broken. Okay, so I vote for Elastic on A++ because they aren't bitches. Fucking content right here, boys. I think Elastic is pretty good. However, it lacks a lot of static detections, in my opinion. Elastic is super good at detecting anomalous stuff in memory. I think the best thing about Elastic is that, correct me if I'm wrong, at least their rule sets are open source, right? New donation, Laughing...
Oh, wow. Laughing Mantis donated $50, snagging the lead on the Evil Jinx t-shirt. Thank you so much, Laughing Mantis. I appreciate that.

That's like, it's like half a burger in Vegas I think, maybe, maybe, maybe three quarters of a hamburger in days. I appreciate it though, thank you so much. Uh, okay, so I, I sort of agree, I think, but

Okay, they're having a, we're having discussions right now. Consider it the free drink in Vegas. I appreciate it. Thank you so much Lord Gucci fire with another 20 bucks putting him at 55, 15, 35, 45, no way, you're at, yeah, you're at 60 bucks. Lord Gucci fire now at 60 bucks. Bringing up my calculator for this because I don't wanna, don't wanna lie. Oh

Yeah, he's at 55. 55. Mox Researcher says, Mox. Fen for Endpoint, CS and Elastic are all A++. I'm... So, BulldanSec has a really good point. CrowdStrike and MDE due to their full stacks, which is probably, honestly...

These are all my savings, I hope I get the t-shirt. Dude, now I feel bad, shouldn't have done that. Is it a Scooter t-shirt? No, it's, uh, it's an Evil Jinx shirt. I'll again, I'll explain this, last time I explained this now just because I don't want to be all hair selling, but, uh, we're having an auction for this t-shirt. Can you see it? Can you see it? Yes, it's

on the back it says how much is the fish, which is probably a Scooter reference, yes. Freaking sick. XL size, and I think it's, uh, it's all in Polish so I actually don't know if it's like unisex. I'm guessing it's unisex XL. I'm sorry, I need that shirt

MDE full stack is better than CrowdStrike full stack. CrowdStrike XDR UI is awful too. Are we really saying that Microsoft Defender for Endpoint full stack is that powerful? I am literally flying from America to see Scooter next week. Wow, you're flying to Germany then? Where you're flying out to

Amsterdam, cool. I'm going to Amsterdam in May as well on vacation. Okay, so this is the final draft, guys. We gotta end the stream soon. Final draft. What do we think? S tier, obviously no debate. The only debate really I see is between the
contestants of A and A++. I feel we're sort of underrating Cortex XDR because it's full stack with the Palo Alto firewall, also has crazy network telemetry. So, B...

So just to be clear, the B isn't really organized in an order that makes sense. Like SentinelOne isn't better than Kaspersky or anything like that. Okay, we're getting input here. Cube saying move down Kaspersky. CrowdStrike back to A++ and rearrange B. Put Sophos in D-. Wow, this is hard. Cortex A++. Cortex should be A++. CS and Cortex A++. This is hard. Defender, Krazarek and Cortex A++, keep Elastic in A. A++ Cortex and CS

By 14x6 feet deeper. Burry 14x6 feet deeper. MN needs to drop down. Full stack though. If I had to pick two, then MDE and Elastic would be A++. So you're...

It's Fortinet in the 9.8 little CVE tier. Oh god, this is great. Should we really make another tier called like CVEs? Or like an 0-day? 0-day? Liability? Should we make a tier called liability and put Fortinet in it? We should, we should 100% make a tier called liability and put Fortinet in it. Oh wow, I hope you guys agree that that is hella funny because I think that is hella funny. Yeah, the top bid is 55 Cube, yep.

Okay, we're doing it. Oh wow

Erika, you can keep suggesting tier streams, man. I'm taking a break from tier streams. Wow, poor Fortinet. Screenshotted and sent to the local Fortinet guys. Wow. I think I'm gonna make... Why is Arch the S tier? Because DarkCypher, we sort of decided that no EDR is S tier. So the best thing you can do is just run Arch Linux, right? Fortinet has entered the chat.

Then tier list, the tier list streams. Hey, uh, Dominic, actually do that, send me a Nighthawk kitty, I'll happily auction it. Hit me up, I'll give you my deets. That'll be sick

Run Hannah Montana always and you can't get hurt because no impact runs on it due to dependencies. Okay, in my humble opinion, I still think Microsoft Defender for Endpoint is rated a bit high, even with the full stack. So I am going to make an executive decision. I'm going to put MDE on A.
And I do think Cortex XDR with its full stack and CrowdStrike with its full stack is going to be an A++. Now I'm open. Last discussion here. Any input. Is that wrong? Just tell me. Type wrong in the chat if that is dumb. If you want me to move MDE full stack back up to A++ and you agree that the A++ stack should be CrowdStrike, Cortex and MDE, let me know. BuldanSex says, A++ is now good. They have good capabilities. Just Kaspersky and Sophos won down in my opinion. 100% agree. 100% agree. It's all good, man. Thanks for the stream. Appreciate it, TechnoBro. New follower. Sonboos03. If you think about extendability, Palo and CS definitely have it above Microsoft. Agreed, MDE feels like it's too permissive

Kaspersky and Sophos. So the BulldanSec, earlier on the stream, we had the guy who develops the MacroPack Pro private toolset and public toolset. And he said that Kaspersky is one of the hardest EDRs to bypass from a Technonauts perspective. And that CrowdStrike was a cakewalk compared to Kaspersky, which is why we put Kaspersky so high up on the B1, even though, you know, if you live in the US, you aren't allowed to install it. You're sanctioned to use Kaspersky, which is kind of funny. I'm just curious, what's with the reasoning for SentinelOne being a B tier? Appreciate it, Erica. I'm tempted to say go watch the video on YouTube, but I also initially felt that SentinelOne was an A tier, but then chat told me it was a B tier. I think we voted on it. So, chat's never wrong. I've had too many issues with CrowdStrike implementation on Windows. When Windows gets updated, it's a hassle to deal with to support on both ends. That's good input for anybody considering CrowdStrike. Not going to take it to the consideration just because, you know, we're sort of coming on from an offsec perspective, right? 10 toes deeper. Yeah, so all of these modern EDR solutions, especially from like B tier and up, is going to rely on ETW for telemetry and it's going to be one of those sources that you want to patch out but
there's a whole lot of other telemetry being gathered, right, sensors out there. So I don't think SentinelOne is 100%, like they probably have kernel callbacks and they probably have some other userland hooks in the custom delay a little bit in the process besides ETW

Not sure if SentinelOne has their own AMSI provider or if they just use the Windows one or both. Kernel land that I know of in this list is Cortex and Whittaker. I think, correct me if I'm wrong, chat, but I think like B tier and up all have kernel land implementations. I think that's very common for modern EDR solutions to now have. Yeah, no, they have 100%. There's some driver involved. They usually have their own AMSI provider and custom driver except K and Defender. Well, if SentinelOne doesn't have anything in kernel space or in driver land, then it definitely deserves that B

This is so freaking fun guys, seeing all of you guys discuss this and having come back. Sar has tipped, thank you, five bucks and said thank you for entertaining my boyfriend. I appreciate that. Whoever is, who's the boyfriend in chat? Who's the boyfriend? Come forth

Dom, do you have any input on the A++ tire you're getting called out here? Tear! Tire! Fuck! Tear! Wow

Oh yeah, 100%, EDRs have definitely come a long way and I can only imagine what will happen the next years now that the AI boom is like promptly taking over

There's a lot of stuff that you would get away with with Microsoft Defender for Endpoint that you can't get away with anymore. An attacker might think it's smart to mimic other applications or steal metadata, replace the icon, whatever, pretend to be other legitimate applications. Microsoft Defender for Endpoint will catch that and will adjust its risk score level or whatever internal mechanic it uses to nuke stuff and just nuke you. Stuff that you would think would help, like from a social engineering perspective, or blend in from like a human operator watching over stuff, won't roll past the AI implementation of stuff. Changing original name in
Coolest Hacker, changing in fail. I'm pretty happy with this list right now. The only debate would be MDE full stack in A++. I think the other stuff is fair

I'm also a little biased in having CrowdStrike in the A++1 because I have so much... Like the red team in the last three years have been almost exclusively against CrowdStrike and therefore we have developed TTPs that can dance around CrowdStrike. Not dance, that was bad wording, but like can get around CrowdStrike the way we want. It goes without saying that you can't do obvious dumb stuff against any of the B plus T EDRs, like dumping LSASS or making, you know...

Obviously there might be some weird technique to dump LSASS against some of these. What I'm saying is that you can't get to... What's the word I'm looking for? You have to operate at a specific level to stay on them, even though we deploy on them. Cube says, all solutions uses telemetry from the kernel and userland. The A and A++ tire just relies less on userland as it can be bypassed completely from userland while in kernel, the best you can do is blend in most of the time and coming from userland. Thank you. That's the wording I'm looking for. Complacent. Okay guys, fucking sick. I think that's it. The fun thing about this, obviously I'm going to screenshot this. I'm going to put it on to Twitter. But the fun thing is that this is a public template that now you can fuck with if you want to. So if you guys want to go in here and create your own, you can.

Okay, you can, you can create your own and do whatever, have fun with it. Um, let's move over to intermission, and I appreciate all of you showing up. We had a blast with, he, he actually got some donations, I honestly never expect that. Um, so the current lead I think is Lord Gucci fire

at 55, 55 verinos. If we do final count then there's still time, but I'm counting up 10, 10, 20, yeah, little Gucci fire has 55, 5 over Laughing Mantis and 5 over Cube. So you know, couple more minutes, but congratulations, looks like you're in the run for that
t-shirt

Oh wow, the fun starts when you land on an endpoint with three to four EDR solutions installed. In my experience that just means that it's absolutely trash and you could do whatever because those EDR solutions are going to fight it out between them

So I won't be streaming next Sunday, I'll be streaming the next Sunday after that. Next Sunday I'm going out on vacation, uh, like Easter holiday, whatever, going to Denmark. I'm gonna, I'm gonna watch, uh, the Counter-Strike 2 major in Copenhagen, which is sick, looking forward to that. And then, uh, yeah, next stream, I don't know what I'll do next stream, um

But we'll figure it out. Hopefully, I can go back to doing some more technical stuff like actually developing or maybe playing around with TTPs, whatever, not just ranting essentially for two hours and 15 minutes. I do appreciate everybody who tuned in. It seems like we extended the viewer base and people in chat by also streaming to Twitter at the same time, which is great. Dom, I'm 100% going to follow up on getting some Nighthawk swag just so I can give it away.

Which would be sick. And yeah, the, the VOD, if you, if you caught this late, the VOD is going to be in YouTube. It's being uploaded or it's streaming to YouTube at the same time so it's being stored there. Uh, if you're considering, just some fun stuff, if you're, if you're considering buying any of the amazing Zero Point Security, uh, courses, uh, then consider using my affiliate code. There's actually a command for this in chat

Is it Rasta? Zero point? Rasta? Oh, wait. I think it's zero point. If I can just type. Wait, there's a...
Okay, first guy who can brute force the freaking command for it. I'll find it now. Commands. It's...

offsec, lol, why is it offsec? Should be zero point. I'll make one. There we go. If you want to use my affiliate code, when I get a kickback from that if you use that code when you purchase any of the courses. And obviously thank you so much to the people who have donated, auctioning that t-shirt. Obviously the t-shirt is not worth any of that amount at all. Uh, I will ship it to you for free of course, and then the money goes to trying to get my ass to Vegas this year. So I think the winner is

Lord Gucci fire. Congratulations. I'll hit you up. Are you, I think you're in my Discord, right? I think, I think, I think I'm confident you are.

If not, hit me up on Twitter or on Discord and give me your details, I'll ship it to you. Thank you so much for giving me your hard-earned dollars and I hope you like the t-shirt, and hopefully by next Sunday I'll have some Nighthawk swag to give out, that would be cool. And yeah, I appreciate it so much guys. Again, big fat disclaimer, this is for fun, like

it's fun to come together as a, if you want to call the community, it's fun to come together and, and discuss this and have like share experiences with it, uh, that you don't normally get to do. And it's, it's more fun to air these kind of things when we're all together in chat than starting, you know, starting from scratch and in the cold on Twitter and hoping not to get burned on Twitter from saying something, right

Obviously subscribe and follow and like everything, YouTube channel. Final, final, like, plead, if somebody's still out there, if somebody goes to bed, when you, when you go to bed tonight, consider just going into my playlist and playing the YouTube video and then just leaving it playing all night. I need like 600 more play hours to try to like enable monetization or whatever or on the YouTube video, so I would appreciate trying to reach out our account, but if not, no worries at all. Just, just a sellout at this point, right

I
appreciate it so very much. Have a great rest of your Sunday, whatever's left. If you're from the States, you probably have a big fat Sunday left. If you're in the Europe, then just a few more hours. And then Monday is all around. And yeah, enjoy Monday when it comes. It was super fun, guys. I really appreciate it. When going to bed, check for flangvik under it. Oh, I'm so... Yeah, no, I'll stay in my own bed. That was fun. Okay. That's it guys. Appreciate it. See you all next, next Sunday. Have a good one.

References:

https://twitter.com/Flangvik/status/1771983068837929301

https://www.youtube.com/live/2H-Wlxq1kpo


Article source: https://mp.weixin.qq.com/s?__biz=MzU0MzgyMzM2Nw==&mid=2247485477&idx=1&sn=ed350590ffc1bc3afd9486020cba989f&chksm=fb04cb4dcc73425b256b4f0977be35173c0ca2ca9826108ac30d646695eb9178c40dcf69c506&scene=58&subscene=0#rd