Evading WinDefender ATP credential-theft: a hit after a hit-and-miss start.
tl;dr: the PssCaptureSnapshot syscall clones the process, so you don't need to do ReadProcessMemory against the original process, and you avoid LSASS read detection.
matteomalvica.com/blog/2019/12
