

Choking Defender With Native Windows QoS Policies (EDRChoker)
QoS policies are a legitimate bandwidth management feature. Point New-NetQosPolicy at a security tool and cap it to near zero, and the process keeps running, no tamper alert fires, but it can no longer reach the cloud. This is what EDRChoker does as a compiled tool, and Defender catches that binary now, yay! Now let me explain in my blog why that means absolutely nothing.

Damien van der Linden
Jun 9, 8 min read


Dissecting a Live ClickFix Attack: EtherHiding, WebDAV Abuse, and How ASR Saves the Day
Yet another ClickFix incident; today, however, we really dive into the juicy bits. A configuration living on the blockchain? Let's dive into this rabbit hole together!

Damien van der Linden
Mar 17, 18 min read


Detecting ManualFinder/PDF Editor Malware Campaign with KQL
A free PDF Editor turning itself into an infostealer overnight. Let's hunt it down with KQL!

Damien van der Linden
Aug 25, 2025, 7 min read


FileFix: The New Evolution of ClickFix in Cyber Threats
ClickFix was bad enough; it became the second most common attack vector right after phishing. ClickFix tricked users with a deceptive webpage (often disguised as a CAPTCHA) that prompted them to copy and paste a string, open the Run dialog with WIN+R, and boom! Hidden in front of what looked like a harmless path was a whole PowerShell payload. This led to a surge in infostealers, cryptominers, and RATs. It was only a matter of time before similar techniques popped up. Inspire

Damien van der Linden
Jul 11, 2025, 3 min read


From Car Rental to Infostealer: A SOCGholish Attack Analysis
Sometimes the most interesting security discoveries start with the most mundane activities.

Damien van der Linden
Jan 29, 2025, 5 min read