Maybe Security Researcher | Windows Internals enthusiast | Red-Team Manager at @RavinAcademy
Mar 23, 2023 • 4 tweets • 3 min read
#redteam tip: @Fortinet self protection bypass
Fortinet is using minifilter to prevent copying or deleting files in the app's installed location.
If you Reverse engineer the responsible driver, You will notice that there are some exceptions
and some processes are able to copy/delete files in that location.
But the problem is that "it is only checking the end of the process image name and not the full path".
Since many fortinet exe files has dll hijack vulnerability and runs as a service, using this vulnerability