🙃sɐʇ Profile picture
threat hunting, DFIR and detection engineering. opinions are mine. food, music and astrophotography when he is afk. #ThreatHunting #DFIR #BlueTeam
23 Nov
Spent some time today at work playing with @msftsecurity Windows InstallerFileTakeOver LPE (CVE-2021-41379 bypass - github.com/klinix5/Instal…) and managed to create some detections on it.

Detection will be based on Sysmon/SIEM, here we go... 1/n #threathunting #detection #dfir
The exploit requires the user to overwrite elevation_service.exe with a compromised one (in this case with InstallerFileTakeOver.exe).
We can monitor this using #Sysmon event ID 11 - File Creation events:
event_id:11 AND event_data.TargetFilename:*\\elevation_service.exe
Read 14 tweets