For those unable to get their hands on EDR software for reversing, TrendMicro kindly publishes their resources at It's possible to download and extract the on-prem appliance and explore to understand how EDRs (if you can even call it that) work.

What's purple team? Wrong answers only.

Join @olafhartong in his journey down the rabbit hole in search of new detection opportunities in the #Zeek telemetry embedded in Microsoft's EDR #MDE! Detection engineering is sometimes hard … 😎 #detectionengineering #kql #blueteam

🚀 Exciting update for Haunt: it can now execute C# assemblies directly from memory! 🛡️ Enhancing covert operations and expanding capabilities. Huge thanks to my incredible Patreons for making this possible!

There are some interesting detections for U2U/UnPAC the hash in certipy/rubues/mimiktaz/impacket based on TGS ticket options (. Did some tinkering and by removing a few flags you can shake detection while still recovering the NT hash from a TGT