2025-08-06, Florentine F
This talk unveils previously undisclosed vulnerabilities in Microsoft Defender and Zscaler, currently under review by Microsoft and US-CERT. It explores how adversaries can bypass EDR protections without malware or exploits—leveraging native OS tools, misconfigurations, and weak self-protection mechanisms. Through real-world examples and live demos, the session will challenge assumptions about EDR resilience and reveal how simple, repeatable techniques can disable or remove endpoint security controls.
At BSidesLV, we will unveil previously undisclosed vulnerabilities affecting Microsoft Defender and Zscaler—flaws currently being triaged by Microsoft and coordinated with US-CERT. These vulnerabilities expose critical weaknesses in how endpoint and network security solutions enforce protection and prevent tampering.
But beyond new vulnerabilities, this talk will demonstrate how EDR solutions can be bypassed using built-in OS functionality, overlooked misconfigurations, and flawed integrity protections—no exploits, no malware, just simple, repeatable techniques that adversaries are already using.
Organizations often assume that EDR is resilient—that once deployed, it provides a reliable defense against attackers. But what happens when an adversary removes, disables, or renders it ineffective using nothing more than tools already available on the system?
We will walk through real-world examples of how:
• Scripts found in the wild silently bypass endpoint security uninstallation logic.
• EDR solutions fail to enforce self-protection, allowing simple tampering techniques.
• Native Windows tools like wmic, sc, and PowerShell can be abused to disable or remove security software.
• Newly discovered vulnerabilities in Defender and Zscaler can be exploited to weaken security controls.
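The two checks a defender would want before this talk lands are (a) whether the native-tool patterns it names (sc, wmic, PowerShell pointed at security services) show up in process-creation telemetry, and (b) whether Defender's own self-protection is actually on. The script below is an added example written for this page, not code from the speakers or from the talk. Its assumptions: the service names WinDefend, WdNisSvc and Sense belong to Defender; the regexes are a starting point to be tuned locally; the sample command lines are constructed, not captured from any incident; and in Security event 4688 the command line sits at property index 8 (only present when command-line auditing is enabled).

```powershell
# Added example (not from the talk): hunt for native-tool tampering with endpoint
# security, and report Defender's self-protection posture.
# Assumptions: WinDefend/WdNisSvc/Sense are Defender services; sample command
# lines are constructed; 4688 Properties[8] is the process command line.

# Command-line patterns for the tools named in the talk being aimed at security
# software. Regexes are assumptions to tune to your environment.
$TamperPatterns = @(
    'sc(\.exe)?\s+(stop|delete|config)\s+(WinDefend|WdNisSvc|Sense|WdFilter|WdBoot)',
    'net(\.exe)?\s+stop\s+(WinDefend|WdNisSvc|Sense)',
    'wmic(\.exe)?\s+product\s+where\s+.*(defender|zscaler).*\s+call\s+uninstall',
    'Set-MpPreference\s+.*-Disable(RealtimeMonitoring|IOAVProtection|BehaviorMonitoring)',
    'Add-MpPreference\s+.*-ExclusionPath',
    'reg(\.exe)?\s+add\s+.*\\Windows Defender.*DisableAntiSpyware'
)

# Returns one object per command line that matches a tamper pattern.
function Find-TamperCommand {
    param([Parameter(Mandatory)][string[]]$CommandLines)
    foreach ($cmd in $CommandLines) {
        foreach ($p in $TamperPatterns) {
            if ($cmd -imatch $p) {
                [pscustomobject]@{ CommandLine = $cmd; Pattern = $p }
                break   # one hit per command line is enough
            }
        }
    }
}

# Constructed sample of process-creation command lines (what Security 4688 or
# Sysmon event 1 would carry): benign admin activity mixed with tampering.
$Sample = @(
    'sc.exe query WinDefend',
    'sc.exe config WinDefend start= disabled',
    'sc.exe stop WinDefend',
    'wmic product where "name like ''Zscaler%''" call uninstall /nointeractive',
    'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
    'powershell.exe -c "Add-MpPreference -ExclusionPath C:\Temp"',
    'net stop spooler',
    'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'
)
# Expected: every line except 'sc.exe query WinDefend' and 'net stop spooler' is flagged.
Find-TamperCommand -CommandLines $Sample | Format-Table -AutoSize

# Live hunt over the local Security log. Needs process-creation auditing with
# command-line logging, and admin rights. Left commented so the sample runs anywhere.
# $live = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 5000 |
#     ForEach-Object { $_.Properties[8].Value }   # index 8 = command line (assumption)
# Find-TamperCommand -CommandLines $live

# Self-protection posture. If IsTamperProtected is $false, the sc/wmic/PowerShell
# commands above succeed from an elevated shell with no exploit at all.
function Get-DefenderPosture {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AMServiceEnabled          = $s.AMServiceEnabled
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        IsTamperProtected         = $s.IsTamperProtected
        Services                  = (Get-Service WinDefend, WdNisSvc, Sense -ErrorAction SilentlyContinue |
                                     ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
    }
}
# Only runs where the Defender module is present (Windows with Defender installed).
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) { Get-DefenderPosture }
```

The pattern list is deliberately narrow and names only the products the talk mentions; in a real hunt you would widen it to whatever agents you run and pair it with the posture check, because a host where IsTamperProtected is false is exactly the one on which these one-liners are not a bypass so much as an administrative action.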
This talk will include exclusive first-time disclosures of new security weaknesses alongside live demonstrations of real-world security bypasses that work today.
Caleb is a seasoned cybersecurity professional with over 9 years of experience in threat emulation. He specializes in red teaming, purple teaming, penetration testing, and physical security assessments. Previously a consultant at Optiv, where he obtained the OSCP, he is currently an Offensive Security Engineer at PayPal, where he plans and executes red team engagements and improves security effectiveness through purple team engagements across both cloud and internal networks. Caleb identifies vulnerabilities and mitigates risk through active participation in bug bounty programs on platforms like HackerOne and PayPal, contributing both as a researcher and in support roles. He has also refined his skills through endpoint detection and response testing. Caleb has presented the following talks:
• Black Hat USA 2024 - Into the Inbox: Novel Email Spoofing Attack Patterns
• Optiv Team Summit 2018 - OSINT from the Ground Up
• Optiv Team Summit 2019 - Bypassing Windows Defender
• Optiv Team Summit 2020 - Data Security for Consulting
• PayPal ECS Conference 2021 - Anatomy of a Red Team Engagement
Blake is a seasoned cybersecurity professional with over 6 years of experience in threat emulation. He specializes in red teaming, purple teaming, penetration testing, and cloud security. Previously a red teamer with the Department of Education, where he obtained several SANS certifications, he is currently an Offensive Security Engineer at PayPal, where he plans and executes engagements and improves security effectiveness through purple team engagements across both cloud and internal networks. Blake identifies common vulnerability patterns through continual participation in CTFs, has a passion for continuing education, and has refined his skills through constant security research.