Public repo for anything CVE-2022-21894
Mount the EFI System Partition (mountvol needs a drive letter with /S) and hash the Microsoft boot loader files on it:
$ mountvol E: /s
$ dir E:\EFI\Microsoft\Boot\*.efi
$ Get-ChildItem "E:\EFI\Microsoft\Boot\*.*" -Recurse -File | Get-FileHash -Algorithm MD5
Check for the historical presence of deleted files in a custom directory such as ESP:\system32.
The directory is not deleted after BlackLotus installation.
Check whether Hypervisor-Enforced Code Integrity (HVCI) has been turned off in the registry (Enabled = 0):
$ reg query HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
Query the System log for event IDs 3006 and 7023 (Get-WinEvent filters on the event ID itself; Get-EventLog's -InstanceId does not always equal the event ID, so it can silently return nothing):
$ Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 3006 }
$ Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7023 }
List connections on port 80 and compare the owning PID column against the PID of winlogon.exe:
$ netstat -ano | findstr ":80"
$ tasklist /V | findstr "winlogon.exe"
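The checks above collected into one PowerShell pass, added here as an example and not part of this repo. It assumes an elevated prompt, that E: is free for the ESP, and uses SHA256 instead of the MD5 shown above; the event IDs, registry key and staging directory name are the ones listed on this page.

```powershell
# Added example, not from the original repo. Assumes an elevated prompt and
# that E: is available for mounting the EFI System Partition.
$esp      = 'E:'
$bootDir  = Join-Path $esp 'EFI\Microsoft\Boot'
$findings = @()

# 1. Mount the ESP (mountvol /S requires a drive letter) and hash the boot loaders.
#    SHA256 is used here rather than the MD5 command shown above.
if (-not (Test-Path $bootDir)) { mountvol $esp /S | Out-Null }
$bootFiles = Get-ChildItem (Join-Path $bootDir '*.efi') -File -Recurse
$bootFiles | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path | Format-Table -AutoSize
# Newest-written loaders float to the top for review against a known-good baseline.
$bootFiles | Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, FullName | Format-Table -AutoSize

# 2. Staging directory left behind on the ESP (ESP:\system32).
$staging = Join-Path $esp 'system32'
if (Test-Path $staging) { $findings += "Staging directory present: $staging" }

# 3. HVCI registry state (Enabled = 0 means it has been switched off).
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$hvci = Get-ItemProperty -Path $hvciKey -ErrorAction SilentlyContinue
if ($hvci -and $hvci.Enabled -eq 0) { $findings += 'HVCI disabled in registry (Enabled = 0)' }

# 4. System log events 3006 and 7023 (Get-WinEvent filters on the event ID).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 3006, 7023 } `
    -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $findings += "Event $($e.Id) at $($e.TimeCreated): $($e.ProviderName)"
}

# 5. TCP connections on port 80 owned by a winlogon.exe process.
$winlogonPids = @((Get-Process -Name winlogon -ErrorAction SilentlyContinue).Id)
$conns = Get-NetTCPConnection -RemotePort 80 -ErrorAction SilentlyContinue |
    Where-Object { $winlogonPids -contains $_.OwningProcess }
foreach ($c in $conns) {
    $findings += "winlogon.exe (PID $($c.OwningProcess)) -> $($c.RemoteAddress):80 [$($c.State)]"
}

if ($findings.Count -eq 0) { 'No findings from the listed checks.' } else { $findings }
```

The hash table has no baseline to compare against on this page; keep a set of known-good loader hashes from a clean install of the same build for that comparison.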