
Conversation

Contributor

@nasbench nasbench commented Dec 8, 2024

This PR fixes/enhances some old analytics and adds a couple of new ones.

New Analytics

Windows CertUtil Download With URL Argument


Windows Impair Defenses Disable Auto Logger Session


Windows Registry Dotnet ETW Disabled Via ENV Variable


Updated Analytics

Disabling Remote User Account Control

Removes the `HKLM\SOFTWARE` prefix to make it more generic for other variations such as `HKEY_LOCAL_MACHINE`.

Enable RDP In Other Port Number

Removes the `HKLM\SOFTWARE` prefix to make it more generic for other variations such as `HKEY_LOCAL_MACHINE`.

LOLBAS With Network Traffic

Adds pwsh.exe since powershell.exe and powershell_ise.exe are already in there, as well as fixes some typos.

Registry Keys Used For Persistence

Removes the HKLM prefix from `HKLM\SOFTWARE\Microsoft\Netsh\*`.

Windows Registry BootExecute Modification

Removes the HKLM prefix from `HKLM\System\CurrentControlSet\Control\Session`.

Windows SQL Spawning CertUtil

See #3224 (comment) for details.
TL;DR is that it enhances coverage by adding other arguments and focusing only on the required ones.

The rest is a generic typo fix for the word "official".
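The recurring change in the updated analytics above is dropping the hive prefix so that a rule written against `HKLM\...` also fires for the `HKEY_LOCAL_MACHINE\...` spelling; the new CertUtil analytic keys on a URL appearing in the command line. The following is an added, stand-alone illustration of both ideas in Python, not the repository's own detection searches (those are Splunk SPL): the hive list, the `ExampleVendor` key, the sample events and the rule names are constructed for the example, and only the `SOFTWARE\Microsoft\Netsh\*` pattern is taken from the PR text.

```python
import fnmatch
import re

# Hive names we drop before matching, so that "HKLM\..." and
# "HKEY_LOCAL_MACHINE\..." (the variation the PR calls out) hit the same rule.
# Constructed list for this example; extend it to whatever your telemetry emits.
KNOWN_HIVES = {
    "HKLM", "HKEY_LOCAL_MACHINE",
    "HKCU", "HKEY_CURRENT_USER",
    "HKU", "HKEY_USERS",
    "HKCR", "HKEY_CLASSES_ROOT",
    "HKCC", "HKEY_CURRENT_CONFIG",
}

# Watched key patterns with the hive already removed. The Netsh path is the one
# named in the PR's "Registry Keys Used For Persistence" entry.
PERSISTENCE_KEY_PATTERNS = [
    r"\software\microsoft\netsh\*",
]

# Any http(s) URL anywhere in the command line (the "URL argument" of the new rule).
URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)


def strip_hive(path: str) -> str:
    """Return the key path lower-cased and without a leading hive name.

    The result always starts with a backslash so the same pattern matches
    whether the source logged "HKLM\\X", "HKEY_LOCAL_MACHINE\\X" or just "X".
    """
    p = path.strip().replace("/", "\\").lstrip("\\")
    head, _, rest = p.partition("\\")
    if head.upper() in KNOWN_HIVES:
        p = rest
    return "\\" + p.lower()


def matches_persistence_key(path: str) -> bool:
    """True if the hive-stripped path matches one of the watched key patterns."""
    key = strip_hive(path)
    return any(fnmatch.fnmatchcase(key, pat) for pat in PERSISTENCE_KEY_PATTERNS)


def certutil_with_url(image: str, command_line: str) -> bool:
    """True for a certutil.exe process whose command line carries a URL argument."""
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return exe == "certutil.exe" and URL_RE.search(command_line) is not None


# Constructed sample events (not real telemetry): two spellings of the same
# Netsh key, an unrelated key, and two certutil invocations.
SAMPLE_EVENTS = [
    {"type": "registry", "path": r"HKLM\SOFTWARE\Microsoft\Netsh\helper"},
    {"type": "registry", "path": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Netsh\helper"},
    {"type": "registry", "path": r"HKLM\SOFTWARE\ExampleVendor\Settings"},
    {"type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe http://example.invalid/file.txt file.txt"},
    {"type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -verify cert.cer"},
]


def triage(events):
    """Return, per event and in input order, the list of rule names it triggers."""
    hits = []
    for ev in events:
        if ev["type"] == "registry":
            hits.append(["persistence_key"] if matches_persistence_key(ev["path"]) else [])
        else:
            hits.append(["certutil_url"] if certutil_with_url(ev["image"], ev["cmdline"]) else [])
    return hits


if __name__ == "__main__":
    for ev, names in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(names, ev)
```

The point of `strip_hive` is the same as the PR's prefix removal: matching on the key tail rather than on one hive spelling costs nothing in precision for these keys and closes the gap where a source logs the long hive name.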

@nasbench nasbench marked this pull request as ready for review December 9, 2024 22:27
@patel-bhavin
Contributor

Looking good @nasbench!! Approved :catjam:

@patel-bhavin patel-bhavin merged commit ab2ea08 into develop Dec 16, 2024
6 checks passed
@patel-bhavin patel-bhavin deleted the enhancements-batch2 branch December 16, 2024 20:13
