Right now, we won't detect rover.dll being added to system32, but adding directory change notifications for system32 seems like a bit of a slippery slope into running a lot more hunts than we need. I propose that fixing this be backlogged until we get proper event tracing set up.