SEC_Check additions

[ceramicskate0]

Based on research from mattifestation additional sec-checks need to be added to ensure data integrity. Article at ://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63

IOC:

• (MISSING or in Log) logman
• (Missing or in Log) wpr.exe
• (MISSING or in Log) REG:HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\
• (PS LOG) Remove-EtwTraceProvider
• (MISSING or in Log) WMI:ROOT/Microsoft/Windows/EventTracingManagement:MSFT_EtwTraceProvider

TTP:

• ETW provider removal from a trace session
• Autologger provider removal
• Provider “Enable” property modification

Log detection's already added to searchs example file.

[ceramicskate0]

status of research validation is currently unverified. Requires verification of all before addition can be made

[ceramicskate0]

(MISSING or in Log) logman = to search.txt file on example folder (Missing or in Log) wpr.exe= to search.txt file on example folder (MISSING or in Log) REG:HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\= added to reg check SEC_CHECK method. (PS LOG) Remove-EtwTraceProvider= to search.txt file on example folder (MISSING or in Log) WMI:ROOT/Microsoft/Windows/EventTracingManagement:MSFT_EtwTraceProvider= to search.txt file on example folder

[ceramicskate0]

hard coded will be in 0.5.* release