Closed ceramicskate0 closed 5 years ago
status of research validation is currently unverified. Requires verification of all before addition can be made
(MISSING or in Log) logman = to search.txt file on example folder (Missing or in Log) wpr.exe= to search.txt file on example folder (MISSING or in Log) REG:HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\= added to reg check SEC_CHECK method. (PS LOG) Remove-EtwTraceProvider= to search.txt file on example folder (MISSING or in Log) WMI:ROOT/Microsoft/Windows/EventTracingManagement:MSFT_EtwTraceProvider= to search.txt file on example folder
hard coded will be in 0.5.* release
Based on research from mattifestation additional sec-checks need to be added to ensure data integrity. Article at://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
IOC:
TTP:
Log detection's already added to searchs example file.