mitre-attack / car

Cyber Analytics Repository
Apache License 2.0

CAR-2021-12-002-T1547.001 #141

Closed Ptylu closed 2 years ago

Ptylu commented 2 years ago

-Finished- Detection of modification of registry key "Common Startup" located in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\" and "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\". When a user logs on, files in the Startup Folder are launched. An attacker may modify these folders with others to evade detection set on these default folders. Detection focuses at the same time on EventID 4688 for the process creation and EventID 4657 for the modification of the Registry Key.
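The analytic described in this submission, written out as an added example that is not part of the CAR repository or this PR: it flags EventID 4657 records that rewrite a Startup folder value under `User Shell Folders` and enriches each hit with the EventID 4688 process-creation record for the same process. It also covers the per-user `Startup` value under HKCU, which the analytic's machine-wide `Common Startup` value generalizes to. The event dicts and field names are constructed for this example (modelled on the Security log's 4657/4688 fields), not real telemetry.

```python
import re

# Values under ...\Explorer\User Shell Folders that point at a Startup folder.
# "Common Startup" lives under HKLM (all users); "Startup" under each user's HKCU hive.
STARTUP_VALUE_NAMES = {"common startup", "startup"}
USER_SHELL_FOLDERS_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders$", re.IGNORECASE)


def detect_startup_folder_redirection(events):
    """Return one alert per EventID 4657 that rewrites a Startup folder value.

    4688 records are indexed by NewProcessId so each 4657 hit can be enriched
    with the command line of the process that made the change.
    """
    creations = {}
    for ev in events:
        if ev.get("EventID") == 4688:
            creations[ev["NewProcessId"].lower()] = ev
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4657:
            continue
        if not USER_SHELL_FOLDERS_RE.search(ev.get("ObjectName", "")):
            continue  # some other key was modified
        if ev.get("ObjectValueName", "").lower() not in STARTUP_VALUE_NAMES:
            continue  # same key, but a value unrelated to Startup (e.g. "Personal")
        proc = creations.get(ev.get("ProcessId", "").lower(), {})
        alerts.append({
            "technique": "T1547.001",
            "value": ev["ObjectValueName"],
            "new_value": ev.get("NewValue"),
            "process": ev.get("ProcessName"),
            "command_line": proc.get("CommandLine"),  # None if no 4688 was captured
        })
    return alerts


# Constructed sample events (not real telemetry). 4657 reports the key in the
# kernel's \REGISTRY\MACHINE / \REGISTRY\USER path form.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessId": "0x1a4c", "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": "reg.exe <arguments omitted in this constructed sample>"},
    {"EventID": 4657, "ProcessId": "0x1a4c", "ProcessName": r"C:\Windows\System32\reg.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
     "ObjectValueName": "Common Startup", "NewValue": r"C:\Users\Public\Staging"},
    {"EventID": 4657, "ProcessId": "0x0fd0", "ProcessName": r"C:\Windows\explorer.exe",
     "ObjectName": r"\REGISTRY\USER\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
     "ObjectValueName": "Personal", "NewValue": r"D:\Documents"},
    {"EventID": 4657, "ProcessId": "0x2b10", "ProcessName": r"C:\Windows\regedit.exe",
     "ObjectName": r"\REGISTRY\USER\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
     "ObjectValueName": "Startup", "NewValue": r"C:\Users\alice\AppData\Local\Temp\s"},
]

if __name__ == "__main__":
    for alert in detect_startup_folder_redirection(SAMPLE_EVENTS):
        print(alert)
```

Note that 4657 only fires when object auditing (a SACL) is configured on the key, so the enrichment by 4688 only works where both audit policies are enabled.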

ikiril01 commented 2 years ago

@Ptylu these are all merged and published now. Thanks again for the submissions!