Closed vector-sec closed 5 years ago
Thanks for your interest in palantir/windows-event-forwarding, @vector-sec! Before we can accept your pull request, you need to sign our contributor license agreement - just visit https://cla.palantir.com/ and follow the instructions. Once you sign, I'll automatically update this pull request.
Hey @vector-sec, thanks for the contribution! I've got a bit on my plate at the moment, but should be finished with a review of this in a week or so.
Closing due to inactivity.
I added enumeration of BITS jobs, Desktop shortcuts, and Browser extensions to the script, using event IDs 2, 3, and 4 respectively for each new class of data.
These modifications were made because Sysinternals Autoruns does not presently support enumeration of these persistence mechanisms.
ATT&CK References:
https://attack.mitre.org/wiki/Technique/T1197
https://attack.mitre.org/wiki/Technique/T1176
https://attack.mitre.org/wiki/Technique/T1023
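The three enumerations the PR describes, written out as an added example (not the PR's code or the project's own script): each finding is emitted to the Windows event log with event ID 2 (BITS jobs), 3 (Desktop shortcuts) or 4 (browser extensions). The log name `Autoruns`, the source `AutorunsToWinEventLog`, and the Chrome profile path pattern are assumptions; adjust them to the local deployment.

```powershell
# Added example, not the PR's or the project's code. Log and source names are assumed
# to match the existing AutorunsToWinEventLog setup; change them if yours differ.
$LogName = 'Autoruns'
$Source  = 'AutorunsToWinEventLog'

function Write-PersistenceEvent {
    param([int]$EventId, [string]$Class, [hashtable]$Fields)
    $body = ($Fields.GetEnumerator() | ForEach-Object { "$($_.Key): $($_.Value)" }) -join "`n"
    Write-EventLog -LogName $LogName -Source $Source -EntryType Information `
        -EventId $EventId -Message "Class: $Class`n$body"
}

# Event ID 2: BITS jobs (T1197). -AllUsers needs elevation; fall back to the caller's own jobs.
function Get-BitsPersistence {
    try { $jobs = Get-BitsTransfer -AllUsers -ErrorAction Stop } catch { $jobs = Get-BitsTransfer }
    foreach ($j in $jobs) {
        Write-PersistenceEvent -EventId 2 -Class 'BITS Job' -Fields @{
            JobName = $j.DisplayName; Owner = $j.OwnerAccount; State = $j.JobState
            Files = (($j.FileList | ForEach-Object { "$($_.RemoteName) -> $($_.LocalName)" }) -join '; ')
            NotifyCmdLine = ($j.NotifyCmdLine -join ' ')   # command run when the job completes
        }
    }
}

# Event ID 3: Desktop shortcuts (T1023). Target and arguments are read via the WScript.Shell COM object.
function Get-ShortcutPersistence {
    $shell = New-Object -ComObject WScript.Shell
    $desktops = @("$env:PUBLIC\Desktop") + (Get-ChildItem 'C:\Users' -Directory | ForEach-Object { "$($_.FullName)\Desktop" })
    foreach ($lnk in Get-ChildItem -Path $desktops -Filter *.lnk -File -ErrorAction SilentlyContinue) {
        $sc = $shell.CreateShortcut($lnk.FullName)
        Write-PersistenceEvent -EventId 3 -Class 'Desktop Shortcut' -Fields @{
            Path = $lnk.FullName; Target = $sc.TargetPath; Arguments = $sc.Arguments
            LastWriteUtc = $lnk.LastWriteTimeUtc.ToString('o')
        }
    }
}

# Event ID 4: Browser extensions (T1176). Chromium-based profiles keep one manifest.json per
# installed extension version under <profile>\Extensions\<id>\<version>\; Firefox is omitted here.
function Get-BrowserExtensionPersistence {
    $pattern = 'C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\*\*\manifest.json'  # assumed layout
    foreach ($m in Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue) {
        $j = Get-Content $m.FullName -Raw | ConvertFrom-Json
        Write-PersistenceEvent -EventId 4 -Class 'Browser Extension' -Fields @{
            ExtensionId = $m.Directory.Parent.Name; Name = $j.name; Version = $j.version
            Permissions = (@($j.permissions) -join ','); Manifest = $m.FullName
        }
    }
}

if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) { New-EventLog -LogName $LogName -Source $Source }
Get-BitsPersistence; Get-ShortcutPersistence; Get-BrowserExtensionPersistence
```

Run it elevated so `-AllUsers` and `New-EventLog` succeed; the resulting events can then be forwarded with the same WEF subscription that already collects event ID 1 from this log.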