Closed j91321 closed 7 months ago
Hello @j91321 , thank you for the PR. A couple of notes regarding the file modification: this is related to detection rules and is not provided as part of the raw telemetry; therefore, it is not applicable to this project.
For the Service Creation, we are looking for telemetry that generates the relevant events. Is there an event that can provide us with the appropriate telemetry regarding Service Creation?
Hey @tsale, sorry for not making it clear. Yes, those docs are related to detections; however, the "operations" section shows you the types of Raw Event, and those are telemetry. I mean, the documentation sucks, so it's easy to get confused. Hopefully this screenshot will make it clear when executing the following:
whoami.exe > test.txt
whoami.exe >> test.txt
The first one creates the file; the event is FileTruncated (on open), while the second one appends (a modification), which is the FileWrite event.
As for services, here is the result of AtomicRedTeam T1543.003 Test 2:
Thanks for the detailed information, @j91321! Indeed, their documentation is not the best. I can see the file write events and I can change that as suggested.
For the services, though, as they don't have dedicated telemetry for services, I will leave that out for now. I understand that you're saying this could be viewed through the registry set, but this is not telemetry dedicated to service creation. We are looking for dedicated telemetry with the added context.
Thanks! Sure, no problem. I was just wondering, regarding that service creation, what is provided by Carbon Black to have "Partial" in this specific telemetry category? I was making the change based on this comment in the Google sheet:
But I didn't find any further details in PRs or the linked Carbon Black documentation. Asking just for consistency's sake. I agree that service creation through registry is probably not good enough to be considered telemetry.
@j91321 - I'm looking into it. Thanks
There is a specific searchable field in CB.
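The thread turns on two distinctions: FileTruncated (open-with-truncate, `>`) versus FileWrite (append, `>>`), and dedicated service-creation telemetry versus service creation that is only visible as registry writes under the Services key. The script below is an added example, not code from this PR or from the project; it classifies constructed raw events into telemetry categories and rates each category "Yes" when a dedicated event was seen, "Partial" when the category was only inferred from another event type, and "No" otherwise. The raw event names FileTruncated and FileWrite come from the thread; the names RegistrySet and ServiceCreated, the category names, and all sample events are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Registry key under which Windows service definitions are stored
# (sc.exe create and New-Service both write here).
SERVICES_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"

# Telemetry categories tracked in this example (category names are assumed,
# modelled loosely on the comparison sheet discussed in the thread).
CATEGORIES = ["File Created", "File Modified", "Registry Key/Value Modified",
              "Service Creation", "Process Creation"]


@dataclass
class RawEvent:
    kind: str                 # raw event name as the EDR reports it
    path: str                 # file path or registry value path
    process: str = ""         # process that generated the event
    details: Dict[str, str] = field(default_factory=dict)


@dataclass
class TelemetryHit:
    category: str             # telemetry category the raw event satisfies
    dedicated: bool           # True if the raw event is purpose-built for that category
    source: RawEvent


def classify(ev: RawEvent) -> Optional[TelemetryHit]:
    """Map one raw event to a telemetry category, or None if it maps to nothing."""
    if ev.kind == "FileTruncated":
        # Open-with-truncate, e.g. `whoami.exe > test.txt`: the file is (re)created.
        return TelemetryHit("File Created", True, ev)
    if ev.kind == "FileWrite":
        # Append/modify, e.g. `whoami.exe >> test.txt`.
        return TelemetryHit("File Modified", True, ev)
    if ev.kind == "RegistrySet":          # assumed name for a registry value write
        if ev.path.upper().startswith(SERVICES_KEY.upper()):
            # A new service shows up only as registry writes under the Services key:
            # useful evidence, but inferred rather than dedicated service telemetry.
            return TelemetryHit("Service Creation", False, ev)
        return TelemetryHit("Registry Key/Value Modified", True, ev)
    if ev.kind == "ServiceCreated":       # assumed name for dedicated service telemetry
        return TelemetryHit("Service Creation", True, ev)
    return None


def coverage(events: List[RawEvent]) -> Dict[str, str]:
    """Rate each category: Yes = dedicated telemetry seen, Partial = only inferred, No = nothing."""
    rating = {c: "No" for c in CATEGORIES}
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        if hit.dedicated:
            rating[hit.category] = "Yes"
        elif rating[hit.category] == "No":
            rating[hit.category] = "Partial"
    return rating


# Constructed sample events mirroring the two redirection commands and a
# service installation like the Atomic test discussed in the thread.
SAMPLE_EVENTS = [
    RawEvent("FileTruncated", "C:\\Temp\\test.txt", "cmd.exe"),
    RawEvent("FileWrite", "C:\\Temp\\test.txt", "cmd.exe"),
    RawEvent("RegistrySet", SERVICES_KEY + "AtomicTestService\\ImagePath", "services.exe",
             {"data": "C:\\Windows\\System32\\cmd.exe /c whoami"}),
    RawEvent("RegistrySet", SERVICES_KEY + "AtomicTestService\\Start", "services.exe",
             {"data": "3"}),
    RawEvent("RegistrySet", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x",
             "reg.exe", {"data": "calc.exe"}),
]

if __name__ == "__main__":
    for category, verdict in coverage(SAMPLE_EVENTS).items():
        print(f"{category:28} {verdict}")
```

With the sample events the service category rates "Partial", because every service-related event is a registry write rather than a dedicated service event; adding a single ServiceCreated event flips it to "Yes". That is the rule the maintainers apply in the thread: registry evidence alone does not count as service-creation telemetry.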
ESET Inspect inaccuracies
Description
Please provide the below information so we can validate before merging:
1: (response) YES
2: (response) YES
3: (response) YES