tsale / EDR-Telemetry

This project aims to compare and evaluate the telemetry of various EDR products.

Telemetry spoofing protection #49

Closed frack113 closed 7 months ago

frack113 commented 7 months ago

I love this project, but for me it lacks the telemetry protection information. In SigmaHQ you can find many rules: "eventlog clear", "ETW disable/tamper", ...

A long time ago I added phant0m to atomic-red-team to test this.

Could there be one or more checkboxes for telemetry manipulation detection? Thanks
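
As an added illustration of the detection categories named above (event log clearing, ETW disable/tamper), here is a small Python detector run over constructed Windows event records. This is example code written for this thread; it is not part of EDR-Telemetry, SigmaHQ, phant0m or atomic-red-team. The record layout (a dict with `Channel`, `EventID` and Sysmon-style `CommandLine`, `TargetObject`, `Details` fields) and every sample event are assumptions made for the example; the event IDs (Security 1102, System 104, Sysmon 1 and 13), the `wevtutil cl` / `Clear-EventLog` / `logman stop` commands, the `COMPlus_ETWEnabled=0` variable and the `WMI\Autologger` registry path are the real artefacts the Sigma rules key on.

```python
"""Telemetry-tampering detector over constructed Windows event records.

Added example for the EDR-Telemetry issue thread; not project code.
The records below are constructed (assumption: a flat dict per event
with Channel, EventID and Sysmon-style CommandLine/TargetObject/Details).
"""
import re

# wevtutil cl / clear-log and the PowerShell Clear-EventLog cmdlet
CLEAR_CMD = re.compile(
    r"(?:^|\\|\s)wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|clear-eventlog", re.I)
# .NET runtime ETW provider switched off through the environment
ETW_ENV = re.compile(r"complus_etwenabled\s*=\s*0", re.I)
# ETW trace sessions stopped or deleted with logman
LOGMAN_STOP = re.compile(
    r"(?:^|\\|\s)logman(?:\.exe)?\s+(?:stop|delete)\b", re.I)
# Start/Enable value of an ETW autologger session (e.g. EventLog-Security)
AUTOLOGGER_KEY = re.compile(
    r"\\WMI\\Autologger\\[^\\]+\\(?:Start|Enable)$", re.I)

SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Constructed sample events; the last one is benign and must not be flagged.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 1102,
     "SubjectUserName": "Administrator"},                      # audit log cleared
    {"Channel": "System", "EventID": 104,
     "Provider": "Microsoft-Windows-Eventlog"},                # system log cleared
    {"Channel": SYSMON, "EventID": 1,
     "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"Channel": SYSMON, "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Clear-EventLog -LogName Security"},
    {"Channel": SYSMON, "EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c set COMPlus_ETWEnabled=0 && malware.exe"},
    {"Channel": SYSMON, "EventID": 13,
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger"
                     r"\EventLog-Security\Start",
     "Details": "DWORD (0x00000000)"},                         # session disabled
    {"Channel": SYSMON, "EventID": 1,
     "Image": r"C:\Windows\System32\logman.exe",
     "CommandLine": "logman stop EventLog-Security -ets"},
    {"Channel": SYSMON, "EventID": 1,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\bob\notes.txt"},    # benign
]


def classify(ev):
    """Return the list of tampering tags that apply to one event (may be empty)."""
    tags = []
    channel, eid = ev.get("Channel", ""), ev.get("EventID")

    # The log itself reports that it was cleared.
    if (channel == "Security" and eid == 1102) or (channel == "System" and eid == 104):
        tags.append("eventlog_cleared")

    # Process creation: look at the command line for clearing / ETW tampering.
    cmd = ev.get("CommandLine", "")
    if eid == 1 and cmd:
        if CLEAR_CMD.search(cmd):
            tags.append("eventlog_clear_command")
        if ETW_ENV.search(cmd):
            tags.append("etw_disabled_via_env")
        if LOGMAN_STOP.search(cmd):
            tags.append("etw_session_stopped")

    # Registry value set: an autologger session switched off (Start/Enable = 0).
    if (eid == 13 and AUTOLOGGER_KEY.search(ev.get("TargetObject", ""))
            and "0x00000000" in ev.get("Details", "")):
        tags.append("etw_autologger_disabled")
    return tags


def scan(events):
    """Map event index -> tags for every event that looks like telemetry tampering."""
    return {i: t for i, e in enumerate(events) if (t := classify(e))}


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(tags)}")
```

Each tag corresponds to a different telemetry source (the log's own clear event, process command lines, registry writes), which is the point of the request: a product that only ships one of those feeds leaves the other tampering paths invisible.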

inodee commented 7 months ago

Interesting comment! I remember we had that in the initial draft and I'm not sure why it got removed.

I think it should be there and it's one of the MUST haves.

Perhaps because you have considered it an 'alert' component, any other input @tsale?

tsale commented 7 months ago

Thanks @frack113. We used to have this information. However, the decision to remove it was due to the fact that this project is based on telemetry generated on the host, rather than detections triggered by specific actions.

We do not track detection-based events. We are looking for the raw telemetry that each product is able to produce and make it accessible to the end user. We don't take into consideration black-box detections. Hope that makes sense.

frack113 commented 7 months ago

Thank you, it makes sense to set limits.