8cbcaea48a
fix: New TimeProviders Registered With Uncommon DLL Name - Add new legitimate entry to avoid FPs
new: Service Binary in User Controlled Folder
remove: Adwind RAT / JRAT - Registry
remove: Service Binary in Uncommon Folder
update: Add Port Monitor Persistence in Registry - Update logic to avoid hardcoded HKLM values
update: Change Winevt Channel Access Permission Via Registry - Update logic to avoid hardcoded HKLM values
update: CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry - Add more entries to increase coverage and update metadata information
update: Default RDP Port Changed to Non Standard Port - Update logic to avoid hardcoded HKLM values
update: Disable Administrative Share Creation at Startup - Update logic to avoid hardcoded HKLM values
update: Disable Microsoft Defender Firewall via Registry - Update logic to avoid hardcoded HKLM values
update: Disable Windows Event Logging Via Registry - Update logic to avoid hardcoded HKLM values
update: Displaying Hidden Files Feature Disabled - Update logic to avoid hardcoded HKLM values
update: FlowCloud Registry Marker - Update logic to avoid hardcoded HKLM values
update: New PortProxy Registry Entry Added - Update logic to avoid hardcoded HKLM values
update: Potential CobaltStrike Service Installations - Registry - Update logic to avoid hardcoded HKLM values
update: Register New IFiltre For Persistence - Update logic to avoid hardcoded HKLM values
update: Registry Persistence via Service in Safe Mode - Update logic to avoid hardcoded HKLM values
update: Run Once Task Configuration in Registry - Update logic to avoid hardcoded HKLM values
update: Security Support Provider (SSP) Added to LSA Configuration - Update logic to avoid hardcoded HKLM values
update: ServiceDll Hijack - Update logic to avoid hardcoded HKLM values
update: Sysmon Driver Altitude Change - Update logic to avoid hardcoded HKLM values
update: Windows Defender Service Disabled - Registry - Update logic to avoid hardcoded HKLM values

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
TBD