
Module wcc added some defender checks

Open jubeaz opened this issue 1 year ago • 13 comments

Hello,

I've added some checks regarding Defender AV.

I've corrected a bug inside check_registry regarding the value of the op var.

I did not want to touch check_registry too much, but I think it can be merged with the function I've created, check_single_registry_with_policy, in order to allow the base tuple of check_registry to include the policies registry or None.

regards,

jubeaz avatar May 15 '24 01:05 jubeaz

Any screenshot possible @jubeaz ? :)

mpgn avatar May 15 '24 07:05 mpgn

Sure, this is what you get visually (the screenshot is restricted to my checks).

[screenshot 2024-05-16_03-49]

One thing that might be confusing is that when I perform checks on Defender parameters (exclusions, IOAV...) I do not check the state of Defender itself. If you look at FENRIS, this is a server without Defender installed, but as there is a GPO that applies some parameters to Defender, the policy is taken into account when computing parameters.

For the registry, I only check the value set on a computer if the value is not set by policies.

To mitigate that, I have decided to write detailed reasons inside the DB.

[screenshot 2024-05-16_04-07]

If you prefer, I can correct this: the result could be KO with reason N/A if Defender is not running, but it will be slower.

jubeaz avatar May 16 '24 02:05 jubeaz
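The policy-over-local lookup described in the comment above, as an added Python illustration (not NetExec's own wcc module code). The registry is modelled as a dict so it runs offline; the key paths are the standard Defender registry keys, the value data is constructed, and, as in the discussion, the state of the Defender service itself is not checked.

```python
# Added illustration, not NetExec's wcc code: resolve a Defender setting the way
# the comment describes. A value set by policy wins; the machine-local value is
# consulted only when no policy sets it; the verdict is stored with a detailed
# reason. Registry modelled as {(key, value name): data}; the key paths are the
# real Defender keys, the sample data below is constructed.

POLICY_BASE = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
LOCAL_BASE = r"HKLM\SOFTWARE\Microsoft\Windows Defender"
RTP = r"\Real-Time Protection"

# (subkey, value name, compliant value, default applied when nothing is set)
DEFENDER_CHECKS = [
    ("", "DisableAntiSpyware", 0, 0),
    (RTP, "DisableRealtimeMonitoring", 0, 0),
    (RTP, "DisableIOAVProtection", 0, 0),
]

# Constructed snapshot: local says AV disabled but a GPO re-enables it;
# IOAV is disabled locally and no policy covers it.
SAMPLE_REGISTRY = {
    (LOCAL_BASE, "DisableAntiSpyware"): 1,
    (POLICY_BASE, "DisableAntiSpyware"): 0,
    (LOCAL_BASE + RTP, "DisableIOAVProtection"): 1,
}

def check_single_registry_with_policy(registry, subkey, name, expected, default):
    """Return ("OK"|"KO", reason). Policy value first, local value second,
    documented default last; the reason records which source decided."""
    for source, base in (("policy", POLICY_BASE), ("local", LOCAL_BASE)):
        if (base + subkey, name) in registry:
            value = registry[(base + subkey, name)]
            break
    else:
        value, source = default, "default (not set by policy or locally)"
    status = "OK" if value == expected else "KO"
    return status, f"{name}={value} from {source}, expected {expected}"

def run_defender_checks(registry):
    """Map each value name to its (status, reason), as one would store in a DB."""
    return {
        name: check_single_registry_with_policy(registry, subkey, name, expected, default)
        for subkey, name, expected, default in DEFENDER_CHECKS
    }

if __name__ == "__main__":
    for name, (status, reason) in run_defender_checks(SAMPLE_REGISTRY).items():
        print(f"{status} {name}: {reason}")
```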

@jubeaz can you run Ruff against this?

Marshall-Hallenbeck avatar May 16 '24 15:05 Marshall-Hallenbeck

> @jubeaz can you run Ruff against this?

Also, why the heck is the pipeline not running sometimes?

NeffIsBack avatar May 16 '24 16:05 NeffIsBack

> @jubeaz can you run Ruff against this?
>
> Also, why the heck is the pipeline not running sometimes?

It runs when an owner commits or we approve, I believe, otherwise we'd overuse our pipeline quota pretty fast.

Marshall-Hallenbeck avatar May 16 '24 16:05 Marshall-Hallenbeck

> @jubeaz can you run Ruff against this?
>
> Also, why the heck is the pipeline not running sometimes?
>
> It runs when an owner commits or we approve, I believe, otherwise we'd overuse our pipeline quota pretty fast.

Ah, you are kinda right: it blocks runs for first-time contributors. If code from that contributor has been merged before, it will trigger the pipeline.

NeffIsBack avatar May 16 '24 16:05 NeffIsBack

OK, I've applied the linter.

Sorry, I'm kind of new to the development process and I did not read the CONTRIBUTING.md carefully enough.

Hope I'm not giving you too much work.

jubeaz avatar May 17 '24 00:05 jubeaz

@jubeaz don't worry about it :D we hadn't updated the PR template until after you filed this.

Marshall-Hallenbeck avatar May 17 '24 00:05 Marshall-Hallenbeck

@jubeaz this looks great, except that the final two checks aren't logging the policy and specific reason to the log inside ~/.nxc/logs/$date/wcc_$date.log:

Marshall-Hallenbeck avatar May 17 '24 14:05 Marshall-Hallenbeck

Hello,

This is not an error: it is because there are no exclusions set, either directly or by policies, and this is the way I log it (same way in the DB). In my lab you can see the difference.

[screenshot 2024-05-20_00-57]

Would you have preferred another way to log?

jubeaz avatar May 19 '24 22:05 jubeaz

@fpreynaud take a look at this man :P

Dfte avatar Jun 06 '24 14:06 Dfte

@jubeaz sorry for the late response. That makes sense to me. If you can fix the conflicts we can get this merged.

Marshall-Hallenbeck avatar Jun 18 '24 15:06 Marshall-Hallenbeck

Hello,

Done.

jubeaz avatar Jun 19 '24 06:06 jubeaz

Ahh, what can happen... let's merge.

NeffIsBack avatar Sep 01 '24 19:09 NeffIsBack