mthcht
> Thank you very much for submitting this proposal @mthcht! Could you please include the below information so we can validate before merging? > > 1. Does Trellix EDR align...
@tsale here is a raw log extract for each EventType I have: ``` Account Changed {"eventType": "Account Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "01eb704f-3b7d-4965-83ec-5c9d725fd0d6", "traceId": "27bbdca8-e76c-4287-8d93-31f9ad0412be", "contextTraceId": "da67763a-854d-412c-a66f-edcca0eeb3d4",...
@tsale here is an extract for each EventType: Account Changed {"eventType": "Account Changed", "maGuid": "HIDDEN", "host": "HIDDEN", "rv": 1408, "parentTraceId": "01eb704f-3b7d-4965-83ec-5c9d725fd0d6", "traceId": "27bbdca8-e76c-4287-8d93-31f9ad0412be", "contextTraceId": "da67763a-854d-412c-a66f-edcca0eeb3d4", "pid": 1076, "it": 1, "time":...
@inodee I was thinking of this category `Via Windows Eventlogs` as a log we can add with the EDR capabilities... for example CrowdStrike has the ability to add any eventlog...
> @mthcht, I reviewed the submission and I have some questions regarding some of the sub-categories. See below: > > 1. I cannot see evidence for the UDP Connection, URL,...
> Thanks for the info @mthcht! For the EDR SysOps, logged locally is acceptable as well. You could edit the commit to include what you see in regards to it...
> A few things I would like to add/correct around the Trellix EDR solution: the correct link to the user/product guide is located here https://docs.trellix.com/en/bundle/mvision-endpoint-detection-and-response-landing/page/GUID-571E9972-9D54-49D3-BAC8-6197FFFB02C9.html. With regards to agent monitoring,...
I think it would be valuable to know which EDR can provide telemetry for eBPF events or syscall activity.
- [x] modification of [Simulation/Windows/System/search_for credentials_in_registry.ps1](https://github.com/mthcht/Purpleteam/blob/aea31dd35975699c04df8f7a52f301ac3b07c5ee/Simulation/Windows/System/search_for%20credentials_in_registry.ps1)
- [x] modification of [https://github.com/mthcht/Purpleteam/blob/948f023cd7e0145dac8ad00f10967f8088516711/Logging/enable_windows_eventid_logging.ps1](https://github.com/mthcht/Purpleteam/blob/948f023cd7e0145dac8ad00f10967f8088516711/Logging/enable_windows_eventid_logging.ps1)
- [ ] Add scripts for each technique in Windows and Linux
- [ ] create procedures folder -...
- [ ] recompile createdump.exe from https://github.com/dotnet/dotnet/blob/main/src/runtime/src/coreclr/debug/createdump/, change the part https://github.com/dotnet/dotnet/blob/main/src/runtime/src/coreclr/debug/createdump/main.cpp#L185 so we can still use the pid option with dotnet 7, add the new executable to the [_bin](https://github.com/mthcht/Purpleteam/tree/main/Simulation/Windows/_bin) directory and...