
[New WTFBin]: SecurityHealthService.exe

Open 59e5aaf4 opened this issue 2 years ago • 0 comments

  • Contributor Name: 59e5aaf4
  • Application/Executable: SecurityHealthService.exe
  • WTF Behavior Description: Sets HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL to 0 (= insecure = might raise EDR alerts ahem ahem) just before setting it (back?) to 2 for no valid reason.
  • Link to Documentation of Behavior: No real doc, just the official doc on that service: https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection & https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center
  • Please provide any images for additional evidence.

image

>>> import base64, struct
>>> struct.unpack('>I', base64.b64decode('AAAAAg=='))[0]
2
>>> struct.unpack('>I', base64.b64decode('AAAAAA=='))[0]
0

59e5aaf4, Apr 21 '23 09:04
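An added example, not code from the issue or the WTFBins project, showing how a detection rule could treat the flip described above: a write of 0 to RunAsPPL that SecurityHealthService.exe restores within a short window is tagged as this known WTFBin pattern, while a 0 that is not restored, or that comes from another image, is left as an alert. The telemetry records, the 30-second window and the image paths are constructed assumptions; the DWORD is decoded exactly as in the snippet above.

```python
"""Classify RunAsPPL writes from registry-set telemetry (constructed sample data)."""
import base64
import struct
from datetime import datetime, timedelta

RUNASPPL_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL"

# Constructed sample events: (timestamp, writing image, key path, base64 big-endian DWORD).
# The first two mimic the behaviour in this issue; the third is a write nobody restores.
SAMPLE_EVENTS = [
    ("2023-04-21T09:04:00", r"C:\Windows\System32\SecurityHealthService.exe", RUNASPPL_KEY, "AAAAAA=="),
    ("2023-04-21T09:04:01", r"C:\Windows\System32\SecurityHealthService.exe", RUNASPPL_KEY, "AAAAAg=="),
    ("2023-04-21T10:15:00", r"C:\Users\Public\tool.exe", RUNASPPL_KEY, "AAAAAA=="),
]


def decode_dword(b64: str) -> int:
    """Decode a base64, big-endian 32-bit value (same unpack as the issue's snippet)."""
    return struct.unpack(">I", base64.b64decode(b64))[0]


def classify(events, restore_window=timedelta(seconds=30)):
    """Return (timestamp, image, verdict) for every write of 0 to RunAsPPL.

    'known_wtfbin': SecurityHealthService.exe wrote 0 and the same image wrote a
    non-zero value back within restore_window (the pattern this issue documents).
    'alert': the value was set to 0 by another image, or was never restored in time.
    """
    parsed = [(datetime.fromisoformat(ts), img, decode_dword(val))
              for ts, img, key, val in events if key == RUNASPPL_KEY]
    verdicts = []
    for i, (ts, img, val) in enumerate(parsed):
        if val != 0:
            continue
        restored = any(
            img2 == img and val2 != 0 and ts < ts2 <= ts + restore_window
            for ts2, img2, val2 in parsed[i + 1:]
        )
        is_shs = img.lower().endswith(r"\securityhealthservice.exe")
        verdict = "known_wtfbin" if (is_shs and restored) else "alert"
        verdicts.append((ts.isoformat(), img, verdict))
    return verdicts


if __name__ == "__main__":
    for row in classify(SAMPLE_EVENTS):
        print(row)
```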