this post was submitted on 27 Dec 2025

blueteamsec

For [Blue|Purple] Teams in Cyber Defence - covering discovery, detection, response, threat intelligence, malware, offensive tradecraft and tooling, deception, reverse engineering etc.

BCOVertigo@lemmy.world 2 points 1 month ago

Well that's gross. Copy the text export of the registry, build a man file and place it appropriately, watch the system inhale fully with no logging, and use your man file as a registry hive at next login, all without privilege.

Maybe a login script to check for specific important registry values and have it create a custom Windows event log? This sucks for detection; I feel like jank might be the only option.
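One way to build the login-script check the comment suggests, as an added example that is not part of the thread: the script snapshots the values under a few watched keys, compares them with a stored baseline and writes any drift to a custom Windows event log so it can be forwarded and alerted on centrally. It assumes Windows PowerShell 5.1 (Write-EventLog), that an administrator has already registered the custom log and source, and that the key list, log name, baseline path and event ID (all chosen here for illustration) are adapted to the estate.

```powershell
# Added example (assumptions: log/source names, key list, baseline path, event ID).
$LogName = 'RegistryBaseline'       # create once, elevated:
$Source  = 'RegistryBaselineCheck'  #   New-EventLog -LogName $LogName -Source $Source
$BaselineFile = Join-Path $env:ProgramData 'RegistryBaseline\baseline.json'
$WatchedKeys = @(                   # "important" keys chosen for illustration
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
)
$ProviderProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

# Flatten every value under each watched key into "key\valuename" => string.
function Get-RegistrySnapshot([string[]]$Keys) {
    $snap = @{}
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { $snap[$key] = '<missing>'; continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($p.Name -in $ProviderProps) { continue }   # provider metadata, not data
            $snap["$key\$($p.Name)"] = [string]$p.Value
        }
    }
    return $snap
}

# Return one line per added, removed or changed value.
function Compare-Snapshot($Baseline, $Current) {
    $keys = @($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique
    $drift = foreach ($k in $keys) {
        if ($Baseline[$k] -ne $Current[$k]) { "{0}: '{1}' -> '{2}'" -f $k, $Baseline[$k], $Current[$k] }
    }
    return @($drift)
}

$current = Get-RegistrySnapshot $WatchedKeys
if (-not (Test-Path -LiteralPath $BaselineFile)) {
    # First run records the baseline. Create it from a trusted session and ACL it so
    # the logged-on user cannot rewrite it; a user-writable baseline proves nothing.
    New-Item -ItemType Directory -Force (Split-Path $BaselineFile) | Out-Null
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselineFile
    exit 0
}
$baseline = @{}
(Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = $_.Value }
$drift = Compare-Snapshot $baseline $current
if ($drift.Count -gt 0) {
    $msg = "Registry drift for $env:USERNAME on ${env:COMPUTERNAME}:`n" + ($drift -join "`n")
    Write-EventLog -LogName $LogName -Source $Source -EventId 1001 -EntryType Warning -Message $msg
}
```

The check only sees what the logged-on user can read and compares against whatever baseline it is handed, so the baseline file and the event log itself still need to be protected and collected off-host for the signal to be trustworthy.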