Is this still working ? #1
Comments
Hi @pussinboots1992, thanks for checking it out :), if the process is running on your endpoint it's most likely all set up correctly, but let's take it step by step.
It works, sorry, I should have read the code before trying it :-)
When you say there is no use-case for memory operations within the same process, do you mean that no local memory allocations will create an event, or that your solution doesn't use events for local memory allocations? It would be cool to simply log all the events to the event viewer a bit like Sysmon, so that the events can be shipped to a SIEM such as Splunk or ELK to create custom use-cases! Thanks again for this awesome project!
No worries, happy to help. Local memory allocations create TiEtw events but these are filtered by default, so if you'd like to collect these you need to set up Any/All keyword bitmasks. But I think if your use case is to simply log TiEtw and forward it to a SIEM you might want to check out Sealighter or SilkETW. Unfortunately, if you are not a security vendor with a proper signing certificate it won't be very useful in a prod environment as all your endpoints would have to be running in test-signing mode.
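The Any/All keyword filtering mentioned in the reply above, as an added example that is not part of the TiEtwAgent project: it models the documented EnableTraceEx2 MatchAnyKeyword/MatchAllKeyword rules against a constructed event list, using made-up keyword bit assignments rather than the Threat-Intelligence provider's real values (which are not on this page), to show why a default mask can drop local allocation events while a wider mask delivers them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed keyword bits for illustration only; NOT the real
 * Microsoft-Windows-Threat-Intelligence keyword values. */
#define KW_ALLOCVM_LOCAL    0x1ULL
#define KW_ALLOCVM_REMOTE   0x2ULL
#define KW_PROTECTVM_LOCAL  0x4ULL
#define KW_PROTECTVM_REMOTE 0x8ULL

/* ETW keyword test as EnableTraceEx2 documents it:
 *  - an event with no keyword bits always passes;
 *  - MatchAnyKeyword == 0 delivers every event (MatchAllKeyword is ignored);
 *  - otherwise the event must share a bit with MatchAnyKeyword and, when
 *    MatchAllKeyword is non-zero, contain every bit of MatchAllKeyword. */
bool keyword_passes(uint64_t event_kw, uint64_t match_any, uint64_t match_all)
{
    if (event_kw == 0 || match_any == 0)
        return true;
    if ((event_kw & match_any) == 0)
        return false;
    if (match_all != 0 && (event_kw & match_all) != match_all)
        return false;
    return true;
}

typedef struct { const char *name; uint64_t keyword; } ti_event_t;

/* Constructed sample events: one per keyword bit above. */
static const ti_event_t sample_events[] = {
    {"AllocVmLocal",    KW_ALLOCVM_LOCAL},
    {"AllocVmRemote",   KW_ALLOCVM_REMOTE},
    {"ProtectVmLocal",  KW_PROTECTVM_LOCAL},
    {"ProtectVmRemote", KW_PROTECTVM_REMOTE},
};

/* Count how many sample events a session with these masks would receive. */
size_t count_delivered(uint64_t match_any, uint64_t match_all)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof sample_events / sizeof sample_events[0]; i++)
        if (keyword_passes(sample_events[i].keyword, match_any, match_all))
            n++;
    return n;
}

int main(void)
{
    /* Remote-only mask drops the two local events; all-ones mask keeps all four. */
    printf("remote-only: %zu\n", count_delivered(KW_ALLOCVM_REMOTE | KW_PROTECTVM_REMOTE, 0));
    printf("everything:  %zu\n", count_delivered(~0ULL, 0));
    return 0;
}
```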
One more question, how did you debug the service to test the detection logic? I guess you cannot attach a debugger to it since it is PPL. Is the only option to perform kernel debugging?
@pussinboots1992 you can use DbgView. If you need additional debug output at any point in execution you can add calls to the log_debug() helper function, or output a debug string directly. I did not use any other techniques due to PPL so I'm not sure what works tbh.
The service is running and in Process Explorer I can see it is marked as PsProtectedSignerAntimalware-Light, but nothing is in C:\Windows\Temp\TiEtwAgent.txt, the file doesn't even exist.
Is everything logged? I triggered a Meterpreter payload on the machine hoping that would force event generation and have the logfile created. It didn't work. Any debug logs? DbgView or other?
Here is the output I am getting:
It appears I cannot remove it anymore. Does a process need to be PPL to uninstall it?
Awesome project though! Thanks so much for sharing!!