1 more time
MHaggis committed Nov 26, 2023
1 parent 59c4b8d commit f4462f6
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/gen-release.yml
@@ -42,7 +42,7 @@ jobs:
Write-Output "File Path: $filePath"
$fileContent = Get-Content $filePath
Write-Output "File Content: $fileContent"
$updatedContent = $fileContent -replace 'The generated binary may be found here:.*', ""The generated binary may be found here: $releaseUrl,""
$updatedContent = $fileContent -replace 'The generated binary may be found here:.*', ("The generated binary may be found here: " + $releaseUrl + ",")
Write-Output "Updated Content: $updatedContent"
Set-Content -Path $filePath -Value $updatedContent
Write-Output "File content updated successfully."
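Review bot: the new `$updatedContent` line still drops the closing quote of the target string. The pattern `'The generated binary may be found here:.*'` consumes the rest of the line, which in pages/2_ASR Atomic Testing.py is `here:,"`, but the replacement ends with `+ ","` and never re-emits the `"`, so the Python string literal is left unterminated once the workflow runs. Either end the replacement with `+ ',"'` or narrow the pattern so it stops before the quote, e.g. `-replace 'The generated binary may be found here:[^"]*', ("The generated binary may be found here: " + $releaseUrl + ",")`. The move from the doubled-quote token to explicit concatenation does fix the parse problem of the removed line. One more thing to be aware of: `$releaseUrl` is expanded by PowerShell before `-replace` sees the string, so a `$` inside the URL would be read as a replacement-group reference; a GitHub release URL should not contain one, but the value is not validated anywhere in this step.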
2 changes: 1 addition & 1 deletion pages/2_ASR Atomic Testing.py
@@ -319,7 +319,7 @@
"scripts": []
},
"Block credential stealing from the Windows local security authority subsystem (lsass.exe)": {
"description": "This rule helps prevent credential stealing by locking down Local Security Authority Subsystem Service (LSASS). LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows normally prevents attempts to extract credentials from LSASS. Some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. By default the state of this rule is set to block. In most cases, many processes make calls to LSASS for access rights that are not needed. For example, such as when the initial block from the ASR rule results in a subsequent call for a lesser privilege which subsequently succeeds. For information about the types of rights that are typically requested in process calls to LSASS, see: Process Security and Access Rights.\n\nNote: In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is no need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.\n\nIntune name: Flag credential stealing from the Windows local security authority subsystem.\n\nConfiguration Manager name: Block credential stealing from the Windows local security authority subsystem. \n\nGUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2. 
\n\nAdvanced hunting action type: \n\nAsrLsassCredentialTheftAudited, AsrLsassCredentialTheftBlocked.\n\nDependencies: Microsoft Defender Antivirus.\n\nreference: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction\n\n The generated binary may be found here: $releaseUrl,"
"description": "This rule helps prevent credential stealing by locking down Local Security Authority Subsystem Service (LSASS). LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows normally prevents attempts to extract credentials from LSASS. Some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. By default the state of this rule is set to block. In most cases, many processes make calls to LSASS for access rights that are not needed. For example, such as when the initial block from the ASR rule results in a subsequent call for a lesser privilege which subsequently succeeds. For information about the types of rights that are typically requested in process calls to LSASS, see: Process Security and Access Rights.\n\nNote: In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is no need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.\n\nIntune name: Flag credential stealing from the Windows local security authority subsystem.\n\nConfiguration Manager name: Block credential stealing from the Windows local security authority subsystem. \n\nGUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2. 
\n\nAdvanced hunting action type: \n\nAsrLsassCredentialTheftAudited, AsrLsassCredentialTheftBlocked.\n\nDependencies: Microsoft Defender Antivirus.\n\nreference: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction\n\n The generated binary may be found here:,"
"scripts": [
{
"script": """
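Review bot: dropping the literal `$releaseUrl` from the description is right, since nothing in the Python file ever substituted it, but the line now ends in `here:,"` with nothing after the colon, so until the gen-release workflow rewrites it the rendered description reads "The generated binary may be found here:," and there is no token that marks the spot as a placeholder. Consider keeping a fixed sentinel after the colon (for example `RELEASE_URL`) and having the workflow match only that sentinel rather than `.*`; that keeps the literal readable before the rewrite and keeps the closing `"` intact after it, since the workflow's current `.*` pattern overwrites through the end of the line. Minor style points on the same line: `subsystem. \n\n` carries a stray space before the escape, and the `reference:` label is lowercase while the other labels (`Intune name:`, `Configuration Manager name:`, `GUID:`, `Dependencies:`) are capitalized.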
