Skip to content

Line 239 registry formatting #179

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 224 commits into
base: master
Choose a base branch
from
Open

Line 239 registry formatting #179

wants to merge 224 commits into from

Conversation

@kevinelwell
Copy link

@kevinelwell kevinelwell commented Mar 29, 2023

Created issue 48

Change line 239 from:
<TargetObject condition="is">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Microsoft Print to PDF\PrinterDriverData</TargetObject>

to:
<TargetObject condition="is">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Microsoft Print to PDF\PrinterDriverData</TargetObject>

Neo23x0 and others added 30 commits July 24, 2021 08:22
@Neo23x0
squashed pull requests from original repo
88e3a0b 
This was necessary to allow us to 1. merge all open pull request of the original repo AND 2. allow our new repository to receive new pull requests
@Neo23x0
HiveNightmare detection
bdc3fd2
@Neo23x0
docs: give credits to the contributors of the squashed pull requests
ca2ccea
@Neo23x0
docs: better line breaks in credits
fe70b87
@Neo23x0
PrinterNightmare coverage
23af2b4
@Neo23x0
feat: more PrinterNightmare coverage
f893c68
@Neo23x0
docs: info on extended coverage
510e4ed
@Neo23x0
fix: accidental removal of section
ca54b56
@Neo23x0
filter: OneDrive
876166b
@Neo23x0
SeriousSAM CS Pattern
4aa2ad4
@humpalum
First CI workflow draft
fd602c9 
Added a workflow that installs sysmon with the config and fails when sysmon has an error
@humpalum
fix: renamed main to master
7b98675
@humpalum
chore: Added Eventcount Check Job
fdb5396
@humpalum
chore: Added a simulated busy system
97b006c 
Also changed the numbers to allow up to about 5% of more events
@humpalum
chore: Fixed Branchnames
3530138
@humpalum
chore: Limiting Eventcount to Sysmon Events
df4e131
@Neo23x0
docs: add maintainers
94d37c3
@Neo23x0
Merge branch 'master' of https://github.com/Neo23x0/sysmon-config
17836fd
@phantinuss
ProcessAccess using CobaltStrike BOF NtOpenProcess
77d3adb
@phantinuss
lsass process access with relevant access rights
0c24d1d
@phantinuss
fix: use tab instead of space characters for indentation
def0883
@phantinuss
Merge pull request #2 from phantinuss/master
cd90b87 
Process Access Config für lsass.exe and CobaltStrike BOF
@Neo23x0
docs: update README
a253184
@Neo23x0
chore: full fledged sysmon config
5370dcf
@Neo23x0
Merge branch 'master' of https://github.com/Neo23x0/sysmon-config
337be95
@Neo23x0
chore: ignore .vscode
df67cdc
@Neo23x0
new CobaltStrike NamedPipe patterns
2618b37
@Neo23x0
Merge pull request #3 from Neo23x0/config-devel
454b72e 
New CobaltStrike NamedPipes
@Gusty-Dusty
Add Splunk exclusions per sysmon-modular
743a054
Merge remote-tracking branch 'DustyMMiller/master' into SwiftOnSecuri…
9dcf3b2 
…ty-PRs
cospirho and others added 30 commits May 15, 2023 13:49
@cospirho
Remove duplicates sysmonconfig-export-block
cea856d
@nasbench
Merge pull request #53 from cospirho/master
766b2a7 
feat: remove duplicate rules
@Neo23x0
new FileExecutableDetected Block
43f8ebf
@Neo23x0
Merge branch 'master' of https://github.com/Neo23x0/sysmon-config
8569801
@Neo23x0
loldrivers rules
87be34c
@Neo23x0
Update sysmonconfig-export.xml
f10d77f
@Neo23x0
fix: increase allowance for trace runs
bc734a5
@Neo23x0
feat: blocked config
21205e9
@Neo23x0
fix: schema version
65bc443
@Neo23x0
Merge pull request #56 from Neo23x0/loldrivers-extension
277c594 
loldrivers rules
@nasbench
Update sysmonconfig-export.xml
b2b5554
@nasbench
Update sysmonconfig-export-block.xml
8b8c419
@nasbench
Merge pull request #57 from nasbench/master
fa614fd 
feat: add vmware conf path
@Neo23x0
add: EDRSandblast
65c78ba 
adding EDRSandblast itself (not just the drivers used by it)
@Neo23x0
EDRSilencer hashes
2dc8575
@Neo23x0
add: EventLogCrasher
f944c05
@swachchhanda000
Add Defender administrative settings related another registry path
ae2938b
@swachchhanda000
fix: linting
8ded30c
@phantinuss
Merge pull request #62 from swachchhanda000/exclusion_reg
c794961 
Add Defender administrative settings related another registry path
@swachchhanda000 @phantinuss
Add New Pipes (#61)
d52b214 
add new pipes

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
@swachchhanda000
Add RunMRU annd TypedPaths Registry to detect potential clickfix and …
23aa78a 
…filefix attacks (#63)

add RunMRU annd TypedPaths Registry to detect potential clickfix and filefix attacks

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@Neo23x0
block bamboozlEDR
a25c042 
 https://github.com/olafhartong/BamboozlEDR/tree/main
@Neo23x0
Update sysmonconfig-export-block.xml
d65905e
@Neo23x0
add: CreateProcessAsPPL.exe
661a1c4
@Neo23x0
EDR-Freeze
db3891f
@Neo23x0
another imphash for EDR Freeze
1fdc5f8
@Neo23x0 @mback2k
DNS ServerLevelPluginDll Issue Added
9c84056 
https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
(cherry picked from commit 3c36bee)
@Neo23x0
Merge pull request #64 from TKCERT/neo23x0-pr1
51f9c77 
DNS ServerLevelPluginDll Issue Added
@Neo23x0 @mback2k
Add registry keys often used by malware and windows services
5554c69 
(cherry picked from commit c612d4239156f052a67ef7d2a740d1079013726c)
@Neo23x0
Merge pull request #65 from TKCERT/neo23x0-pr2
5e79c36 
Add registry keys often used by malware and windows services
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.