
Threat Hunt Deep Dives Ep. 7 - User Account Control Bypass via Registry Modification, 3 years ago






Welcome to Threat Hunt Deep Dives, Episode 7! Today we are looking at the Registry Key Modification method, one that abuses registry keys by creating or modifying values that some trusted Windows executables look for during their process execution. Join us as we put this method under the microscope.

Cyborg Security is changing the Threat Hunting game, check us out at:
https://www.cyborgsecurity.com/
/ cyborgsecinc
/ cyborg-security

*Resources:
Technical Blogs:
https://pentestlab.blog/2017/06/09/ua...
https://www.fireeye.com/blog/threat-r...
https://www.fortinet.com/blog/threat-...
Blogs:
https://www.bleepingcomputer.com/news...
https://cqureacademy.com/cqure-labs/c...

*Information:
https://attack.mitre.org/techniques/T...
https://docs.microsoft.com/en-us/wind...
https://www.maketecheasier.com/enable...
https://www.neuber.com/taskmanager/pr...
https://docs.microsoft.com/en-us/sysi...

*Sample Queries:
Process Create:
(EventCode=4688 (WinEventLog) OR EventCode=1 (Sysmon)) AND (RegistryKeyPath="Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command" OR RegistryKeyPath="Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe")

Registry Key Modification:
(EventCode=4657 (WinEventLog) OR EventCode=13 (Sysmon)) AND (RegistryKeyPath="Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command" OR RegistryKeyPath="Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe")

PowerShell Script Logging:
EventCode=4104 (PowerShell Logging) AND (RegistryKeyPath="Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command" OR RegistryKeyPath="Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe")

Chapters:
Intro: 0:00
Overview: 0:33
Emulation: 7:44
Hunt: 19:53
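The three sample queries above, written as one Python hunt over normalized events. This is an added example, not code from the video or from Cyborg Security. The "Source" labels, the mapping of each event code to the field that is searched, and all sample events are assumptions constructed for illustration.

```python
# Registry key paths exactly as they appear in the sample queries.
KEY_PATHS = (
    r"Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe",
)

# (log source, event code) -> (query name, field holding the text to search).
# Source labels and field mapping are assumptions about a normalized schema.
QUERIES = {
    ("Security", 4688): ("process_create", "CommandLine"),
    ("Sysmon", 1): ("process_create", "CommandLine"),
    ("Security", 4657): ("registry_modification", "ObjectName"),
    ("Sysmon", 13): ("registry_modification", "TargetObject"),
    ("PowerShell", 4104): ("powershell_script_logging", "ScriptBlockText"),
}

def match_event(event):
    """Return (query name, matched key path) for one event dict, or None."""
    rule = QUERIES.get((event.get("Source"), event.get("EventCode")))
    if rule is None:
        return None
    name, field = rule
    text = str(event.get(field, "")).lower()  # registry paths are case-insensitive
    for path in KEY_PATHS:
        if path.lower() in text:
            return name, path
    return None

def hunt(events):
    """Group (host, key path) hits by the query that fired."""
    hits = {}
    for event in events:
        result = match_event(event)
        if result:
            hits.setdefault(result[0], []).append((event["Host"], result[1]))
    return hits

# Constructed sample events: hosts, SIDs and arguments are made up.
SAMPLE_EVENTS = [
    {"Source": "Sysmon", "EventCode": 13, "Host": "WS01", "TargetObject": r"HKU\S-1-5-21-0-0-0-1001_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\(Default)"},
    {"Source": "Security", "EventCode": 4657, "Host": "WS02", "ObjectName": r"\REGISTRY\USER\S-1-5-21-0-0-0-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\CONTROL.EXE"},
    {"Source": "Sysmon", "EventCode": 1, "Host": "WS01", "CommandLine": r'reg.exe add "HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command" /f'},
    {"Source": "PowerShell", "EventCode": 4104, "Host": "WS03", "ScriptBlockText": r"New-Item -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe' -Force"},
    {"Source": "Sysmon", "EventCode": 13, "Host": "WS04", "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

Because the first key path begins at "Classes\", it also matches the per-user "<SID>_Classes" hive form that Sysmon reports for HKCU\Software\Classes, as in the first sample event.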
