John U

12 issues by John U

The legacy NetLogon ETW provider includes the NegotiatedFlags parameter of the NetrServerAuthenticate3 MS-NRPC call. The 2nd bit is the 'Secure RPC' flag which Zerologon needs to disable. Flagging on Netlogon authentication...

Labels: rules, work_in_progress

> Microsoft Message Analyzer (MMA) was retired and its download packages removed from microsoft.com sites on November 25 2019. There is currently no Microsoft replacement for Microsoft Message Analyzer in...

## Description

Thread Creation events (ideally via a `PsSetCreateThreadNotifyRoutine` callback) are a useful telemetry source.

References

- https://bruteratel.com/release/2022/11/17/Release-Resurgence/ "Several changes were also made to how a local thread was created...

Labels: enhancement, help wanted, On-hold

Detouring a function should not break our ability to walk the call stack. On X64, suggest that we require the Detour to reside in MEM_IMAGE so that Windows has access...

Hey Detours folks, Just a couple of suggestions for choosing the trampoline location. The X86 range reserved for system DLLs is not up to date. The X64 "not +/- 1GB...

Hey @nasbench I just noticed that some manifests aren't installed by default - and require the OS feature to be enabled first. For example, you need to add the DNS...

Labels: enhancement

A Category for Win32 API telemetry would be useful. These are a primary data source for most EDRs. This data is available from Kernel ETW (especially [Threat-Intelligence](https://github.com/jdu2600/Windows10EtwEvents/blob/main/manifest/Microsoft-Windows-Threat-Intelligence.tsv)) or [user-mode hooks](https://github.com/Mr-Un1k0d3r/EDRs)....

[xpost] https://github.com/center-for-threat-informed-defense/summiting-the-pyramid/issues/61#issuecomment-2709971285 [This page](https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/D3/) lists it as a user mode source but Sysmon collects this information via a [kernel callback](https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-obregistercallbacks). I'm not sure what value your separation of application and...

The stringTable in the instrumentation manifest generated by GetManifestForRegisteredProvider() can have duplicate elements, e.g. the Microsoft-JScript provider's manifest includes -

GetManifestForRegisteredProvider() produces XML that does not correctly escape quotes `"` and angled braces `<` `>`. The generated manifest for Microsoft-Windows-Ntfs has examples of both characters. Other examples are Microsoft-Windows-AppXDeployment-Server, Microsoft-Windows-GroupPolicy and...