Changes for readthedocs documentation
1 parent 7643c28, commit ffa2be7
Showing 4 changed files with 52 additions and 13 deletions.
@@ -0,0 +1,26 @@ | ||
## Services and drivers | ||
|
||
### Significance | ||
|
||
Malware can add new services or drivers to gain persistence, or modify existing | ||
ones to avoid detection. | ||
|
||
For example the ZeroAccess rootkit will make the following changes to the | ||
Windows Security Service Center (WSCSVC), Windows Defender (WINDEFEND), and | ||
Windows Firewall (MPSSVC) services, among others. | ||
|
||
* Set the 'Start' value to 4, indicating that the service should be disabled | ||
* Set the 'DeleteFlag' value to 1, indicating that the service should be removed | ||
* Set the 'ErrorControl' value to 0 and 'Type' value to 32, causing it to fail to be started by the Service Controller without generating error messages | ||
|
||
### Settings | ||
|
||
The services and drivers settings can be found in the Windows Registry key: | ||
|
||
``` | ||
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services | ||
``` | ||
|
||
### References | ||
|
||
* [Services and drivers](https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/Services-and-drivers.html) |
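Review bot: the ZeroAccess example in the "Significance" section (the three bullets on 'Start', 'DeleteFlag', 'ErrorControl' and 'Type') has no source, and the "References" section only links the generic Services-and-drivers page; add a citation for that behaviour, or state that it is from the author's own analysis. The "Settings" section would also help readers more if it named the per-service values the bullets rely on, for instance "Start (4 = disabled)" and "DeleteFlag", beneath the `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services` key, since those are exactly the values an analyst would check. Minor: "For example the ZeroAccess rootkit" needs a comma after "For example".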
This file was deleted.
@@ -0,0 +1,22 @@ | ||
## System Resource Usage Monitor (SRUM) | ||
|
||
System Resource Usage Monitor (SRUM) is used to monitor desktop application | ||
programs, services, Windows applications and network connections. | ||
|
||
### SRUM extensions | ||
|
||
### Database | ||
|
||
The SRUM database is typically stored in: | ||
|
||
``` | ||
C:\Windows\System32\sru\SRUDB.dat | ||
``` | ||
|
||
SRUM uses the Extensible Storage Engine (ESE) Database File (EDB) to store | ||
its folder data. | ||
|
||
### References | ||
|
||
* [System Resource Usage Monitor (SRUM) database](https://github.com/libyal/esedb-kb/blob/main/documentation/System%20Resource%20Usage%20Monitor%20(SRUM).asciidoc) | ||
* SRUM forensics, by Yogesh Khatri |
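Review bot: the "### SRUM extensions" heading is an empty section with no body before "### Database" begins; either add the content (the extensions and their provider GUIDs) or drop the heading until there is something to put under it. In the "Database" paragraph, "to store its folder data" reads wrong for SRUM, which stores resource-usage records rather than folder data; "to store its data" is probably what was meant. The second reference, "SRUM forensics, by Yogesh Khatri", has no link while the first one does; add the URL or a venue so it can be located.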