[Rule Tuning] Windows DR Tuning - 5 #3229
@@ -99,7 +99,7 @@ registry where host.os.type == "windows" and event.type : ("creation", "change") | |||
( | |||
registry.path : "HKEY_USERS\\*\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing\\BehaviorOnFailedVerify" and | |||
registry.value: "BehaviorOnFailedVerify" and | |||
registry.data.strings : ("0", "0x00000000", "1", "0x00000001") | |||
registry.data.strings : ("0", "0x00000000") |
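Review bot: on the `registry.data.strings` line of the BehaviorOnFailedVerify clause, removing "1" and "0x00000001" means events that set this value to 1 no longer match, and nothing in the hunk records why that setting is now treated as benign. Suggest stating the rationale in the PR summary or the rule description, and checking that the rule name and description still describe the narrower condition. If a value of 1 still counts as a weakening of the driver signing policy, keep the original list `("0", "0x00000000", "1", "0x00000001")`.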
Would it make sense to reflect this change in the rule name as well?
I think we can leave it as is
@Aegrah I was taking a second look at this one, and it seems that the original logic is the way to go here
Will exclude it for now, and explore other tuning opportunities
LGTM
LGTM
* [Rule Tuning] Windows DR Tuning - 5 * . * Revert changes BehaviorOnFailedVerify --------- Co-authored-by: Colson Wilhoit <[email protected]> (cherry picked from commit e5d6767)
Issues
Part of #3186
Summary
Tunes the following rules:
Code Signing Policy Modification Through Registry