Description: If our objective is to determine whether there is persistence at system boot or user login, one of the most straightforward and effective methods is to use Microsoft Sysinternals Autoruns.

Another point we’ll address in this lesson is whether the presence of verified applications at the AD environment level is sufficient evidence to trust those applications.
Specifically, we’ll explore how to recognize and detect the technique known as “Subvert Trust Controls: Install Root Certificate” (T1553.004).
To achieve this, we’ll need to analyze the behavior of the applications, their digital signatures, and any deviations from the expected trust controls.
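One way to turn the T1553.004 check described above into a repeatable hunt, as an added example that is not part of the lesson or its video: compare the root certificate stores of a host against a baseline of thumbprints exported earlier from a clean reference machine and report anything that is not in it. The baseline file path and its format (one thumbprint per line) are assumptions.

```powershell
# Added example (not from the lesson): report root certificates that are missing
# from a known-good baseline. Build the baseline on a clean reference host with:
#   Get-ChildItem Cert:\LocalMachine\Root |
#       Select-Object -ExpandProperty Thumbprint | Set-Content C:\baseline\root-thumbprints.txt
# The baseline path is an assumption for this example.
param(
    [string]$BaselinePath = "C:\baseline\root-thumbprints.txt"
)

# Both stores matter: a root dropped into the per-user store is trusted for that
# user's sessions without touching the machine-wide store.
$stores = @("Cert:\LocalMachine\Root", "Cert:\CurrentUser\Root")

# Load baseline thumbprints into a hash set (case-insensitive by upper-casing).
$baseline = @{}
if (Test-Path $BaselinePath) {
    Get-Content $BaselinePath | ForEach-Object {
        $t = $_.Trim().ToUpper()
        if ($t) { $baseline[$t] = $true }
    }
} else {
    Write-Warning "Baseline file not found: $BaselinePath (every root will be reported)"
}

$findings = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        if (-not $baseline.ContainsKey($cert.Thumbprint.ToUpper())) {
            # Context that helps triage a T1553.004 finding: a recently created,
            # self-signed root in the CurrentUser store is the classic pattern.
            [PSCustomObject]@{
                Store      = $store
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                DaysOld    = [int]((Get-Date) - $cert.NotBefore).TotalDays
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
            }
        }
    }
}

# Newest certificates first; review each one against change records.
$findings | Sort-Object NotBefore -Descending | Format-Table -AutoSize
```

Every root not in the baseline is a candidate, not a verdict: confirm it against the organisation's own PKI and software deployment records before treating it as an installed rogue root.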


Video Link: IR & TH Series - Velociraptor EDR Autoruns [ARABIC]