This artifact will attempt to identify Cortex EDR that has been disabled via regkey
name: Windows.Registry.CortexEDRDisabled
author: Rhys Jenkins @Rhysistance
description: |
This artifact will attempt to identify Cortex EDR that has been disabled via regkey
reference:
- https://mrd0x.com/cortex-xdr-analysis-and-bypass/
parameters:
- name: KeyGlob
default: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Parameters\ServiceDll
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
SELECT Name,Data.value as DllName,Fqdn FROM glob(globs=KeyGlob, accessor="reg") WHERE NOT DllName =~ "cryptsvc\.dll"