ept.gg
@ept.gg
If you run the code, it will remove the ACL for all the services in the serviceHashList list. On reboot, these services will not start.
December 27, 2024 at 10:12 AM
#sunburst is, as we know, stealthy, and does not reboot the computer; it rather waits for the computer to be rebooted.
December 27, 2024 at 10:12 AM
#sunburst will iterate over all entries in the registry, and if it finds a match, clears the ACL of that key, and then sets the owner to the local Administrator account.
December 27, 2024 at 10:12 AM
#sunburst does not kill the process of the AV; it rather changes the ownership and permissions of the service entry in HKLM:/System/CurrentControlSet/services.
December 27, 2024 at 10:12 AM
cc @MalwareJake @GossiTheDog @SwiftOnSecurity
December 27, 2024 at 10:12 AM
The reason it aborts when sysmon is running is probably that sysmon creates an event log if the service is not able to start after a reboot.

raw.githubusercontent.com/ept-team/sunbu…
December 27, 2024 at 10:12 AM
The assemblyTimeStamps (process list) is used to see if any of these processes are running; if so, the execution aborts.
December 27, 2024 at 10:12 AM