From 5b3c69f7624e6b785d709e6b937562e2bb619227 Mon Sep 17 00:00:00 2001
From: Daren Cook <8darenc@gmail.com>
Date: Fri, 14 Jul 2023 15:35:58 -0700
Subject: [PATCH 1/4] Update include_psexec.xml
Added PSExec_psh Activity
---
17_18_pipe_event/include_psexec.xml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/17_18_pipe_event/include_psexec.xml b/17_18_pipe_event/include_psexec.xml
index ab19452d..062779b1 100644
--- a/17_18_pipe_event/include_psexec.xml
+++ b/17_18_pipe_event/include_psexec.xml
@@ -3,7 +3,11 @@
\PSEXESVC
+
+ ADMIN$;C$;IPC$
+ .exe;.dll
+
-
\ No newline at end of file
+
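Review bot: The added values `ADMIN$;C$;IPC$` are SMB share names, and Sysmon pipe events (IDs 17 and 18) carry only `PipeName`, `Image` and process identifiers, so a condition on these strings is unlikely to ever match in this file. The element and condition attributes are not visible in this rendering of the hunk, so please confirm which field each value is tested against. If `.exe;.dll` is an any-of match on `Image` inside an `or` group, it would include nearly every pipe event; if the two conditions are joined with `and`, the share-name condition would keep the rule from firing at all. Administrative-share access is better observed through file-share auditing (Security events 5140/5145), and a comment on the rule stating the behaviour it is meant to catch would make the intent reviewable.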
From 600d9a90d5dd5763f7dd7c871bf4880be9d183bc Mon Sep 17 00:00:00 2001
From: Daren Cook <8darenc@gmail.com>
Date: Fri, 14 Jul 2023 16:05:13 -0700
Subject: [PATCH 2/4] Create include_windows_secureboot.xml
Initial Deploy
---
.../include_windows_secureboot.xml | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 12_13_14_registry_event/include_windows_secureboot.xml
diff --git a/12_13_14_registry_event/include_windows_secureboot.xml b/12_13_14_registry_event/include_windows_secureboot.xml
new file mode 100644
index 00000000..d72ec147
--- /dev/null
+++ b/12_13_14_registry_event/include_windows_secureboot.xml
@@ -0,0 +1,11 @@
+
+
+ *
+
+
+
+ HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\State
+
+
+
+
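Review bot: The match type on `HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\State` decides whether this rule can fire, and the condition attribute is not visible in this rendering. For value-set events Sysmon reports `TargetObject` as the key path plus the value name (for example `...\State\UEFISecureBootEnabled`), so an `is` condition on the bare key would miss value writes; `begin with` or `contains` is needed. A short comment saying which change the rule is meant to surface would also help tuning. The value under this key reflects firmware state rather than controlling it, so hits are best treated as a tamper signal to correlate, not as proof that Secure Boot was disabled.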
From 23f30ef2c68d39173296c43084ed48cc7fd6c11f Mon Sep 17 00:00:00 2001
From: Daren Cook <8darenc@gmail.com>
Date: Fri, 14 Jul 2023 16:21:36 -0700
Subject: [PATCH 3/4] Create include_office_process_creation.xml
Initial Deploy
---
.../include_office_process_creation.xml | 14 ++++++++++++++
1 file changed, 14 insertions(+)
create mode 100644 10_process_access/include_office_process_creation.xml
diff --git a/10_process_access/include_office_process_creation.xml b/10_process_access/include_office_process_creation.xml
new file mode 100644
index 00000000..52060bbe
--- /dev/null
+++ b/10_process_access/include_office_process_creation.xml
@@ -0,0 +1,14 @@
+
+
+ *
+
+
+
+
+ C:\Program Files;\Microsoft Office\Root\Office
+ C:\Windows\System32\KERNELBASE.dll+76516
+
+
+
+
+
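Review bot: The call-trace value `C:\Windows\System32\KERNELBASE.dll+76516` ties this include to a single build of KERNELBASE.dll, because the offset moves with Windows updates and the rule would stop matching on other patch levels without any visible error. Add a comment recording the Windows build the offset was captured on and the Office behaviour it is meant to flag, or drop the offset and narrow the rule with the target image and granted-access mask instead. The file is named `include_office_process_creation.xml` but lives under `10_process_access`; if it holds ProcessAccess rules, as the call-trace value suggests, a name such as `include_office_process_access.xml` would avoid confusion with event ID 1. The element names are not visible in this rendering, so the field each value is matched against is inferred.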
From 5c1dc95b1a2591a020140314938a253972d75789 Mon Sep 17 00:00:00 2001
From: Daren Cook <8darenc@gmail.com>
Date: Fri, 14 Jul 2023 16:31:16 -0700
Subject: [PATCH 4/4] Create exclude_zoom.xml
Initial Deploy
---
7_image_load/exclude_zoom.xml | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100644 7_image_load/exclude_zoom.xml
diff --git a/7_image_load/exclude_zoom.xml b/7_image_load/exclude_zoom.xml
new file mode 100644
index 00000000..3f4a9d8a
--- /dev/null
+++ b/7_image_load/exclude_zoom.xml
@@ -0,0 +1,20 @@
+
+
+ *
+
+
+
+
+ C:\Users\;\AppData\Roaming\Zoom\bin\;dll
+ C:\Windows\System32\
+ Zoom Video Communications
+
+
+ C:\Users\;\AppData\Roaming\Zoom\bin\;dll
+ C:\Users\;\AppData\Roaming\Zoom\bin\;exe
+ Zoom Video Communications
+
+
+
+
+
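Review bot: Both exclusion rules trust a path under `C:\Users\...\AppData\Roaming\Zoom\bin\`, which the logged-on user can write to, and the signer string `Zoom Video Communications` alone does not prove the signature verified. Each rule should also require a valid signature, e.g. `<SignatureStatus condition="is">Valid</SignatureStatus>`, so that an unsigned or tampered DLL placed in that directory is still logged. The three-part value `C:\Users\;\AppData\Roaming\Zoom\bin\;dll` only requires the substrings to appear somewhere in the path if it is a `contains all` match, which is looser than a `begin with` plus `end with` pair. The first rule also combines a Zoom path, `C:\Windows\System32\` and the Zoom signer, so please confirm which field each applies to, since the attributes are not visible in this rendering. If the System32 value and the signer both test the loaded image under an `and` relation, that rule would never match.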