Update README.md
xuanxuan0 authored Apr 8, 2021
1 parent a4b76ac commit ddf958b
Showing 1 changed file with 11 additions and 0 deletions.
11 changes: 11 additions & 0 deletions README.md
Expand Up @@ -22,3 +22,14 @@ An accompanying blog post can be found here: https://blog.redbluepurple.io/windo
- [ ] Risk based detection lifecycle

### Setup instructions
Assuming you do not have a Microsoft-trusted signing certificate:
- Put your machine in the test signing mode with bcdedit
- Generate a self-signed certificate with ELAM and Code Signing EKU
- Sign TiEtwAgent.exe and your ELAM driver with the certificate
- ./TiEtwAgent install
- net start TiEtwAgent
- Look for logs, by default in C:\Windows\Temp\TiEtwAgent.txt

PS. If you do not want to write an ELAM driver, you can get one from https://github.com/pathtofile/PPLRunner/tree/main/elam_driver

Special thanks to @pathtofile for the post here: https://blog.tofile.dev/2020/12/16/elam.html
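Review bot: the step "Put your machine in the test signing mode with bcdedit" names the tool but not the switch, the reboot it needs, or the fact that the setting stays on until explicitly reverted; consider spelling it out as `bcdedit /set testsigning on` followed by a reboot, and add a closing step that turns it back off (`bcdedit /set testsigning off`) so a lab box is not left accepting self-signed drivers after the agent has been tested. The two command lines (`./TiEtwAgent install`, `net start TiEtwAgent`) would also read better in a fenced code block than as bullets mixed with prose steps, and "PS." should be "P.S.".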
