operat0r_001 Posted April 29, 2019 Share Posted April 29, 2019 (edited) I wanted to ask around before I create my own for the LAN Turtle but the current OIC we have is for ANY realtek device with PID 8152. Basically looking for out of the box file paths or if anybody has a Process monitor log or created OIC's for it before. I also wanted to know if there any different revs I am missing (the one I got was in a little envelope lily about 1-3 yers old. So I can add IOC's for them. (regmod:enum\usb\vid_0bda&pid_8152) Edited May 26, 2019 by operat0r_001 Quote Link to comment Share on other sites More sharing options...
operat0r_001 Posted May 26, 2019 Author Share Posted May 26, 2019 UPDATE: looks like as far as USB everything else is dynamic... I used USBDeview.exe from sysinternals to sort out the bits. I plan to look at what drivers it uses with process monitor and go from there. The issue there is it may be different from win 7 to 10 or builds of windows etc... Quote Link to comment Share on other sites More sharing options...
operat0r_001 Posted July 10, 2019 Author Share Posted July 10, 2019 w00t the old alert was triggering on ANY 8152 (realtek) Device ... these added modload triggers will minimize false positives tested with only windows 10 q=modload:rassstp.sys modload:rtux64w10.sys (regmod:enum\usb\vid_0bda&pid_8152) added modload:rassstp.sys to confirmed use of LAN turtle to reduce false positives Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.