From 6719ac2628e996bbc87e7edb600806c604bb83e1 Mon Sep 17 00:00:00 2001
From: doomedraven
Date: Tue, 17 Feb 2026 15:47:24 +0100
Subject: [PATCH 1/2] Clean up comments in auxiliary.conf.default

Removed outdated comments regarding Windows dependencies and registry entries.
---
 conf/default/auxiliary.conf.default | 17 -----------------
 1 file changed, 17 deletions(-)

diff --git a/conf/default/auxiliary.conf.default b/conf/default/auxiliary.conf.default
index 85e9d63bf0d..3e7b137f452 100644
--- a/conf/default/auxiliary.conf.default
+++ b/conf/default/auxiliary.conf.default
@@ -1,20 +1,3 @@
-# Requires dependencies of software in vm as by:
-# https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
-# Windows 7 SP1, .NET at least 4.5, powershell 5 preferly over v4
-# KB3109118 - Script block logging back port update for WMF4
-# x64 - https://cuckoo.sh/vmcloak/Windows6.1-KB3109118-v4-x64.msu
-# x32 - https://cuckoo.sh/vmcloak/Windows6.1-KB3109118-v4-x86.msu
-# KB2819745 - WMF 4 (Windows Management Framework version 4) update for Windows 7
-# x64 - https://cuckoo.sh/vmcloak/Windows6.1-KB2819745-x64-MultiPkg.msu
-# x32 - https://cuckoo.sh/vmcloak/Windows6.1-KB2819745-x86-MultiPkg.msu
-# KB3191566 - https://www.microsoft.com/en-us/download/details.aspx?id=54616
-# You should create following registry entries
-# reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames" /v * /t REG_SZ /d * /f /reg:64
-# reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 00000001 /f /reg:64
-# reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" /v EnableTranscripting /t REG_DWORD /d 00000001 /f /reg:64
-# reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" /v OutputDirectory /t REG_SZ /d C:\PSTranscipts /f /reg:64
-# reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" /v EnableInvocationHeader /t REG_DWORD /d 00000001 /f /reg:64
-
 # Modules to be enabled or not inside of the VM
 [auxiliary_modules]
 browser = yes

From 4c6c68636ae3a9915b6dcfece50da32a53ff2ca8 Mon Sep 17 00:00:00 2001
From: doomedraven
Date: Tue, 17 Feb 2026 15:47:52 +0100
Subject: [PATCH 2/2] Rename 'amsi' section to 'amsi_etw'

---
 conf/default/processing.conf.default | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/default/processing.conf.default b/conf/default/processing.conf.default
index 4d28e0fdd81..dee18d6696d 100644
--- a/conf/default/processing.conf.default
+++ b/conf/default/processing.conf.default
@@ -29,7 +29,7 @@ enabled = no [dumptls] enabled = no -[amsi] +[amsi_etw] enabled = no [behavior]
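Review bot: The rename of `[amsi]` to `[amsi_etw]` touches only the `.default` file, so whatever reads that section (presumably a processing module keyed on the old name) and any deployment carrying a local `processing.conf` override with the old section name are not migrated by this series as far as it is visible here — confirm the consumer is renamed in step, since a stale `[amsi]` block would otherwise be ignored and the module would, presumably, fall back to this file's `enabled = no`. A short comment above the new section, `# renamed from [amsi]; update local overrides accordingly`, would make the migration visible to operators diffing their config against the default. Only the one changed pair of lines is asserted here; the surrounding context lines are collapsed in the patch and were not reflowed.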