Penetration Testing mailing list archives

Re: services.exe modifying synattackprotect?


From: Christophe Vandeplas <christophe () vandeplas com>
Date: Fri, 10 Dec 2010 09:36:40 +0100

On Thu, Dec 9, 2010 at 6:23 PM,  <techlists () comcast net> wrote:
> Why would 'C:\Windows\system32\services.exe' be trying to change the following registry key?
>
> \REGISTRY\MACHINE\SYSTEM\ControlSet\SERVICES\TCPIP\PARAMETERS\SYNATTACKPROTECT
>
> Is this an indication of an attack or a normal part of the 'services.exe' process?

Hi PG,

You should read this paper [1] to understand what the synattackprotect
parameter does.
The big question is more: To what is the parameter changed?

If it was changed to 0, so deactivating synattack protection, I would
seriously ask myself questions.
But if it was changed to 1, enabling another protection... then I'd
check with my sysadmin if some Active Directory group policies were
changed (manually or because of the installation of a patch).

[1] http://technet.microsoft.com/en-us/library/cc938202.aspx
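
The check described in the reply above, as an added example that is not part of the original post: it classifies registry-write alerts for SynAttackProtect by the value being written. The record fields (`process`, `key`, `value`), the verdict names and all sample alerts are constructed, and treating any non-zero value the same as 1 is an assumption.

```python
import re

# SynAttackProtect under any control set, in kernel (\REGISTRY\MACHINE\...)
# or Win32 (HKLM\...) form. "ControlSet" with no number is accepted because
# that is how the path appears in the question.
KEY_RE = re.compile(
    r"^(?:\\REGISTRY\\MACHINE|HKLM|HKEY_LOCAL_MACHINE)"
    r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d*)"
    r"\\Services\\Tcpip\\Parameters\\SynAttackProtect$",
    re.IGNORECASE,
)

def parse_dword(raw):
    """Parse 0, '1', '0x00000001' or 'DWORD (0x00000001)'; None if unparseable."""
    m = re.search(r"0x([0-9a-f]+)|(\d+)", str(raw), re.IGNORECASE)
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2), 10)

def triage(alert):
    """Return a verdict for one registry-write alert (constructed record format)."""
    if not KEY_RE.match(alert["key"].strip()):
        return "ignore"          # not the value discussed in this thread
    value = parse_dword(alert.get("value"))
    if value is None:
        return "unknown-value"   # the alert did not record what was written
    if value == 0:
        return "investigate"     # SYN attack protection is being turned off
    return "verify-change"       # protection enabled: confirm a GPO or patch change

# Constructed sample alerts; only the first key path is taken from the thread.
SAMPLE_ALERTS = [
    {"process": r"C:\Windows\system32\services.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet\SERVICES\TCPIP\PARAMETERS\SYNATTACKPROTECT",
     "value": "DWORD (0x00000000)"},
    {"process": r"C:\Windows\system32\services.exe",
     "key": r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect",
     "value": 1},
    {"process": r"C:\Windows\system32\services.exe",
     "key": r"HKLM\System\ControlSet001\Services\Tcpip\Parameters\SynAttackProtect",
     "value": None},
    {"process": r"C:\Windows\system32\services.exe",
     "key": r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname",
     "value": "0"},
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(f'{triage(a):14} {a["key"]} = {a["value"]!r}')
```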
