Update: 2025-10-20 02:33:16

wesmar
2025-10-20 02:33:16 +02:00
parent 3a2dcb9850
commit 9ee844dc8a

@@ -1484,7 +1484,7 @@ While KVC employs evasion techniques, its operations can still leave forensic ar
* **Event ID 4624:** Logon - shows logons associated with Sticky Keys backdoor (`SYSTEM` logon from `winlogon.exe` context).
* **File System Artifacts:**
* **`kvc.exe`, `kvc_pass.exe`:** The executables themselves.
* **Temporary Driver:** `kvc.sys` briefly present in a system location (likely DriverStore FileRepository or System32\\drivers) during atomic operations.
* **Temporary Driver:** `kvc.sys` is briefly present in `C:\Windows\System32\DriverStore\FileRepository\avc.inf_amd64_XXXXXXXXXXXX\` during atomic operations. This location is dynamically resolved at runtime by querying the actual subdirectory name (e.g., `avc.inf_amd64_12ca23d60da30d59`), which varies per system. Importantly, this directory is protected by ACLs that grant write access only to **TrustedInstaller**, not to standard administrators - KVC must elevate to TI privileges before placing the driver here.
* **Hijacked DLL:** `ExplorerFrame<U+200B>.dll` in `C:\Windows\System32` when watermark removal is active.
* **Memory Dumps:** `.dmp` files created by `kvc dump` in the specified or default (`Downloads`) location.
* **Credential Reports:** `.html`, `.txt`, `.json` files generated by `kvc export secrets` or `kvc bp` in the specified or default (`Downloads`) location.
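Review bot: the placeholder and the example in the new `Temporary Driver` line disagree on the suffix width: `avc.inf_amd64_XXXXXXXXXXXX` shows 12 placeholder characters, while the example `avc.inf_amd64_12ca23d60da30d59` has a 16-character hex suffix, so an analyst who builds a path filter from the placeholder gets the wrong shape. Either describe the suffix as a 16-hex-digit hash or, since the line already says the name is resolved at runtime and varies per system, give the pattern defenders would actually use, e.g. `Get-ChildItem C:\Windows\System32\DriverStore\FileRepository -Filter 'avc.inf_amd64_*'`, so the text and the example match. The TrustedInstaller ACL claim is the security-relevant part of this bullet and deserves a pointer to the section where the TI elevation is described, because in a forensic-artifacts list the reader wants to know what that elevation itself leaves behind. Separately, the unchanged `Hijacked DLL` context line carries a zero-width space (`ExplorerFrame<U+200B>.dll`) that will defeat searches for the real file name; worth fixing in a follow-up commit.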