### Execute MentalTi Monitoring Source: https://github.com/mannyfred/mentalti/blob/main/README.md Command-line examples for running the MentalTi executable with different process filtering modes and optional stack tracing. ```bash MentalTi.exe -proc all "0x40 | 0x1000" log.json MentalTi.exe -proc all-og "0x100000 | 0x200000" log.json MentalTi.exe -proc 6969 "0x4 | 0x4000" log.json MentalTi.exe -proc all-og "0x4 | 0x40 | 0x400 | 0x1000" log.json -trace 1,2,3 ``` -------------------------------- ### Clone and Setup MentalTi Source: https://github.com/mannyfred/mentalti/blob/main/README.md Instructions for cloning the repository and configuring the Windows environment to run the kernel driver required for ETW-Ti monitoring. ```bash git clone --recurse-submodules https://github.com/mannyfred/MentalTi bcdedit /set testsigning on # Reboot required after enabling testsigning sc create random type= kernel binpath= C:\Users\someone\Downloads\KMentalTi.sys sc start random ``` -------------------------------- ### Manage Kernel Driver Lifecycle Source: https://context7.com/mannyfred/mentalti/llms.txt Commands to configure the system for driver loading by enabling test signing mode and managing the driver service via the Service Control Manager. ```bash bcdedit /set testsigning on sc create random type= kernel binpath= C:\Users\someone\Downloads\KMentalTi.sys sc start random sc stop random sc delete random ``` -------------------------------- ### Detect RW to RX Remote Protection Changes using jq Source: https://context7.com/mannyfred/mentalti/llms.txt Filters logs for remote memory protection transitions from Read-Write (4) to Read-Execute (32). This pattern is frequently used by attackers to write shellcode into memory and subsequently mark it as executable. ```bash cat log.json | jq -s '[.[] | select(.Metadata.EventId == 2 and .Data.LastProtectionMask == 4 and .Data.ProtectionMask == 32)]' ``` -------------------------------- ### Detect Memory Protection Fluctuations using jq Source: https://context7.com/mannyfred/mentalti/llms.txt Analyzes JSON logs to identify memory regions with frequent protection changes, a common indicator of shellcode execution. It groups events by base address and filters for regions exhibiting more than three protection flips. ```bash cat log.json | jq -s '[.[] | select(.Metadata.EventId == 7) | {PID: .Metadata.ProcessId, Base: .Data.BaseAddress, Exe: .Metadata.Exe, Flip: [.Data.ProtectionMask, .Data.LastProtectionMask]}] | group_by(.Base) | map(. as $group | {ProcessId: $group[0].PID, BaseAddress: $group[0].Base, Exe: $group[0].Exe, Flips: (reduce $group[] as $item ([]; if length == 0 or .[-1][0] != $item.Flip[1] then . + [$item.Flip] else . end) | length - 1)} | select(.Flips > 3))' ``` -------------------------------- ### Detect Indirect Syscalls using jq Source: https://context7.com/mannyfred/mentalti/llms.txt Performs stacktrace analysis to detect randomized indirect syscall usage. It flags events where the top stack frame does not match the expected syscall stub address. ```bash cat log.json | jq -s '[ .[] | select(.Metadata.EventId == 2 and .Metadata.Stack[0] != "ntdll!NtProtectVirtualMemory+0x14") ]' ``` -------------------------------- ### Detect Remote Writes to KnownDlls using jq Source: https://context7.com/mannyfred/mentalti/llms.txt Monitors for remote write operations targeting KnownDlls memory addresses. Such activity may indicate attempts at API hooking or ntdll unhooking. ```bash cat log.json | jq -s '[ .[] | select(.Metadata.EventId == 14) | select(.Data.BaseAddress | length > 1)]' ``` -------------------------------- ### Detect APC Injection in Unbacked Memory using jq Source: https://context7.com/mannyfred/mentalti/llms.txt Identifies remote APC queueing operations targeting unbacked memory regions. This technique is often associated with the QueueUserAPC code injection method. ```bash cat log.json | jq -s '[ .[] | select(.Metadata.EventId == 4) | select(.Data.ApcRoutineVadMmfName == 0) | { CallingPID: .Data.CallingProcessId, CallingTID: .Data.CallingThreadId, TargetPID: .Data.TargetProcessId, TargetTID: .Data.TargetThreadId, ApcRoutine: .Data.ApcRoutine }]' ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.