security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: fp with defender def updates

Browse Source
This commit is contained in:
Nasreddine Bencherchali
2022-11-10 17:15:22 +01:00
parent 14d13ef9ac
commit 30869e1b2b
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/builtin/system/win_system_susp_service_installation.yml
+2
View File
@@ -44,6 +44,8 @@ detection:
- ' aQBlAHgA' # PowerShell encoded commands
filter_thor_remote:
ImagePath|startswith: 'C:\WINDOWS\TEMP\thor10-remote\thor64.exe'
filter_defender_def_updates:
ImagePath|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Definition Updates\'
condition: selection and ( suspicious1 or all of suspicious2* ) and not 1 of filter_*
falsepositives:
- Unknown