diff --git a/rules/windows/builtin/system/win_susp_service_installation.yml b/rules/windows/builtin/system/win_susp_service_installation.yml
index fdccfcfbd..acacd0ad9 100644
--- a/rules/windows/builtin/system/win_susp_service_installation.yml
+++ b/rules/windows/builtin/system/win_susp_service_installation.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious service installation commands
 author: pH-T
 date: 2022/03/18
-modified: 2022/03/24
+modified: 2022/05/02
 logsource:
     product: windows
     service: system
@@ -35,7 +35,9 @@ detection:
             - ' IAB' # PowerShell encoded commands
             - ' PAA' # PowerShell encoded commands
             - ' aQBlAHgA' # PowerShell encoded commands
-    condition: selection and ( suspicious1 or all of suspicious2* )
+    filter_thor_remote:
+        ImagePath|startswith: 'C:\WINDOWS\TEMP\thor10-remote\thor64.exe'
+    condition: selection and ( suspicious1 or all of suspicious2* ) and not 1 of filter_*
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/builtin/system/win_system_defender_disabled.yml b/rules/windows/builtin/system/win_system_defender_disabled.yml
index 114e701d5..c830d0b07 100644
--- a/rules/windows/builtin/system/win_system_defender_disabled.yml
+++ b/rules/windows/builtin/system/win_system_defender_disabled.yml
@@ -5,7 +5,7 @@ related:
     type: derived
 description: Detects disabling Windows Defender threat protection
 date: 2020/07/28
-modified: 2021/11/22
+modified: 2022/05/02
 author: Ján Trenčanský, frack113
 references:
     - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
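Review bot: The new `filter_thor_remote` exclusion is a prefix match on an ImagePath under `C:\WINDOWS\TEMP`, so it suppresses the alert for any service whose image path merely begins with that string, regardless of which of the flagged arguments follow it — the exclusion is broader than the single legitimate THOR deployment it is meant to cover. If the exclusion has to stay, narrow it so it cannot swallow the flagged argument patterns (for example match the full expected command line rather than a prefix), and record the rationale in the rule so maintainers can reassess it, e.g. `filter_thor_remote:  # THOR remote scanner deploys its service binary from this temp path; re-evaluate if the deployment path changes`. The `detection` block and the `selection`/`suspicious*` definitions the condition refers to start outside this hunk.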
@@ -21,11 +21,12 @@ detection:
     Selection:
         EventID: 7036
         Provider_Name: 'Service Control Manager'
-        param1:
+        param1:
             - 'Windows Defender Antivirus Service'
             - 'Service antivirus Microsoft Defender' #French OS
         param2: 'stopped'
     condition: Selection
 falsepositives:
     - Administrator actions
-level: high
\ No newline at end of file
+    - Auto updates of Windows Defender causes restarts
+level: low
\ No newline at end of file
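Review bot: Dropping the level from high straight to low effectively removes this rule from most triage queues, while a Defender service stop (EventID 7036, param2 `stopped`) that is not followed by a restart is still a meaningful signal; the new false-positive entry explains the noise but not why the rule should lose all weight. Consider medium instead, and document the reasoning next to the new entry, e.g. `- Auto updates of Windows Defender cause restarts  # brief stop/start during platform updates; check for a matching start event before escalating`, which also fixes the subject–verb agreement in the added line. The `param1:` line appears to change only in trailing whitespace, which adds noise to the diff without changing the rule.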