feat: update windefend rules

2022-12-07 00:20:56 +01:00
parent 1091b83d59
commit 850d4fcd50
9 changed files with 101 additions and 34 deletions
@@ -15,7 +15,7 @@ logsource:
    service: windefend
 detection:
    selection:
-        EventID: 1116
+        EventID: 1116 # The antimalware platform detected malware or other potentially unwanted software.
        Source_Name: 'AMSI'
    condition: selection
 falsepositives:
@@ -7,7 +7,7 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: Ján Trenčanský, frack113
 date: 2020/07/28
-modified: 2022/05/06
+modified: 2022/12/06
 tags:
    - attack.defense_evasion
    - attack.t1562.001
@@ -17,11 +17,11 @@ logsource:
 detection:
    selection:
        EventID:
-            - 5001
-            - 5010
-            - 5012
-            - 5101
+            - 5001 # Real-time protection is disabled.
+            - 5010 # Scanning for malware and other potentially unwanted software is disabled.
+            - 5012 # Scanning for viruses is disabled.
+            - 5101 # The antimalware platform is expired.
    condition: selection
 falsepositives:
-    - Administrator actions
-level: low
+    - Administrator actions (should be investigated)
+level: high
@@ -6,7 +6,7 @@ references:
    - https://twitter.com/_nullbind/status/1204923340810543109
 author: Christian Burkard
 date: 2021/07/06
-modified: 2022/02/02
+modified: 2022/12/06
 tags:
    - attack.defense_evasion
    - attack.t1562.001
@@ -14,10 +14,10 @@ logsource:
    product: windows
    service: windefend
 detection:
-    selection1:
-        EventID: 5007
-        NewValue|contains: '\Microsoft\Windows Defender\Exclusions'
-    condition: selection1
+    selection:
+        EventID: 5007 # The antimalware platform configuration changed.
+        New_Value|contains: '\Microsoft\Windows Defender\Exclusions'
+    condition: selection
 falsepositives:
    - Administrator actions
 level: medium
@@ -6,18 +6,19 @@ references:
    - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
 author: Nasreddine Bencherchali
 date: 2022/08/05
+modified: 2022/12/06
 tags:
-    - attack.execution
-    - attack.t1059
+    - attack.defense_evasion
+    - attack.t1562.001
 logsource:
    product: windows
    service: windefend
 detection:
    allowed_apps_key:
-        EventID: 5007
-        NewValue|contains: '\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\'
+        EventID: 5007 # The antimalware platform configuration changed.
+        New_Value|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\'
    allowed_apps_path:
-        NewValue|contains:
+        New_Value|contains:
            # Add more paths you don't allow in your org
            - '\Users\Public\'
            - '\AppData\Local\Temp\'
@@ -25,9 +26,9 @@ detection:
            - '\PerfLogs\'
            - '\Windows\Temp\'
    protected_folders:
-        EventID: 5007
+        EventID: 5007 # The antimalware platform configuration changed.
        # This will trigger on any folder removal. If you experience FP's then add another selection with specific paths
-        OldValue|contains: '\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\'
+        Old_Value|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\'
    condition: all of allowed_apps* or protected_folders
 falsepositives:
    - Unlikely
@@ -4,23 +4,22 @@ status: test
 description: Windows Defender logs when the history of detected infections is deleted. Log file will contain the message "Windows Defender Antivirus has removed history of malware and other potentially unwanted software".
 references:
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus
+    - https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e
 author: Cian Heasley
 date: 2020/08/13
 modified: 2022/10/09
 tags:
    - attack.defense_evasion
-    - attack.t1070.001
 logsource:
    product: windows
    service: windefend
 detection:
    selection:
-        EventID: 1013
-        EventType: 4
+        EventID: 1013 # The antimalware platform deleted history of malware and other potentially unwanted software.
    condition: selection
 fields:
    - EventID
    - EventType
 falsepositives:
    - Deletion of Defender malware detections history for legitimate reasons
-level: high
+level: low
@@ -0,0 +1,21 @@
+title: Win Defender Restored Quarantine File
+id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
+status: experimental
+description: Detects the restoration of files from the defender quarantine
+references:
+    - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
+author: Nasreddine Bencherchali
+date: 2022/12/06
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    product: windows
+    service: windefend
+detection:
+    selection:
+        EventID: 1009 # The antimalware platform restored an item from quarantine.
+    condition: selection
+falsepositives:
+    - Legitimate administrator activity restoring a file
+level: high
@@ -0,0 +1,38 @@
+title: Windows Defender Suspicious Configuration Changes
+id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
+related:
+    - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
+      type: similar
+    - id: a3ab73f1-bd46-4319-8f06-4b20d0617886
+      type: similar
+status: stable
+description: Detects suspicious changes to the windows defender configuration
+references:
+    - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
+    - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
+author: Nasreddine Bencherchali
+date: 2022/12/06
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    product: windows
+    service: windefend
+detection:
+    selection:
+        EventID: 5007 # The antimalware platform configuration changed.
+        New_Value|contains:
+            # TODO: Add more suspicious values
+            - '\Windows Defender\DisableAntiSpyware'
+            - '\Windows Defender\Features\TamperProtection'
+            - '\Windows Defender\Scan\DisableRemovableDriveScanning'
+            - '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan'
+            - '\Windows Defender\SpyNet\DisableBlockAtFirstSeen'
+            - '\Real-Time Protection\SpyNetReporting'
+            - '\Real-Time Protection\SubmitSamplesConsent'
+            # Exclusions changes are covered in 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
+            # Exploit guard changes are covered in a3ab73f1-bd46-4319-8f06-4b20d0617886
+    condition: selection
+falsepositives:
+    - Administrator activity (must be investigated)
+level: high
@@ -1,11 +1,13 @@
 title: Microsoft Defender Tamper Protection Trigger
 id: 49e5bc24-8b86-49f1-b743-535f332c2856
 status: stable
-description: Detects block of attempt to disable real time protection of Microsoft Defender by tamper protection
+description: Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"
 references:
    - https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
-author: Bhabesh Raj
+    - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
+author: Bhabesh Raj, Nasreddine Bencherchali
 date: 2021/07/05
+modified: 2022/12/06
 tags:
    - attack.defense_evasion
    - attack.t1562.001
@@ -14,11 +16,17 @@ logsource:
    service: windefend
 detection:
    selection:
-        EventID: 5013
+        EventID: 5013 # Tamper protection blocked a change to Microsoft Defender Antivirus. If Tamper protection is enabled then, any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked.
        Value|endswith:
-            - '\Windows Defender\DisableAntiSpyware = 0x1()'
-            - '\Real-Time Protection\DisableRealtimeMonitoring = (Current)'
+            - '\Windows Defender\DisableAntiSpyware'
+            - '\Windows Defender\DisableAntiVirus'
+            - '\Windows Defender\Scan\DisableArchiveScanning'
+            - '\Windows Defender\Scan\DisableScanningNetworkFiles'
+            - '\Real-Time Protection\DisableRealtimeMonitoring'
+            - '\Real-Time Protection\DisableBehaviorMonitoring'
+            - '\Real-Time Protection\DisableIOAVProtection'
+            - '\Real-Time Protection\DisableScriptScanning'
    condition: selection
 falsepositives:
-    - Administrator actions
+    - Administrator might try to disable defender features during testing (must be investigated)
 level: high
@@ -15,10 +15,10 @@ logsource:
 detection:
    selection:
        EventID:
-            - 1006
-            - 1116
-            - 1015
-            - 1117
+            - 1006 # The antimalware engine found malware or other potentially unwanted software.
+            - 1116 # The antimalware platform detected malware or other potentially unwanted software.
+            - 1015 # The antimalware platform detected suspicious behavior.
+            - 1117 # he antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
    condition: selection
 falsepositives:
    - Unlikely