From 850d4fcd50d051fbcd21733be500ce2d9c460482 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 00:20:56 +0100 Subject: [PATCH] feat: update windefend rules --- .../windefend/win_defender_amsi_trigger.yml | 2 +- .../windefend/win_defender_disabled.yml | 14 +++---- .../windefend/win_defender_exclusions.yml | 10 ++--- .../win_defender_exploit_guard_tamper.yml | 15 ++++---- .../windefend/win_defender_history_delete.yml | 7 ++-- .../win_defender_restored_quarantine_file.yml | 21 ++++++++++ ...defender_suspicious_features_tampering.yml | 38 +++++++++++++++++++ ...win_defender_tamper_protection_trigger.yml | 20 +++++++--- .../builtin/windefend/win_defender_threat.yml | 8 ++-- 9 files changed, 101 insertions(+), 34 deletions(-) create mode 100644 rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml create mode 100644 rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml diff --git a/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml index 9f80f5e71..1f80579fe 100644 --- a/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml +++ b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml @@ -15,7 +15,7 @@ logsource: service: windefend detection: selection: - EventID: 1116 + EventID: 1116 # The antimalware platform detected malware or other potentially unwanted software. Source_Name: 'AMSI' condition: selection falsepositives: diff --git a/rules/windows/builtin/windefend/win_defender_disabled.yml b/rules/windows/builtin/windefend/win_defender_disabled.yml index 7791cd210..432ddf5d0 100644 --- a/rules/windows/builtin/windefend/win_defender_disabled.yml +++ b/rules/windows/builtin/windefend/win_defender_disabled.yml @@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md author: Ján Trenčanský, frack113 date: 2020/07/28 -modified: 2022/05/06 +modified: 2022/12/06 tags: - attack.defense_evasion - attack.t1562.001 @@ -17,11 +17,11 @@ logsource: detection: selection: EventID: - - 5001 - - 5010 - - 5012 - - 5101 + - 5001 # Real-time protection is disabled. + - 5010 # Scanning for malware and other potentially unwanted software is disabled. + - 5012 # Scanning for viruses is disabled. + - 5101 # The antimalware platform is expired. condition: selection falsepositives: - - Administrator actions -level: low + - Administrator actions (should be investigated) +level: high diff --git a/rules/windows/builtin/windefend/win_defender_exclusions.yml b/rules/windows/builtin/windefend/win_defender_exclusions.yml index 37b8c1c4d..580404ce4 100644 --- a/rules/windows/builtin/windefend/win_defender_exclusions.yml +++ b/rules/windows/builtin/windefend/win_defender_exclusions.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/_nullbind/status/1204923340810543109 author: Christian Burkard date: 2021/07/06 -modified: 2022/02/02 +modified: 2022/12/06 tags: - attack.defense_evasion - attack.t1562.001 @@ -14,10 +14,10 @@ logsource: product: windows service: windefend detection: - selection1: - EventID: 5007 - NewValue|contains: '\Microsoft\Windows Defender\Exclusions' - condition: selection1 + selection: + EventID: 5007 # The antimalware platform configuration changed. + New_Value|contains: '\Microsoft\Windows Defender\Exclusions' + condition: selection falsepositives: - Administrator actions level: medium diff --git a/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml b/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml index 4840c3746..c2924356e 100644 --- a/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml +++ b/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml @@ -6,18 +6,19 @@ references: - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088 author: Nasreddine Bencherchali date: 2022/08/05 +modified: 2022/12/06 tags: - - attack.execution - - attack.t1059 + - attack.defense_evasion + - attack.t1562.001 logsource: product: windows service: windefend detection: allowed_apps_key: - EventID: 5007 - NewValue|contains: '\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\' + EventID: 5007 # The antimalware platform configuration changed. + New_Value|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\' allowed_apps_path: - NewValue|contains: + New_Value|contains: # Add more paths you don't allow in your org - '\Users\Public\' - '\AppData\Local\Temp\' @@ -25,9 +26,9 @@ detection: - '\PerfLogs\' - '\Windows\Temp\' protected_folders: - EventID: 5007 + EventID: 5007 # The antimalware platform configuration changed. # This will trigger on any folder removal. If you experience FP's then add another selection with specific paths - OldValue|contains: '\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\' + Old_Value|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\' condition: all of allowed_apps* or protected_folders falsepositives: - Unlikely diff --git a/rules/windows/builtin/windefend/win_defender_history_delete.yml b/rules/windows/builtin/windefend/win_defender_history_delete.yml index 0cfba55f8..8a0b8629b 100644 --- a/rules/windows/builtin/windefend/win_defender_history_delete.yml +++ b/rules/windows/builtin/windefend/win_defender_history_delete.yml @@ -4,23 +4,22 @@ status: test description: Windows Defender logs when the history of detected infections is deleted. Log file will contain the message "Windows Defender Antivirus has removed history of malware and other potentially unwanted software". references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus + - https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e author: Cian Heasley date: 2020/08/13 modified: 2022/10/09 tags: - attack.defense_evasion - - attack.t1070.001 logsource: product: windows service: windefend detection: selection: - EventID: 1013 - EventType: 4 + EventID: 1013 # The antimalware platform deleted history of malware and other potentially unwanted software. condition: selection fields: - EventID - EventType falsepositives: - Deletion of Defender malware detections history for legitimate reasons -level: high +level: low diff --git a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml new file mode 100644 index 000000000..d997b9ae7 --- /dev/null +++ b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml @@ -0,0 +1,21 @@ +title: Win Defender Restored Quarantine File +id: 57b649ef-ff42-4fb0-8bf6-62da243a1708 +status: experimental +description: Detects the restoration of files from the defender quarantine +references: + - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide +author: Nasreddine Bencherchali +date: 2022/12/06 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + product: windows + service: windefend +detection: + selection: + EventID: 1009 # The antimalware platform restored an item from quarantine. + condition: selection +falsepositives: + - Legitimate administrator activity restoring a file +level: high diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml new file mode 100644 index 000000000..49431e1f1 --- /dev/null +++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml @@ -0,0 +1,38 @@ +title: Windows Defender Suspicious Configuration Changes +id: 57b649ef-ff42-4fb0-8bf6-62da243a1708 +related: + - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f + type: similar + - id: a3ab73f1-bd46-4319-8f06-4b20d0617886 + type: similar +status: stable +description: Detects suspicious changes to the windows defender configuration +references: + - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide + - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware +author: Nasreddine Bencherchali +date: 2022/12/06 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + product: windows + service: windefend +detection: + selection: + EventID: 5007 # The antimalware platform configuration changed. + New_Value|contains: + # TODO: Add more suspicious values + - '\Windows Defender\DisableAntiSpyware' + - '\Windows Defender\Features\TamperProtection' + - '\Windows Defender\Scan\DisableRemovableDriveScanning' + - '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan' + - '\Windows Defender\SpyNet\DisableBlockAtFirstSeen' + - '\Real-Time Protection\SpyNetReporting' + - '\Real-Time Protection\SubmitSamplesConsent' + # Exclusions changes are covered in 1321dc4e-a1fe-481d-a016-52c45f0c8b4f + # Exploit guard changes are covered in a3ab73f1-bd46-4319-8f06-4b20d0617886 + condition: selection +falsepositives: + - Administrator activity (must be investigated) +level: high diff --git a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml index 5c7202a37..887b9ac52 100644 --- a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml +++ b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml @@ -1,11 +1,13 @@ title: Microsoft Defender Tamper Protection Trigger id: 49e5bc24-8b86-49f1-b743-535f332c2856 status: stable -description: Detects block of attempt to disable real time protection of Microsoft Defender by tamper protection +description: Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring" references: - https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection -author: Bhabesh Raj + - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide +author: Bhabesh Raj, Nasreddine Bencherchali date: 2021/07/05 +modified: 2022/12/06 tags: - attack.defense_evasion - attack.t1562.001 @@ -14,11 +16,17 @@ logsource: service: windefend detection: selection: - EventID: 5013 + EventID: 5013 # Tamper protection blocked a change to Microsoft Defender Antivirus. If Tamper protection is enabled then, any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked. Value|endswith: - - '\Windows Defender\DisableAntiSpyware = 0x1()' - - '\Real-Time Protection\DisableRealtimeMonitoring = (Current)' + - '\Windows Defender\DisableAntiSpyware' + - '\Windows Defender\DisableAntiVirus' + - '\Windows Defender\Scan\DisableArchiveScanning' + - '\Windows Defender\Scan\DisableScanningNetworkFiles' + - '\Real-Time Protection\DisableRealtimeMonitoring' + - '\Real-Time Protection\DisableBehaviorMonitoring' + - '\Real-Time Protection\DisableIOAVProtection' + - '\Real-Time Protection\DisableScriptScanning' condition: selection falsepositives: - - Administrator actions + - Administrator might try to disable defender features during testing (must be investigated) level: high diff --git a/rules/windows/builtin/windefend/win_defender_threat.yml b/rules/windows/builtin/windefend/win_defender_threat.yml index e2bdd262e..4e917229c 100644 --- a/rules/windows/builtin/windefend/win_defender_threat.yml +++ b/rules/windows/builtin/windefend/win_defender_threat.yml @@ -15,10 +15,10 @@ logsource: detection: selection: EventID: - - 1006 - - 1116 - - 1015 - - 1117 + - 1006 # The antimalware engine found malware or other potentially unwanted software. + - 1116 # The antimalware platform detected malware or other potentially unwanted software. + - 1015 # The antimalware platform detected suspicious behavior. + - 1117 # he antimalware platform performed an action to protect your system from malware or other potentially unwanted software. condition: selection falsepositives: - Unlikely