security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update posh_ps_tamper_defender_remove_mppreference.yml

Browse Source
This commit is contained in:
Nasreddine Bencherchali
2022-08-05 18:45:44 +01:00
parent b4472132a4
commit b6bac087ef
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
+2 -2
View File
@@ -15,9 +15,9 @@ logsource:
definition: Script block logging must be enabled
detection:
selection_remove:
CommandLine|contains: 'Remove-MpPreference'
ScriptBlockText|contains: 'Remove-MpPreference'
selection_tamper:
CommandLine|contains:
ScriptBlockText|contains:
- '-ControlledFolderAccessProtectedFolders '
- '-AttackSurfaceReductionRules_Ids '
- '-AttackSurfaceReductionRules_Actions '