From 979502921feff32e1fe81fbab0087abdf6fb0a4c Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Wed, 28 Sep 2022 06:23:50 +0900
Subject: [PATCH 1/2] define security-mitigations service

---
 .../win_security_mitigations_defender_load_unsigned_dll.yml | 2 +-
 ..._security_mitigations_unsigned_dll_from_susp_location.yml | 2 +-
 tools/config/generic/windows-services.yml | 5 +++++
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml
index e1cdc5070..12ae57714 100644
--- a/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml
+++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml
@@ -12,7 +12,7 @@ tags:
 - attack.t1574.002
 logsource:
 product: windows
- category: security-mitigations
+ service: security-mitigations
 detection:
 selection:
 EventID:
diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml
index 6c202bf1c..f5e425899 100644
--- a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml
+++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml
@@ -12,7 +12,7 @@ tags:
 - attack.t1574.002
 logsource:
 product: windows
- category: security-mitigations
+ service: security-mitigations
 detection:
 selection:
 EventID:
diff --git a/tools/config/generic/windows-services.yml b/tools/config/generic/windows-services.yml
index 0ca38a90f..11bc25aa4 100644
--- a/tools/config/generic/windows-services.yml
+++ b/tools/config/generic/windows-services.yml
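Review bot: The rule's `logsource` now points at `service: security-mitigations`, a service identifier that, from what this series shows, is defined only in `tools/config/generic/windows-services.yml`, and the rule carries no `definition:` telling an analyst which Windows event channels must be collected before it can fire. Consider adding under `logsource` a line such as `definition: 'Requires the Microsoft-Windows-Security-Mitigations event channels to be collected'`; the provider appears to write to channels that are not forwarded by default (confirm against the provider CSV the sibling rule references). The same documentation point applies to the second hunk, `win_security_mitigations_unsigned_dll_from_susp_location.yml`. The rule's `detection` block continues outside the hunk, so I can't check the `EventID` values here.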
@@ -176,3 +176,8 @@ logsources:
 service: shell-core
 conditions:
 Channel: 'Microsoft-Windows-Shell-Core/Operational'
+ security-mitigations:
+ product: windows
+ service: security-mitigations
+ conditions:
+ Provider_Name: 'Microsoft-Windows-Security-Mitigations'
\ No newline at end of file
From e44e01e106bc673848269ae061842e465d6fba86 Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Wed, 28 Sep 2022 06:32:34 +0900
Subject: [PATCH 2/2] update modified tag

---
 .../win_security_mitigations_defender_load_unsigned_dll.yml | 2 +-
 ...win_security_mitigations_unsigned_dll_from_susp_location.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml
index 12ae57714..aa7d64829 100644
--- a/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml
+++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml
@@ -6,7 +6,7 @@ references:
 - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
 author: Bhabesh Raj
 date: 2022/08/02
-modified: 2022/08/05
+modified: 2022/09/28
 tags:
 - attack.defense_evasion
 - attack.t1574.002
diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml
index f5e425899..5e2c4ddce 100644
--- a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml
+++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml
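Review bot: The new `security-mitigations` entry keys its `conditions` on `Provider_Name`, whereas the visible `shell-core` neighbour keys on `Channel`; a backend whose Windows service mapping only understands `Channel` would then emit a query that never matches, so the deviation should be explained in the file. If the reason is that this provider writes to more than one channel, say so above the entry: `# Keyed on Provider_Name rather than Channel: the provider's events are split across its KernelMode and UserMode channels` (confirm the channel names before committing the comment). The added last line also drops the file's trailing newline (`\ No newline at end of file` follows it) which the old last line had; restore it. Other backend configs under `tools/config/` that define Windows services are not in this series, so if any of them is used to convert the two rules it will presumably need the same entry — I can't see those files from here.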
@@ -6,7 +6,7 @@ references:
 - https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv
 author: Nasreddine Bencherchali
 date: 2022/08/03
-modified: 2022/08/05
+modified: 2022/09/28
 tags:
 - attack.defense_evasion
 - attack.t1574.002