From 43f0d7703398fe67278fc98c716fa31a3ede1899 Mon Sep 17 00:00:00 2001
From: LaZyDK
Date: Tue, 5 Oct 2021 21:38:01 +0200
Subject: [PATCH] Update defense_evasion_execution_windefend_unusual_path.toml (#1492)

* Update defense_evasion_execution_windefend_unusual_path.toml

Add Microsoft Security Client to exclusions.

* Update defense_evasion_execution_windefend_unusual_path.toml

Update updated_date

* Updated author

Co-authored-by: Justin Ibarra
Co-authored-by: Jonhnathan
---
 .../defense_evasion_execution_windefend_unusual_path.toml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
index cbafe1dea..9e716b1d8 100644
--- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
+++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/07/07"
 maturity = "production"
-updated_date = "2021/07/07"
+updated_date = "2021/09/22"
 
 [rule]
-author = ["Elastic"]
+author = ["Elastic", "Dennis Perto"]
 description = """
 Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade
@@ -32,7 +32,9 @@ process where event.type == "start" and
 (process.name : "MsMpEng.exe" and not process.executable :
 ("?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe",
 "?:\\Program Files\\Windows Defender\\*.exe",
-"?:\\Program Files (x86)\\Windows Defender\\*.exe"))
+"?:\\Program Files (x86)\\Windows Defender\\*.exe",
+"?:\\Program Files\\Microsoft Security Client\\*.exe",
+"?:\\Program Files (x86)\\Microsoft Security Client\\*.exe"))
 '''
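Review bot: The two added `Microsoft Security Client` exclusions in the second hunk allowlist any `*.exe` under those directories on the strength of the path alone, so an `MsMpEng.exe` placed there on a host that never had that product installed is now excluded from the detection; if the rule's index populates the ECS code-signature fields, consider requiring the excluded binary to also carry a trusted signature (`process.code_signature.trusted == true` together with a `process.code_signature.subject_name` match on the expected Microsoft signer) rather than extending the bare path list. The rationale for the new paths is also undocumented: `Program Files\Microsoft Security Client` appears to be the Microsoft Security Essentials / System Center Endpoint Protection install location, which is worth stating in the rule's `note` or `false_positives` field (outside this hunk) so a later reviewer does not treat it as a stray entry. The enclosing `query = '''` literal starts outside the hunk.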