From b97069c3e9752cc0f42c5b37566912aea97c5da3 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Fri, 28 Jun 2024 08:16:11 +0100
Subject: [PATCH] Update defense_evasion_microsoft_defender_tampering.toml (#3840)

Co-authored-by: Mika Ayenson
---
 .../defense_evasion_microsoft_defender_tampering.toml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
index 013245ca2..85b1a7dc0 100644
--- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml
+++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/27"
 
 [rule]
 author = ["Austin Songer"]
@@ -88,6 +88,12 @@ type = "eql"
 
 query = '''
 registry where host.os.type == "windows" and event.type in ("creation", "change") and
+ process.executable != null and
+ not process.executable :
+ ("?:\\Windows\\system32\\svchost.exe",
+ "?:\\Windows\\CCM\\CcmExec.exe",
+ "?:\\Windows\\System32\\DeviceEnroller.exe",
+ "?:\\Program Files (x86)\\Trend Micro\\Security Agent\\tmuninst.exe") and
 (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\PUAProtection" and
 registry.data.strings : ("0", "0x00000000")) or
 (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\\DisallowExploitProtectionOverride" and
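Review bot: The new `process.executable` exclusion only gates the first `registry.path` alternative, because EQL's `and` binds tighter than `or` and the chain `(... PUAProtection ...) or (... DisallowExploitProtectionOverride ...)` that follows the added lines is not parenthesized as a single group, so every branch after the first `or` still fires for svchost.exe and the other listed executables (the pre-existing `host.os.type`/`event.type` guards have the same reach for the same reason). Grouping the alternatives fixes it: change `(registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\PUAProtection" and` to `((registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\PUAProtection" and` and add the matching `)` after the last alternative, just before the closing `'''`, which lies outside this hunk. Excluding by executable path alone also creates a blind spot for anything that runs under one of those four paths; pairing the list with `process.code_signature.trusted == true` would keep the noise reduction while limiting it to signed binaries, assuming the endpoint data carries that field. A minor style point: `system32` and `System32` are spelled inconsistently across the list; `:` is case-insensitive so it is harmless, but one spelling reads better. The remainder of the query string is outside the hunk.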