mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
fix: fixing issues
This commit is contained in:
parent
9828d7f81d
commit
0a4d32c7c7
@ -1,24 +1,26 @@
|
||||
title: Bypass Windows Defender
|
||||
description: 'Detects scenarios where an windows defender exclusion was added in registry
|
||||
where an entity would want to bypass antivirus scanning from windows defender
|
||||
title: Windows Defender Exclusion Set
|
||||
id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
|
||||
description: 'Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender'
|
||||
references:
|
||||
- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1089
|
||||
author: '@BarryShooshooga'
|
||||
author: "@BarryShooshooga"
|
||||
date: 2019/10/26
|
||||
logsource:
|
||||
product: windows
|
||||
service: security
|
||||
definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
|
||||
detection:
|
||||
selection:
|
||||
EventID: 4657
|
||||
EventID: 4656
|
||||
EventID: 4660
|
||||
EventID: 4663
|
||||
ObjectName|startswith: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\'
|
||||
EventID:
|
||||
- 4657
|
||||
- 4656
|
||||
- 4660
|
||||
- 4663
|
||||
ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- intended inclusions by administrator
|
||||
- Intended inclusions by administrator
|
||||
level: high
|
||||
|
Loading…
Reference in New Issue
Block a user