fix: fixing issues

2024-11-07 17:58:52 +00:00 · 2020-01-30 10:07:24 +01:00 · 2020-01-30 10:07:24 +01:00 · 0a4d32c7c7
commit 0a4d32c7c7
parent 9828d7f81d
1 changed files with 12 additions and 10 deletions
--- a/rules/windows/other/win_defender_bypass.yml
+++ b/rules/windows/other/win_defender_bypass.yml
@ -1,24 +1,26 @@
-title: Bypass Windows Defender
-description: 'Detects scenarios where an windows defender exclusion was added in registry
-    where an entity would want to bypass antivirus scanning from windows defender
+title: Windows Defender Exclusion Set
+id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
+description: 'Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender'
 references:
    - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
 tags:
    - attack.defense_evasion
    - attack.t1089
-author: '@BarryShooshooga'
+author: "@BarryShooshooga"
+date: 2019/10/26
 logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
 detection:
    selection:
-        EventID: 4657
-        EventID: 4656
-        EventID: 4660
-        EventID: 4663
-        ObjectName|startswith: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\'
+        EventID: 
+            - 4657
+            - 4656
+            - 4660
+            - 4663
+        ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
    condition: selection
 falsepositives: 
-    - intended inclusions by administrator
+    - Intended inclusions by administrator
 level: high