split global win_defender_exclusions.yml

This commit is contained in:
frack113 2021-09-21 10:16:25 +02:00
parent 318f8b714e
commit 2b23118b0d
2 changed files with 33 additions and 16 deletions


@ -1,7 +1,8 @@
action: global
title: Windows Defender Exclusions Added
id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
description: Detects the Setting of Windows Defender Exclusions
date: 2021/07/06
modified: 2021/09/21
author: Christian Burkard
references:
- https://twitter.com/_nullbind/status/1204923340810543109
@ -10,11 +11,6 @@ tags:
- attack.defense_evasion
- attack.t1089 # an old one
- attack.t1562.001
falsepositives:
- Administrator actions
level: medium
---
id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
logsource:
product: windows
service: windefend
@ -23,13 +19,6 @@ detection:
EventID: 5007
New Value|contains: '\Microsoft\Windows Defender\Exclusions'
condition: selection1
---
id: a982fc9c-6333-4ffb-a51d-addb04e8b529
logsource:
product: windows
category: registry_event
detection:
selection2:
EventID: 13
TargetObject|contains: '\Microsoft\Windows Defender\Exclusions'
condition: selection2
falsepositives:
- Administrator actions
level: medium
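Review bot: After the split this file keeps `action: global` plus a `---`-separated second document for only one remaining rule, so the collection wrapper now just repeats `id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f` in both documents (first and third hunk). If the file is meant to stay a single-rule file, flatten it into a plain rule: drop `action: global`, the `---` line and the second `id:` line, and keep `logsource`/`detection` in the one document. If the global wrapper is kept deliberately for rules to be added later, a one-line comment above `action: global` saying so would spare the next reader the same question. Indentation is not visible on this rendered page, so the nesting of the second document's keys cannot be checked here.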


@ -0,0 +1,28 @@
title: Windows Defender Exclusions Added
id: a982fc9c-6333-4ffb-a51d-addb04e8b529
related:
- id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
type: derived
description: Detects the Setting of Windows Defender Exclusions
date: 2021/07/06
modified: 2021/09/21
author: Christian Burkard
references:
- https://twitter.com/_nullbind/status/1204923340810543109
status: test
tags:
- attack.defense_evasion
- attack.t1089 # an old one
- attack.t1562.001
logsource:
product: windows
category: registry_event
detection:
selection2:
#EventID: 13
EventType: SetValue
TargetObject|contains: '\Microsoft\Windows Defender\Exclusions'
condition: selection2
falsepositives:
- Administrator actions
level: medium
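Review bot: The new rule leaves a dead `#EventID: 13` line inside `selection2` directly above `EventType: SetValue`; a commented-out field in a detection block is easily mistaken for an active condition and should either be deleted or turned into a why-comment such as `# registry_event already scopes to registry events; SetValue narrows to value writes` (with a space after `#`, as yamllint's comments rule expects). The carried-over `- attack.t1089 # an old one` keeps a superseded technique tag next to `attack.t1562.001`; if both are intentional, the comment should state that rather than "an old one". `related` with `type: derived` pointing at `1321dc4e-a1fe-481d-a016-52c45f0c8b4f` looks appropriate for a rule split out of a collection, assuming that collection id is unchanged elsewhere in the commit.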