SwiftOnSecurity / sysmon-config

Sysmon configuration file template with default high-quality event tracing

Update the Antivirus Tampering configuration, using general condition #160

Open hieuttmmo opened 2 years ago

hieuttmmo commented 2 years ago

As mentioned in the DFIR Report, another technique might be used to disable the Defender Real-Time Protection mechanism. So in this PR, I want to use a general condition to monitor all changes in the Defender Registry Path.
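For readers who want to see what a "general condition" over the Defender registry path looks like in Sysmon's rule syntax, here is an illustrative rule group. It is an added example, not the diff from this PR and not text from the sysmon-config repository; the registry paths, the rule `name` values and the `begin with` prefix match are my assumptions about a reasonable shape for such a rule, not anything this page states.

```xml
<!-- Added example only; not the PR's actual diff. Assumes Sysmon RegistryEvent rules
     (Event IDs 12/13/14) and the well-known Defender registry locations. -->
<RuleGroup name="" groupRelation="or">
  <RegistryEvent onmatch="include">
    <!-- One prefix match covers every value under the Real-Time Protection key,
         so a newly abused value name is still recorded without a rule change. -->
    <TargetObject name="Defender realtime protection key (assumed path)"
                  condition="begin with">HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection</TargetObject>
    <!-- Group Policy mirror of the same settings; tampering often lands here instead. -->
    <TargetObject name="Defender realtime protection policy key (assumed path)"
                  condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection</TargetObject>
  </RegistryEvent>
</RuleGroup>
```

The trade-off against per-value rules is volume: a prefix match also logs legitimate writes by the Defender service and by management tooling, so in practice an `exclude` rule group keyed on the expected writer image (for example the Defender service binary) is usually paired with it, and the resulting Event ID 13 records are what a detection rule for Defender tampering alerts on.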

hieuttmmo commented 2 years ago

FYI: Already tested this config on my home-lab and it worked great.