redcanaryco / atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK.
MIT License

Add new atomic - T1518.001.yaml #2965

Closed krdmnbrk closed 2 weeks ago

krdmnbrk commented 3 weeks ago

Details: This update adds a new atomic test to execute a WMIC command that retrieves Windows Defender exclusion settings. It helps simulate how attackers might identify configurations that disable real-time monitoring or specify excluded paths, file types, and processes.

Testing: Tested on a local Windows machine, confirming that the WMIC command correctly retrieves the desired configuration details without errors. Screenshot below.

[screenshot]
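As an added example (not the PR's T1518.001 test and not atomic-red-team code), the following shows the kind of WMIC query the description refers to, its CIM equivalent for hosts where wmic.exe has been removed, and a minimal command-line detection that would catch either. The namespace root\Microsoft\Windows\Defender, the class MSFT_MpPreference and the properties ExclusionPath, ExclusionExtension, ExclusionProcess and DisableRealtimeMonitoring are the documented Defender WMI interface; the exact argument order in the merged test, the function names and the sample command lines below are assumptions constructed for this example.

```powershell
# Added example, not the PR's atomic test or any atomic-red-team code.
# Part 1: the discovery query. MSFT_MpPreference under root\Microsoft\Windows\Defender
# exposes the exclusion lists and the real-time monitoring switch. The exact
# command in the merged test may differ; this is the commonly used form.
$wmicQuery = 'wmic /Namespace:\\root\Microsoft\Windows\Defender Path MSFT_MpPreference get ExclusionPath,ExclusionExtension,ExclusionProcess,DisableRealtimeMonitoring /format:list'

# wmic.exe is deprecated and absent on some recent builds, so guard the call.
if (Get-Command wmic.exe -ErrorAction SilentlyContinue) {
    & cmd.exe /c $wmicQuery
}

# Same class read through CIM; useful as the defender-side audit of what is excluded.
function Get-DefenderExclusionSummary {
    $p = Get-CimInstance -Namespace 'root/Microsoft/Windows/Defender' -ClassName MSFT_MpPreference
    [pscustomobject]@{
        RealtimeDisabled   = [bool]$p.DisableRealtimeMonitoring
        ExclusionPath      = @($p.ExclusionPath)
        ExclusionExtension = @($p.ExclusionExtension)
        ExclusionProcess   = @($p.ExclusionProcess)
    }
}

# Part 2: detection over process-creation command lines (Sysmon Event ID 1 or
# Security 4688 with command-line logging enabled). Fires on any reference to the
# Defender WMI namespace or class, or on the Get-MpPreference cmdlet, regardless of
# whether wmic.exe, Get-CimInstance or Get-WmiObject issued it. -match is
# case-insensitive by default; [\\/]+ tolerates both path separators.
function Test-DefenderDiscoveryCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    return ($CommandLine -match 'root[\\/]+Microsoft[\\/]+Windows[\\/]+Defender' -or
            $CommandLine -match 'MSFT_MpPreference' -or
            $CommandLine -match 'Get-MpPreference')
}

# Constructed sample command lines (not real telemetry).
$samples = @(
    $wmicQuery,                                                                  # should fire
    'powershell.exe -nop -c "Get-CimInstance -Namespace root/Microsoft/Windows/Defender -ClassName MSFT_MpPreference"',  # should fire
    'powershell.exe -c "Get-MpPreference | Select ExclusionPath"',               # should fire
    'wmic process get name,commandline',                                         # benign WMIC use, should not fire
    'notepad.exe C:\Users\bob\notes.txt'                                         # should not fire
)
foreach ($cmd in $samples) {
    '{0,-5} {1}' -f (Test-DefenderDiscoveryCommandLine -CommandLine $cmd), $cmd
}
```

The detection is deliberately narrow: it keys on the Defender namespace and class rather than on wmic.exe itself, so ordinary WMIC inventory commands stay quiet while the PowerShell and CIM variants of the same discovery are still caught. Expect some noise from management agents that legitimately read MSFT_MpPreference; tune by parent process rather than by loosening the pattern.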

patel-bhavin commented 2 weeks ago

Great contribution @krdmnbrk !