From 94675a63dbe98ca1bd4c51948e691ac67f1726dc Mon Sep 17 00:00:00 2001
From: Gameel Ali
Date: Tue, 31 Dec 2024 03:11:54 -0800
Subject: [PATCH] Update proc_creation_win_reg_windows_defender_tamper.yml

---
 .../proc_creation_win_reg_windows_defender_tamper.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml b/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml
index 0454906c711..20cf82f00e3 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml
@@ -6,9 +6,10 @@ references:
 - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
 - https://github.com/swagkarna/Defeat-Defender-V1.2.0
 - https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2
+ - https://tria.ge/241231-j9yatstqbm/behavioral1
 author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
 date: 2022-03-22
-modified: 2023-06-05
+modified: 2024-12-31
 tags:
 - attack.defense-evasion
 - attack.t1562.001
@@ -59,6 +60,11 @@ detection:
 - 'DisableScriptScanning'
 - 'Notification_Suppress'
 - 'SignatureDisableUpdateOnStartupWithoutEngine'
+ - 'DisableCloudProtection'
+ - 'DisableNetworkProtection'
+ - 'DisableAntiVirusSignatures'
+ - 'DisableAccess'
+ - 'DisableSecurityCenter'
 condition: all of selection_root_* and 1 of selection_dword_*
 falsepositives:
 - Rare legitimate use by administrators to test software (should always be investigated)
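Review bot: The five value names appended to the selection_dword list (`'DisableCloudProtection'` through `'DisableSecurityCenter'`) arrive with no indication of which Defender policy key each belongs to or which of them the tria.ge behavioral report actually exercised, so a maintainer cannot tell whether a name such as `DisableAccess` is a documented Defender value or a string seen once in one sample. Because the unchanged condition `all of selection_root_* and 1 of selection_dword_*` fires on any single match, each added name should be checked against Microsoft's documented Defender policy values before it is kept, and the observed command line is worth recording in the rule's description so the rationale survives if the sandbox link expires. The short token `DisableAccess` is the one most likely to overlap unrelated registry writes if the selection uses a `contains` modifier; the selection_dword and selection_root definitions start above this hunk, so that is inferred rather than visible. The references hunk itself only needs the new URL, but a sandbox report is less durable than the other cited sources, which is another reason to capture the specifics in the rule text.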