sysmon-config
Update the Antivirus Tampering configuration using a general condition
As mentioned in the DFIR Report, other techniques might be used to disable the Defender Real-Time Protection mechanism. So in this PR, I want to use a general condition to monitor all changes in the Defender registry path.
- DFIR Report: https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- Disable Defender Script: https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
FYI: I have already tested this config on my home lab and it worked great.
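As an added illustration (not the PR's diff and not the project's own rule text), the fragment below contrasts the per-value approach with the general `begin with` condition described above; the exact registry paths, the `MsMpEng.exe` exclusion and the schema version are assumptions to check against the installed Sysmon and config.

```xml
<!-- Added example, not from sysmon-config. Schema version is an assumption; match it to your Sysmon. -->
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include">
        <!-- Narrow approach (constructed): one rule per known tampering value.
             Any value not listed here is never logged. -->
        <TargetObject name="T1562.001,Tamper-Defender" condition="is">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring</TargetObject>
        <TargetObject name="T1562.001,Tamper-Defender" condition="is">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring</TargetObject>
        <!-- General condition: any key or value set, created, deleted or renamed under the
             Defender paths (policy hive and product hive) is logged, whichever value is touched. -->
        <TargetObject name="T1562.001,Tamper-Defender" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\</TargetObject>
        <TargetObject name="T1562.001,Tamper-Defender" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows Defender\</TargetObject>
      </RegistryEvent>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="exclude">
        <!-- Defender's own engine writes under the product hive constantly (scan state, updates);
             excluding it keeps the general rule from flooding the log. Exclude rules win over include. -->
        <Image condition="end with">\MsMpEng.exe</Image>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Validate with `sysmon64 -c <config.xml>` and confirm Event ID 12/13/14 entries appear when a value under either path is changed, while routine engine writes stay excluded.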