msnriggs

SYSMON CMD detection rule detecting Windows Defender execution on MpCmdRun.exe

3

https://github.com/beave/sagan-rules/blob/6f87a80f7a1662e6fd90bc75f891c1c0637c6e7e/windows-sysmon.rules#L86 Seems to detect 1: Process Create: RuleName: UtcTime: 2019-01-08 03:18:51.728 ProcessGuid: {872FCC10-169B-5C34-0000-001066122B00} ProcessId: 6716 Image: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1812.3-0\MpCmdRun.exe FileVersion: 4.18.1812.3 (GitEnlistment(winpbld).181121-1313) Description: Microsoft Malware Protection Command Line Utility Product: Microsoft?...