Forked from frcolumba/gist:5a2518684ed4e2b18a386fa3647d5629
Created
October 6, 2021 13:39
-
-
Save m0zgen/c10b92090c6365d7a1687e1a29cbe5c1 to your computer and use it in GitHub Desktop.
Windows Defender ASR in OSSEC
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| If you don't have an E5 subscription, run 1709 in your environment, and use OSSEC, you can quickly add the new ASR features | |
| to your alerting and reports since you don't have access to the Defender console thingy. | |
| The event reference is here: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard#list-of-all-windows-defender-exploit-guard-events | |
| All your need to do is add: | |
| <localfile> | |
| <location>Microsoft-Windows-Windows Defender/Operational</location> | |
| <log_format>eventchannel</log_format> | |
| </localfile> | |
| To your ossec.conf (and really you should create a subscription for these events in a WEF collector) | |
| Make sure your ossec understands informational events (in my case I'm using sid 18101) and then use these rules in your | |
| local_rules.xml | |
| <rule id="182684" level="12"> | |
| <if_sid>18101</if_sid> | |
| <id>^1123</id> | |
| <description>Defender - Controlled Folder Access Block</description> | |
| </rule> | |
| <rule id="182685" level="12"> | |
| <if_sid>18101</if_sid> | |
| <id>^1124</id> | |
| <description>Defender - Controlled Folder Access Audit</description> | |
| </rule> | |
| <rule id="182686" level="12"> | |
| <if_sid>18101</if_sid> | |
| <id>^1122</id> | |
| <description>Defender - ASR Audit</description> | |
| </rule> | |
| <rule id="182687" level="12"> | |
| <if_sid>18101</if_sid> | |
| <id>^1121</id> | |
| <description>Defender - ASR Block</description> | |
| </rule> | |
| <rule id="182688" level="12"> | |
| <if_sid>18101</if_sid> | |
| <id>^1126</id> | |
| <description>Defender - Network Protection Block</description> | |
| </rule> | |
| <rule id="182689" level="12"> | |
| <if_sid>18101</if_sid> | |
| <id>^1125</id> | |
| <description>Defender - Network Protection Audit</description> | |
| </rule> | |
| This is a test event you can use to debug using ossec-logtest for 1122 | |
| 2018 Feb 06 14:40:36 WinEvtLog: Microsoft-Windows-Windows Defender/Operational: Informational(1122): Microsoft-Windows-Windows Defender: AUser: MY-DOMAIN: it-auser.my-domain.whatever: Windows Defender Antivirus audited an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 Detection time: 2018-02-06T19:41:08.137Z User: MY-DOMAIN\AUser | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment