Win Defender Restored Quarantine File

Severity: high
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects the restoration of files from the Windows Defender quarantine.

MITRE ATT&CK coverage

Tactic | Techniques
Defense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools

Event coverage

Provider | Event ID | Title
Windows-Defender | 1009

Stages and Predicates

Stage 1: selection