LoFP / legitimate administrator activity restoring a file

Techniques

• t1562
• t1562.001

Sample rules

Win Defender Restored Quarantine File

• source: sigma
• technicques:
  • t1562
  • t1562.001

Description

Detects the restoration of files from the defender quarantine

Detection logic

condition: selection
selection:
  EventID: 1009