
[Rule Tuning] Potential RemoteMonologue Attack - alerts about MS Defender #4942

@richlv

Description


Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_regmod_remotemonologue.toml

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

Rule "Potential RemoteMonologue Attack" frequently alerts about MS Defender activities.

Potentially useful values:

process.executable C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25060.7-0\MsMpEng.exe
registry.key SOFTWARE\Classes\AppID\{1111A26D-EF95-4A45-9F55-21E52ADF9887}
registry.path HKLM\SOFTWARE\Classes\AppID\{1111A26D-EF95-4A45-9F55-21E52ADF9887}\RunAs

process.Ext.code_signature.exists true
process.Ext.code_signature.status trusted
process.Ext.code_signature.subject_name Microsoft Windows Publisher
process.Ext.code_signature.trusted true
process.code_signature.exists true
process.code_signature.status trusted
process.code_signature.subject_name Microsoft Windows Publisher
process.code_signature.trusted true

Example Data

No response
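The field values listed in the report are enough to express a narrow exclusion. As an added illustration (not the rule's own EQL query, and not Elastic or Defender code), the Python below models the decision a tuned rule would make: keep alerting on AppID RunAs modifications, but suppress the event only when the writing process is MsMpEng.exe under the Defender Platform folder and carries a trusted Microsoft Windows Publisher signature. The flattened event dictionary, the version-agnostic path pattern and the function names are constructed for this example.

```python
import re
from typing import Any, Dict

# Constructed sample event (flattened ECS-style keys) mirroring the values in this issue.
DEFENDER_EVENT: Dict[str, Any] = {
    "process.executable": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25060.7-0\MsMpEng.exe",
    "registry.path": r"HKLM\SOFTWARE\Classes\AppID\{1111A26D-EF95-4A45-9F55-21E52ADF9887}\RunAs",
    "process.code_signature.exists": True,
    "process.code_signature.status": "trusted",
    "process.code_signature.subject_name": "Microsoft Windows Publisher",
    "process.code_signature.trusted": True,
}

# The Platform folder name is the engine version and changes with every Defender
# update, so the exclusion matches it with a wildcard rather than pinning 4.18.25060.7-0.
DEFENDER_PLATFORM_RE = re.compile(
    r"^C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\[^\\]+\\MsMpEng\.exe$",
    re.IGNORECASE,
)
# Registry paths the rule is interested in: the RunAs value under any AppID CLSID key.
APPID_RUNAS_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Classes\\AppID\\\{[0-9A-F-]+\}\\RunAs$", re.IGNORECASE
)


def is_runas_modification(event: Dict[str, Any]) -> bool:
    """True when the event writes an AppID RunAs value (what the rule looks for)."""
    return bool(APPID_RUNAS_RE.match(event.get("registry.path", "")))


def is_trusted_defender_engine(event: Dict[str, Any]) -> bool:
    """Exclusion: MsMpEng.exe from the Defender Platform folder with a trusted
    Microsoft signature. The path alone is not enough; a missing, untrusted or
    differently signed binary at that path stays in scope."""
    signature_ok = (
        event.get("process.code_signature.trusted") is True
        and event.get("process.code_signature.status") == "trusted"
        and event.get("process.code_signature.subject_name") == "Microsoft Windows Publisher"
    )
    return signature_ok and bool(DEFENDER_PLATFORM_RE.match(event.get("process.executable", "")))


def should_alert(event: Dict[str, Any]) -> bool:
    """Rule-shaped decision: alert on AppID RunAs changes unless the exclusion applies."""
    return is_runas_modification(event) and not is_trusted_defender_engine(event)


if __name__ == "__main__":
    print("alert" if should_alert(DEFENDER_EVENT) else "suppressed")  # prints "suppressed"
```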
