Update rules/windows/defense_evasion_microsoft_defender_tampering.toml

w0rk3r · Samirbous · web-flow · commit 056e631177fd · 2025-08-28T07:39:39.000-07:00
Co-authored-by: Samirbous &lt;64742097+Samirbous@users.noreply.github.com&gt;
diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
@@ -112,10 +112,10 @@ registry where host.os.type == "windows" and event.type == "change" and process.
     "?:\\Windows\\CCM\\CcmExec.exe", 
     "?:\\Windows\\System32\\DeviceEnroller.exe", 
     "?:\\Program Files (x86)\\Trend Micro\\Security Agent\\tmuninst.exe",
-    "\\Device\\HarddiskVolume?\\Windows\\system32\\svchost.exe", 
-    "\\Device\\HarddiskVolume?\\Windows\\CCM\\CcmExec.exe", 
-    "\\Device\\HarddiskVolume?\\Windows\\System32\\DeviceEnroller.exe", 
-    "\\Device\\HarddiskVolume?\\Program Files (x86)\\Trend Micro\\Security Agent\\tmuninst.exe"
+    "\\Device\\HarddiskVolume*\\Windows\\system32\\svchost.exe", 
+    "\\Device\\HarddiskVolume*\\Windows\\CCM\\CcmExec.exe", 
+    "\\Device\\HarddiskVolume*\\Windows\\System32\\DeviceEnroller.exe", 
+    "\\Device\\HarddiskVolume*\\Program Files (x86)\\Trend Micro\\Security Agent\\tmuninst.exe"
   )
 
 /*
