Update 2024-01-30-procmon.md

BenjiTrapp · Feb 4, 2024 · e8921f5 · e8921f5
1 parent 56be724
commit e8921f5
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/_attacks/2024-01-30-procmon.md b/_attacks/2024-01-30-procmon.md
@@ -186,9 +186,11 @@ def monitor_process_start(process_name):
     threading.Thread(target=check_process).start()
 
 defender_tool_processes = {
-    "Microsoft Defender": ["MsMpEng.exe", "MsSense.exe", "Sense.IR.exe", "SenseNdr.exe", "SenseCncProxy.exe", "SenseSampleUploader.exe"],
+    "Microsoft Defender": ["MsMpEng.exe", "MsSense.exe", "SenseIR.exe", "SenseNdr.exe", "SenseCncProxy.exe", "SenseSampleUploader.exe", "SenseSC.exe", "SenseCE.exe", "SenseCM.exe"],
+    "Microsoft Smart Scren": ["smartscreen.exe"],
     "Carbon Black (Cloud)": ["cb.exe", "RepMgr", "RepUtils", "RepUx", "RepWAV", "RepWSC"],
-    "Crowd Strike EDR": ["csagent", "falconctl", "falconhost", "falcon-sensor",],
+    "BitdDefender": ["bdagent.exe", "bdredline.exe", "bdreinit.exe", "bdsubwiz.exe", "bdwtxag"],
+    "Crowd Strike EDR": ["csagent", "falconctl", "falconhost", "falcon-sensor", "CSFalconService.exe", "CSFalconContainer.exe", "CSFalconUI.exe", "CSFalconUpdate.exe", "CSFalconSensorService.exe", "CSFalconSensor"],
     "Elastic EDR": ["winlogbeat.exe", "elastic-agent", "elastic-endpoint", "filebeat"],
     "Trellix EDR": ["xagt.exe"],
     "Qualys EDR": ["qagent", "QualysSensor.exe", "QualysAgent"],
@@ -205,8 +207,13 @@ defender_tool_processes = {
     "ESET Inspect": ["EIConnector", "ekrn"],
     "FireEye Endpoint Security": ["FireEyeAgent", "FireEyeHXAgent"],
     "TrendMicro Apex One": ["CETASvc.exe", "WSCommunicator.exe", "EndpointBasecamp.exe", "TmListen.exe",
-                            "Ntrtscan.exe", "TmWSCSvc.exe", "PccNTMon.exe", "TMBMSRV.exe", "CNTAoSMgr.exe", "TmCCSF.exe"],
-    "Splunk Agent": ["splunkd"]
+                            "Ntrtscan.exe", "TmWSCSvc.exe", "PccNTMon.exe", "TMBMSRV.exe", "CNTAoSMgr.exe", "TmCCSF.exe"
+                            "Deep Security Manager.exe", "coreServiceShell.exe", "ds_monitor.exe", "Notifier.exe", "dsa.exe", "ds_nuagent.exe"  ],
+    "Splunk Agent": ["splunkd"],
+    "Sysmon": ["sysmon64.exe", "sysmon.exe"],
+    "Rapid 7": ["R7Agent", "R7Agent64", "R7AgentService", "R7AgentService64", "R7AgentTray", "R7AgentTray64"],
+    "Rapid 7 Insight Agent": ["ir_agent.exe", "insight-agent", "insight-agentd", "insight-agentd64", "insight-agent64"],
+    "Rapid 7 Collector": ["collector.exe", "insight-collector", "insight-collectord", "insight-collectord64", "insight-collector64"],
 }
 
 def monitor_dict_process_start(process_dict):