Arbitrary File Download Via ConfigSecurityPolicy.EXE (1f0f6176-6482-4027-b151-00071af39d7e)
Detects the execution of "ConfigSecurityPolicy.EXE", a binary that is part of Windows Defender and is used to manage its settings. Users can configure different pilot collections for each of the co-management workloads. It can be abused by attackers to upload or download files.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Arbitrary File Download Via ConfigSecurityPolicy.EXE (1f0f6176-6482-4027-b151-00071af39d7e) | Sigma-Rules | Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) | Attack Pattern | 1 |