Merge pull request #21265 from MicrosoftDocs/repo_sync_working_branch

American-Dipper · web-flow · commit 834ae485f49e · 2023-07-03T08:42:54.000-07:00
Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/microsoft-365-docs (branch public)
diff --git a/microsoft-365/security/defender-endpoint/tamper-resiliency.md b/microsoft-365/security/defender-endpoint/tamper-resiliency.md
@@ -7,7 +7,7 @@ manager: dansimp
 ms.reviewer: joshbregman
 ms.service: microsoft-365-security
 ms.subservice: mde
-ms.date: 06/01/2023
+ms.date: 07/04/2023
 ms.topic: overview
 ms.collection: 
 - tier1
@@ -104,11 +104,29 @@ Attackers can be preventing from discovering existing antivirus exclusions by en
 
 When tampering is detected, an alert is raised. Some of the alert titles for tampering are:
 
+- Attempt to bypass Microsoft Defender for Endpoint client protection
+- Attempt to stop Microsoft Defender for Endpoint sensor
+- Attempt to tamper with Microsoft Defender on multiple devices
+- Attempt to turn off Microsoft Defender Antivirus protection
+- Defender detection bypass
+- Driver-based tampering attempt blocked
+- Image file execution options set for tampering purposes
+- Microsoft Defender Antivirus protection turned off
+- Microsoft Defender Antivirus tampering
+- Modification attempt in Microsoft Defender Antivirus exclusion list
+- Pending file operations mechanism abused for tampering purposes
 - Possible Antimalware Scan Interface (AMSI) tampering
+- Possible remote tampering
+- Possible sensor tampering in memory
 - Potential attempt to tamper with MDE via drivers
+- Security software tampering
+- Suspicious Microsoft Defender Antivirus exclusion
 - Tamper protection bypass
+- Tampering activity typical to ransomware attacks
+- Tampering with Microsoft Defender for Endpoint sensor communication
+- Tampering with Microsoft Defender for Endpoint sensor settings 
 - Tampering with the Microsoft Defender for Endpoint sensor
-- Possible tampering with protected processes
+
 
 If the [Block abuse of exploited vulnerable signed drivers](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers) attack surface reduction (ASR) rule is triggered, the event is viewable in the [ASR Report](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-report) and in [Advanced Hunting](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize#asr-rules-advanced-hunting)
 
