Detection · medium · stable

Windows Defender Exclusions Added

Detects the Setting of Windows Defender Exclusions

Author: Christian Burkard (Nextron Systems)
Created: Tue Jul 06
Updated: Tue Dec 06
Rule ID: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
Product: windows
Log Source
Product: Windows (raw: windows)
Service: windefend (raw: windefend)
Detection Logic (1 selector)
detection:
    selection:
        EventID: 5007 # The antimalware platform configuration changed.
        NewValue|contains: '\Microsoft\Windows Defender\Exclusions'
    condition: selection
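To make concrete what this single selector fires on, the following is an added Python example (not part of the rule or of SigmaHQ) that applies the selection to constructed event 5007 records; the dict-based event shape and the sample NewValue strings are assumptions modelled on the Defender operational log, and the matching honours Sigma's case-insensitive `contains`.

```python
# Added example, not part of the Sigma rule or SigmaHQ: evaluates the rule's
# selection over constructed Windows Defender operational-log events.
# Assumed event shape: dicts carrying the field names Sigma uses for this
# log source (EventID as int, NewValue as str).

EXCLUSION_MARKER = r"\Microsoft\Windows Defender\Exclusions"

def matches_exclusion_added(event: dict) -> bool:
    """True when the event satisfies the rule's single 'selection' block."""
    if event.get("EventID") != 5007:
        return False  # 5007 = antimalware platform configuration changed
    new_value = event.get("NewValue")
    if not isinstance(new_value, str):
        return False  # field missing or not a string: cannot match |contains
    # Sigma's |contains modifier is case-insensitive (no |cased), so
    # compare in lower case rather than with a raw substring test.
    return EXCLUSION_MARKER.lower() in new_value.lower()

def exclusion_list(event: dict):
    """Name the exclusion list touched (Paths, Extensions, Processes, ...)
    for triage; None when the event does not match the rule."""
    if not matches_exclusion_added(event):
        return None
    new_value = event["NewValue"]
    idx = new_value.lower().find(EXCLUSION_MARKER.lower()) + len(EXCLUSION_MARKER)
    remainder = new_value[idx:].lstrip("\\")
    return remainder.split("\\", 1)[0] if remainder else "(root)"

# Constructed sample events, modelled on the text of event 5007: the first two
# should alert; the rest are negatives (wrong event ID, other setting, no value).
SAMPLE_EVENTS = [
    {"EventID": 5007,
     "NewValue": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Tools = 0x0"},
    {"EventID": 5007,
     "NewValue": r"hklm\software\microsoft\windows defender\exclusions\Processes\java.exe = 0x0"},
    {"EventID": 5001,
     "NewValue": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\ = 0x0"},
    {"EventID": 5007,
     "NewValue": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScheduleDay = 0x0"},
    {"EventID": 5007},
]

def find_exclusion_changes(events):
    """Apply the rule to a stream of events; returns the matching events."""
    return [e for e in events if matches_exclusion_added(e)]

if __name__ == "__main__":
    for hit in find_exclusion_changes(SAMPLE_EVENTS):
        print(f"ALERT exclusion list={exclusion_list(hit)}: {hit['NewValue']}")
```

The "Administrator actions" false positive noted below shows up here as the Paths hit: the selector cannot tell a legitimate change from an unwanted one, so the exclusion list name and target value are what a triage step would review.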
False Positives

Administrator actions

Rule Metadata
Rule ID
1321dc4e-a1fe-481d-a016-52c45f0c8b4f
Status
stable
Level
medium
Type
Detection
Created
Tue Jul 06
Modified
Tue Dec 06
Path
rules/windows/builtin/windefend/win_defender_config_change_exclusion_added.yml
Raw Tags
attack.defense-evasion, attack.t1562.001