Folder Removed From Exploit Guard ProtectedFolders List - Registry
Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder.
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Fri Aug 05
Updated: Wed Feb 08
Rule ID: 272e55a4-9e6b-4211-acb6-78f51f0b1b40
Product: windows
Log Source
Product: windows
Category: registry_delete
Detection Logic
detection:
    selection:
        EventType: DeleteValue
        TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders'
    condition: selection
False Positives
Legitimate administrators removing applications (should always be investigated)
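To see what the selection above actually fires on, the following added Python (not part of the Sigma rule or its repository) applies the two selection fields to a handful of constructed Sysmon Event ID 12 registry records; the events, the regedit image path, the folder names and the helper names are assumptions made up for the example.

```python
# Added example: evaluates the Sigma selection from this rule against
# constructed Sysmon Event ID 12 (registry object add/delete) records.
# Event contents and helper names are assumptions for illustration only.
PROTECTED_FOLDERS_KEY = (
    r"SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard"
    r"\Controlled Folder Access\ProtectedFolders"
)

# Each protected folder is stored as a value under the key above, so removing
# one folder surfaces as a DeleteValue whose TargetObject ends in that path.
SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventType": "DeleteValue", "Image": r"C:\Windows\regedit.exe",   # folder removed: should alert
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard"
                     r"\Controlled Folder Access\ProtectedFolders\C:\Users\alice\Documents"},
    {"EventType": "SetValue", "Image": r"C:\Windows\regedit.exe",      # folder added, not removed
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard"
                     r"\Controlled Folder Access\ProtectedFolders\D:\Finance"},
    {"EventType": "DeleteValue", "Image": r"C:\Windows\regedit.exe",   # unrelated value delete
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventType": "DeleteKey", "Image": r"C:\Windows\regedit.exe",     # whole key removed
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard"
                     r"\Controlled Folder Access\ProtectedFolders"},
]

def matches_rule(event):
    """Apply the selection: both fields must match (Sigma ANDs fields in a selection)."""
    # Sigma string matching is case-insensitive by default, so compare lowercased.
    if str(event.get("EventType", "")).lower() != "deletevalue":
        return False
    return PROTECTED_FOLDERS_KEY.lower() in str(event.get("TargetObject", "")).lower()

def removed_folder(event):
    """Return the folder path that was dropped from the list, for the alert body."""
    target = event["TargetObject"]
    start = target.lower().find(PROTECTED_FOLDERS_KEY.lower())
    return target[start + len(PROTECTED_FOLDERS_KEY):].lstrip("\\")

def run_rule(events):
    """Return (image, removed folder) for every event the rule would alert on."""
    return [(e.get("Image"), removed_folder(e)) for e in events if matches_rule(e)]

if __name__ == "__main__":
    for image, folder in run_rule(SAMPLE_EVENTS):
        print(f"ALERT: {image} removed {folder!r} from ProtectedFolders")
```

Only the first sample alerts; the last sample shows the rule's scope as written: deleting the whole ProtectedFolders key is a DeleteKey event, which this selection does not cover.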
MITRE ATT&CK
Tactics: Defense Evasion (attack.defense-evasion)
Sub-techniques: T1562.001 (attack.t1562.001)
Rule Metadata
Rule ID: 272e55a4-9e6b-4211-acb6-78f51f0b1b40
Status: test
Level: high
Type: Detection
Created: Fri Aug 05
Modified: Wed Feb 08
Path: rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
Raw Tags: attack.defense-evasion, attack.t1562.001