Windows Defender Exclusion List Modified
Detects modifications to the Windows Defender exclusion registry keys. Adding an exclusion is a common defense-evasion step: an attacker who can write to these keys can keep a staging directory, a tool or a file extension out of Defender's scanning, so any change here that was not made deliberately by an administrator deserves investigation.
Definition
Requirements: event 4657 is only written when the "Audit Registry" subcategory (Audit Policy: Security Settings/Local Policies/Audit Policy, Object Access) is enabled and the Exclusions key carries a SACL (Registry System Access Control: Auditing/User) that audits Set Value for the accounts of interest. Without both, the rule will never fire even though the exclusion was added.
detection:
    selection:
        EventID: 4657 # A registry value was modified.
        ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
    condition: selection
False positives: Intended exclusions by administrators
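The selection above, applied to log records in code, as an added example that is not part of the rule page or its project. It runs the two conditions of the rule over constructed 4657 records, pulls out which exclusion type (Paths, Processes, Extensions, ...) was touched, and screens the hits against a hypothetical allowlist that stands in for the administrator-intended exclusions listed as the rule's false positive. The field names follow the XML rendering of event 4657 (ObjectName, ObjectValueName, SubjectUserName, ProcessName); the sample events and APPROVED_EXCLUSIONS are constructed for this example.

```python
"""Added example (not the rule's own code): run the Sigma selection above over
constructed Security-log 4657 events and triage the hits.

Assumptions not taken from the page: field names follow the XML rendering of
event 4657; APPROVED_EXCLUSIONS is a hypothetical change-management allowlist.
"""

# Substring matched by `ObjectName|contains`. Sigma string matching is
# case-insensitive, so both sides are lower-cased before comparing.
EXCLUSION_KEY = "\\Microsoft\\Windows Defender\\Exclusions\\"

# Hypothetical allowlist: (exclusion type, value) pairs an administrator approved.
APPROVED_EXCLUSIONS = {("paths", "c:\\sqldata")}

# Constructed sample records: three exclusion writes, one unrelated registry
# change, and one 4663 (access, not modification) on the Exclusions key.
_DEF = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
SAMPLE_EVENTS = [
    {"EventID": 4657, "SubjectUserName": "jdoe", "ProcessName": "C:\\Windows\\System32\\reg.exe",
     "ObjectName": _DEF + "Paths", "ObjectValueName": "C:\\Users\\Public\\tools"},
    {"EventID": 4657, "SubjectUserName": "svc_backup", "ProcessName": "C:\\Windows\\regedit.exe",
     "ObjectName": _DEF + "Paths", "ObjectValueName": "C:\\SQLData"},
    {"EventID": 4657, "SubjectUserName": "jdoe", "ProcessName": "C:\\Windows\\System32\\reg.exe",
     "ObjectName": _DEF + "Extensions", "ObjectValueName": ".exe"},
    {"EventID": 4657, "SubjectUserName": "jdoe", "ProcessName": "C:\\Windows\\explorer.exe",
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "ObjectValueName": "OneDrive"},
    {"EventID": 4663, "SubjectUserName": "jdoe", "ProcessName": "C:\\Windows\\regedit.exe",
     "ObjectName": _DEF + "Paths", "ObjectValueName": ""},
]


def selection(event: dict) -> bool:
    """The rule's `selection`: EventID 4657 and ObjectName containing the key fragment."""
    if event.get("EventID") != 4657:
        return False
    return EXCLUSION_KEY.lower() in str(event.get("ObjectName", "")).lower()


def exclusion_type(event: dict) -> str:
    """Name of the sub-key under Exclusions\\ (paths, processes, extensions, ...)."""
    name = str(event.get("ObjectName", ""))
    idx = name.lower().find(EXCLUSION_KEY.lower())
    if idx < 0:
        return ""
    tail = name[idx + len(EXCLUSION_KEY):]
    return tail.split("\\")[0].lower()


def triage(events) -> list:
    """Matched events, each annotated with whether the exclusion is on the allowlist."""
    hits = []
    for ev in events:
        if not selection(ev):
            continue
        kind = exclusion_type(ev)
        value = str(ev.get("ObjectValueName", ""))
        hits.append({
            "user": ev.get("SubjectUserName", ""),
            "process": ev.get("ProcessName", ""),
            "type": kind,
            "value": value,
            "approved": (kind, value.lower()) in APPROVED_EXCLUSIONS,
        })
    return hits


def unapproved(events) -> list:
    """Hits that are not covered by the allowlist: the ones worth an analyst's time."""
    return [h for h in triage(events) if not h["approved"]]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        flag = "approved" if hit["approved"] else "REVIEW"
        print(f"[{flag}] {hit['user']} via {hit['process']}: {hit['type']} = {hit['value']}")
```

Two details matter when porting this to a backend. The rule uses `contains` rather than a full path because 4657 reports ObjectName in native form (`\REGISTRY\MACHINE\SOFTWARE\...`, not `HKLM\...`) and the exclusion type is the last path component, so prefix and suffix both vary. And because exclusion changes made through the Defender management interfaces are written by the Defender service itself, the SubjectUserName and ProcessName in the event are not a reliable way to tell an administrator's change from an attacker's; comparing the written value against an approved list, as above, is the more dependable way to work the false positive the rule documents.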
Windows Defender Exclusion Registry Key - Write Access Requested
Detects write access requests to the Windows Defender exclusions registry keys, that is, an attacker requesting a handle to the key with write permissions before adding new exclusions in order to bypass security.
This rule was derived from the related rule above: both detect the same activity, but this one triggers on the handle request rather than on the completed modification, so it has a different scope.
a33f8808-2812-4373-ae95-8cfb82134978