
Windows Defender Exploit Guard Tamper

Detects when someone adds or removes applications or folders in the Exploit Guard "ProtectedFolders" or "AllowedApplications" configuration of Controlled Folder Access.

Author: Nasreddine Bencherchali (Nextron Systems)
Log Source
Product: windows
Service: windefend
Detection Logic (3 selectors)
detection:
    allowed_apps_key:
        EventID: 5007 # The antimalware platform configuration changed.
        NewValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\'
    allowed_apps_path:
        NewValue|contains:
            # Add more paths you don't allow in your org
            - '\Users\Public\'
            - '\AppData\Local\Temp\'
            - '\Desktop\'
            - '\PerfLogs\'
            - '\Windows\Temp\'
    protected_folders:
        EventID: 5007 # The antimalware platform configuration changed.
        # This will trigger on any folder removal. If you experience FP's then add another selection with specific paths
        OldValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\'
    condition: all of allowed_apps* or protected_folders
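
To show how the condition `all of allowed_apps* or protected_folders` combines the three selectors (both allowed_apps selectors must match, or protected_folders alone), here is an added Python evaluator that is not code from the Sigma rule or the Sigma project, run over constructed Event ID 5007 records. The `HIVE` registry prefix, file names and folder names are assumptions made for the example.

```python
# Added example (not part of the Sigma rule or the Sigma project): evaluates the
# rule's three selectors and condition against constructed Event ID 5007 records.

CFA_KEY = "\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access"
ALLOWED_APPS_KEY = CFA_KEY + "\\AllowedApplications\\"
PROTECTED_FOLDERS_KEY = CFA_KEY + "\\ProtectedFolders\\"
# Locations the rule rejects for an allowed application (selector allowed_apps_path).
SUSPICIOUS_PATHS = ["\\Users\\Public\\", "\\AppData\\Local\\Temp\\", "\\Desktop\\",
                    "\\PerfLogs\\", "\\Windows\\Temp\\"]

def contains(value, needle):
    # Sigma's |contains modifier is a case-insensitive substring match.
    return needle.lower() in (value or "").lower()

def allowed_apps_key(ev):
    return ev.get("EventID") == 5007 and contains(ev.get("NewValue"), ALLOWED_APPS_KEY)

def allowed_apps_path(ev):
    return any(contains(ev.get("NewValue"), p) for p in SUSPICIOUS_PATHS)

def protected_folders(ev):
    return ev.get("EventID") == 5007 and contains(ev.get("OldValue"), PROTECTED_FOLDERS_KEY)

def rule_matches(ev):
    # condition: all of allowed_apps* or protected_folders
    return (allowed_apps_key(ev) and allowed_apps_path(ev)) or protected_folders(ev)

def evaluate(events):
    # One boolean per event: True where the rule would fire.
    return [rule_matches(e) for e in events]

# Constructed sample events. The key names follow the rule; file names,
# folders and the HKLM prefix are made up for the example.
HIVE = "HKLM\\SOFTWARE\\Microsoft"
SAMPLE_EVENTS = [
    # 1: app in \Users\Public\ added to AllowedApplications -> fires
    {"EventID": 5007, "OldValue": "",
     "NewValue": HIVE + ALLOWED_APPS_KEY + "C:\\Users\\Public\\tool.exe = 0x0"},
    # 2: app under Program Files added -> path not in the list, no alert
    {"EventID": 5007, "OldValue": "",
     "NewValue": HIVE + ALLOWED_APPS_KEY + "C:\\Program Files\\Vendor\\app.exe = 0x0"},
    # 3: a protected folder removed (old value present, new value empty) -> fires
    {"EventID": 5007, "NewValue": "",
     "OldValue": HIVE + PROTECTED_FOLDERS_KEY + "D:\\Finance = 0x0"},
    # 4: unrelated 5007 configuration change -> no alert
    {"EventID": 5007, "OldValue": "",
     "NewValue": HIVE + "\\Windows Defender\\Real-Time Protection\\SomeSetting = 0x1"},
]
```

Event 2 shows why the rule needs both allowed_apps selectors: an exclusion added for a binary in a normal install location is a legitimate administrative change, so only paths in the list raise an alert.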
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

Rule Metadata
Rule ID
a3ab73f1-bd46-4319-8f06-4b20d0617886
Status
test
Level
high
Type
Detection
Created
Fri Aug 05
Modified
Tue Dec 06
Path
rules/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml
Tags
attack.defense-evasion, attack.t1562.001