Detectionmediumtest

Disable Exploit Guard Network Protection on Windows Defender

Detects disabling Windows Defender Exploit Guard Network Protection

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Austin SongerCreated Wed Aug 04Updated Thu Aug 17bf9e1387-b040-4393-9851-1598f8ecfae9windows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        TargetObject|contains: 'SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection\DisallowExploitProtectionOverride'
        Details: 'DWORD (00000001)'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

tenforums.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1562.001 · Disable or Modify Tools

Rule Metadata

Rule ID

bf9e1387-b040-4393-9851-1598f8ecfae9

Status

test

Level

medium

Type

Detection

Created

Wed Aug 04

Modified

Thu Aug 17

Author

Austin Songer

Path

rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml

Raw Tags

attack.defense-evasionattack.t1562.001

View on GitHub