Windows Defender Exclusion Registry Key - Write Access Requested
Detects handle requests (4656) and access attempts (4663) that carry write access (WriteData or AppendData) to the Windows Defender exclusions registry keys. An attacker who can write there can add path, process or extension exclusions so that their tooling is never scanned, which is a common Defender bypass.
Definition
Requirements: Object Access auditing must be enabled (Security Settings/Local Policies/Audit Policy, or the Advanced Audit Policy subcategory Audit Registry), and a System Access Control List (SACL) that audits write access must be set on the Exclusions registry key. Without both, Windows produces no 4656/4663 events for the key and the rule can never fire.

```yaml
detection:
    selection:
        AccessList|contains:
            - '%%4417' # WriteData
            - '%%4418' # AppendData
        EventID:
            - 4656 # A handle to an object was requested.
            - 4663 # An attempt was made to access an object.
        ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
    condition: selection
```

False positive likelihood has not been assessed. Additional context may be needed during triage. Two points help there. 4656 is raised when the handle is requested (and, with failure auditing enabled, also when the request is denied), whereas 4663 is raised only when the granted access is actually used, so a 4656 on its own does not prove that a value was written. The AccessList tokens are message-table references whose rendered text depends on the object type, so compare them against an event captured from your own hosts after enabling the SACL before relying on the rule. Pivoting on ProcessName and SubjectUserName separates writes made by Defender's own service process from direct registry edits with reg.exe or PowerShell.
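The selection above, applied to a handful of constructed Windows Security events so the matching can be checked offline. This is an added example, not code from the Sigma rule or the SigmaHQ project. Field names follow the EventData names in the Security log XML (EventID, AccessList and ObjectName are the ones the rule uses; ProcessName and SubjectUserName are assumed here for the triage grouping), and the sample records are constructed rather than captured.

```python
"""Added example: the rule's 'selection' as Python, run over constructed
Windows Security events. Not part of the original rule or project."""

# Values copied from the rule's detection block.
ACCESS_WRITE_CODES = ("%%4417", "%%4418")        # WriteData, AppendData
TARGET_EVENT_IDS = (4656, 4663)                  # handle requested, object accessed
EXCLUSIONS_PATH = "\\Microsoft\\Windows Defender\\Exclusions\\"


def matches_rule(event: dict) -> bool:
    """Return True when an event satisfies the rule's single 'selection'.

    Sigma string modifiers such as |contains are case-insensitive by
    default, so both fields are lowered before comparison. AccessList in a
    real 4656/4663 event is a whitespace-separated block of %%NNNN tokens;
    plain substring matching handles that without tokenising.
    """
    try:
        event_id = int(event.get("EventID", 0))
    except (TypeError, ValueError):
        return False
    if event_id not in TARGET_EVENT_IDS:
        return False
    object_name = str(event.get("ObjectName", "")).lower()
    if EXCLUSIONS_PATH.lower() not in object_name:
        return False
    access_list = str(event.get("AccessList", "")).lower()
    return any(code.lower() in access_list for code in ACCESS_WRITE_CODES)


# Constructed sample events (not real captures). Registry ObjectName values
# are reported in native form, \REGISTRY\MACHINE\... rather than HKLM\...
SAMPLE_EVENTS = [
    {"EventID": 4663, "AccessList": "%%4417",                      # write: match
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths",
     "ProcessName": "C:\\Windows\\System32\\reg.exe", "SubjectUserName": "jdoe"},
    {"EventID": 4656, "AccessList": "\n\t\t\t\t%%4417\n\t\t\t\t%%4418\n\t\t\t\t",  # multi-token: match
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes",
     "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "SubjectUserName": "jdoe"},
    {"EventID": 4663, "AccessList": "%%4416",                      # ReadData only: no match
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths",
     "ProcessName": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "SubjectUserName": "SYSTEM"},
    {"EventID": 4663, "AccessList": "%%4417",                      # write to another key: no match
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "ProcessName": "C:\\Windows\\System32\\reg.exe", "SubjectUserName": "jdoe"},
    {"EventID": 4657, "AccessList": "",                            # value-changed event: outside scope
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths",
     "ProcessName": "C:\\Windows\\System32\\reg.exe", "SubjectUserName": "jdoe"},
]


def find_matches(events):
    """All events that the rule would alert on, in input order."""
    return [e for e in events if matches_rule(e)]


def triage_summary(events):
    """Group matched ObjectNames by ProcessName: the first pivot an analyst
    uses to separate Defender's own service writes from direct edits."""
    summary = {}
    for e in find_matches(events):
        summary.setdefault(e.get("ProcessName", "<unknown>"), []).append(e["ObjectName"])
    return summary


if __name__ == "__main__":
    for e in find_matches(SAMPLE_EVENTS):
        print(e["EventID"], e["SubjectUserName"], e["ProcessName"], e["ObjectName"])
```

The third sample shows why AccessList matters: a read of the same key by the Defender service is routine and must not alert, while the fifth shows that a 4657 value-change event is outside this rule's scope and needs the related rule.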
Related rule
Windows Defender Exclusion List Modified
Detects modifications to the Windows Defender exclusion registry key. This could indicate potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
This rule was derived from the related rule; both detect similar activity with different scope.
a33f8808-2812-4373-ae95-8cfb82134978