Windows Defender Exclusion List Modified
Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
Sigma rule (View on GitHub)
1title: Windows Defender Exclusion List Modified
2id: 46a68649-f218-4f86-aea1-16a759d81820
3related:
4 - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
5 type: derived
6 - id: a33f8808-2812-4373-ae95-8cfb82134978
7 type: derived
8status: test
9description: |
10 Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
11references:
12 - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
13author: '@BarryShooshooga'
14date: 2019-10-26
15modified: 2023-11-11
16tags:
17 - attack.defense-evasion
18 - attack.t1562.001
19logsource:
20 product: windows
21 service: security
22 definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
23detection:
24 selection:
25 EventID: 4657 # A registry value was modified.
26 ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
27 condition: selection
28falsepositives:
29 - Intended exclusions by administrators
30level: medium
References
-
As Windows Defender matures and becomes tightly integrated into Windows 10, malware writers are creating techniques to evade its detection. Such is the case with the GootKit banking Trojan, which use a UAC bypass and WMIC commands to exclude the malware executable from being scanned by Windows Defender Antivirus.
Read More
Related rules
- AMSI Bypass Pattern Assembly GetType
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder
- AWS GuardDuty Important Change
- Add SafeBoot Keys Via Reg Utility