Windows Defender Exclusion Registry Key - Write Access Requested
Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.
Sigma rule (View on GitHub)
1title: Windows Defender Exclusion Registry Key - Write Access Requested
2id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
3related:
4 - id: 46a68649-f218-4f86-aea1-16a759d81820
5 type: derived
6 - id: a33f8808-2812-4373-ae95-8cfb82134978
7 type: derived
8status: test
9description: |
10 Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.
11references:
12 - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
13author: '@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)'
14date: 2019-10-26
15modified: 2023-11-11
16tags:
17 - attack.defense-evasion
18 - attack.t1562.001
19logsource:
20 product: windows
21 service: security
22 definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
23detection:
24 selection:
25 AccessList|contains:
26 - '%%4417' # WriteData
27 - '%%4418' # AppendData
28 EventID:
29 - 4656 # A handle to an object was requested.
30 - 4663 # An attempt was made to access an object.
31 ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
32 condition: selection
33falsepositives:
34 - Unknown
35level: medium
References
Related rules
- Windows Defender Real-time Protection Disabled
- IISReset Used to Stop IIS Services
- Dism Remove Online Package
- Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
- Obfuscated PowerShell OneLiner Execution