Windows Defender Exclusion Registry Key - Write Access Requested

Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.

Sigma rule (View on GitHub)

 1title: Windows Defender Exclusion Registry Key - Write Access Requested
 2id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
 3related:
 4    - id: 46a68649-f218-4f86-aea1-16a759d81820
 5      type: derived
 6    - id: a33f8808-2812-4373-ae95-8cfb82134978
 7      type: derived
 8status: test
 9description: |
10        Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.
11references:
12    - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
13author: '@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)'
14date: 2019-10-26
15modified: 2023-11-11
16tags:
17    - attack.defense-evasion
18    - attack.t1562.001
19logsource:
20    product: windows
21    service: security
22    definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
23detection:
24    selection:
25        AccessList|contains:
26            - '%%4417' # WriteData
27            - '%%4418' # AppendData
28        EventID:
29            - 4656 # A handle to an object was requested.
30            - 4663 # An attempt was made to access an object.
31        ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
32    condition: selection
33falsepositives:
34    - Unknown
35level: medium

References

Related rules

to-top