Windows Defender Exclusion Deleted
Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to delete their tracks by removing the added exclusions
Sigma rule (View on GitHub)
1title: Windows Defender Exclusion Deleted
2id: a33f8808-2812-4373-ae95-8cfb82134978
3related:
4 - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
5 type: derived
6 - id: 46a68649-f218-4f86-aea1-16a759d81820
7 type: derived
8status: test
9description: |
10 Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to delete their tracks by removing the added exclusions
11references:
12 - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
13author: '@BarryShooshooga'
14date: 2019-10-26
15modified: 2023-11-11
16tags:
17 - attack.defense-evasion
18 - attack.t1562.001
19logsource:
20 product: windows
21 service: security
22 definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
23detection:
24 selection:
25 EventID: 4660 # An object was deleted.
26 ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
27 condition: selection
28falsepositives:
29 - Unknown
30level: medium
References
-
As Windows Defender matures and becomes tightly integrated into Windows 10, malware writers are creating techniques to evade its detection. Such is the case with the GootKit banking Trojan, which use a UAC bypass and WMIC commands to exclude the malware executable from being scanned by Windows Defender Antivirus.
Read More
Related rules
- AMSI Bypass Pattern Assembly GetType
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder
- AWS GuardDuty Important Change
- Add SafeBoot Keys Via Reg Utility