Windows Defender Exploit Guard Tamper
Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"
Sigma rule
title: Windows Defender Exploit Guard Tamper
id: a3ab73f1-bd46-4319-8f06-4b20d0617886
status: test
description: |
    Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"
references:
    - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2022-12-06
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    product: windows
    service: windefend
detection:
    allowed_apps_key:
        EventID: 5007 # The antimalware platform configuration changed.
        NewValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\'
    allowed_apps_path:
        NewValue|contains:
            # Add more paths you don't allow in your org
            - '\Users\Public\'
            - '\AppData\Local\Temp\'
            - '\Desktop\'
            - '\PerfLogs\'
            - '\Windows\Temp\'
    protected_folders:
        EventID: 5007 # The antimalware platform configuration changed.
        # This will trigger on any folder removal. If you experience FP's then add another selection with specific paths
        OldValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\'
    condition: all of allowed_apps* or protected_folders
falsepositives:
    - Unlikely
level: high
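As an added example (not code from the rule or the Sigma project), the following Python applies the rule's condition `all of allowed_apps* or protected_folders` to constructed Event ID 5007 records, so the interaction of the two `allowed_apps_*` selections and the `protected_folders` selection can be checked before deployment. The event field layout (`EventID`, `NewValue`, `OldValue`) and the sample values are assumptions.

```python
# Added example (not code from the rule or the Sigma project): applies the rule's
# condition "all of allowed_apps* or protected_folders" to constructed Event ID
# 5007 records. Field layout (EventID/NewValue/OldValue) and values are assumed.

CFA_KEY = "\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access"
ALLOWED_APPS_KEY = CFA_KEY + "\\AllowedApplications\\"
PROTECTED_FOLDERS_KEY = CFA_KEY + "\\ProtectedFolders\\"
# Paths the rule treats as suspicious when allow-listed (extend for your org)
SUSPICIOUS_APP_PATHS = [
    "\\Users\\Public\\",
    "\\AppData\\Local\\Temp\\",
    "\\Desktop\\",
    "\\PerfLogs\\",
    "\\Windows\\Temp\\",
]

def _contains(value, needle):
    """Sigma '|contains' semantics: case-insensitive substring match."""
    return needle.lower() in (value or "").lower()

def matches_rule(event):
    """Return True when the event satisfies the rule's condition."""
    if event.get("EventID") != 5007:  # both selection groups require 5007
        return False
    new_value, old_value = event.get("NewValue", ""), event.get("OldValue", "")
    allowed_apps_key = _contains(new_value, ALLOWED_APPS_KEY)
    allowed_apps_path = any(_contains(new_value, p) for p in SUSPICIOUS_APP_PATHS)
    protected_folders = _contains(old_value, PROTECTED_FOLDERS_KEY)
    return (allowed_apps_key and allowed_apps_path) or protected_folders

# Constructed sample events; the "HKLM\SOFTWARE\Microsoft" prefix and "= 0x0"
# suffix are assumed to mimic the registry-style strings that 5007 reports.
HIVE = "HKLM\\SOFTWARE\\Microsoft"
SAMPLE_EVENTS = [
    {  # binary under \Users\Public allow-listed: both allowed_apps_* hit
        "EventID": 5007, "OldValue": "",
        "NewValue": HIVE + ALLOWED_APPS_KEY + "C:\\Users\\Public\\x.exe = 0x0"},
    {  # protected folder removed: OldValue carries the ProtectedFolders key
        "EventID": 5007, "NewValue": "",
        "OldValue": HIVE + PROTECTED_FOLDERS_KEY + "C:\\Finance = 0x0"},
    {  # vendor app under Program Files allow-listed: key hits, path does not
        "EventID": 5007, "OldValue": "",
        "NewValue": HIVE + ALLOWED_APPS_KEY + "C:\\Program Files\\V\\app.exe = 0x0"},
]

def evaluate(events):
    """Apply the rule to each event, returning one verdict per event."""
    return [matches_rule(e) for e in events]
```

The third sample shows why the `allowed_apps_path` selection exists: allow-listing alone is not flagged, only allow-listing from the listed writable locations.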