Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
Sigma rule
```yaml
title: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
id: 48917adc-a28e-4f5d-b729-11e75da8941f
status: test
description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
references:
    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
    - https://redcanary.com/threat-detection-report/threats/qbot/
author: frack113
date: 2022-02-13
modified: 2023-02-04
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains:
            - 'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
            - 'SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'
        CommandLine|contains|all:
            - 'ADD '
            - '/t '
            - 'REG_DWORD '
            - '/v '
            - '/d '
            - '0'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
```
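The selection logic above, replayed over a few constructed process_creation events so the OR/AND semantics of `contains` versus `contains|all` are visible. This is an added example, not SigmaHQ's or any Sigma backend's code; the `Image`/`CommandLine` field names follow the Sysmon/Sigma convention and all sample command lines are constructed.

```python
# Selection of the rule above, transcribed as data (added example, not SigmaHQ code).
IMAGE_SUFFIX = r"\reg.exe"
EXCLUSION_PATHS = (
    r"SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
    r"SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths",
)
REQUIRED_TOKENS = ("ADD ", "/t ", "REG_DWORD ", "/v ", "/d ", "0")


def matches_rule(event: dict) -> bool:
    """Return True when a process_creation event satisfies the rule's selection.

    Sigma string modifiers (endswith/contains) are case-insensitive by default,
    so both fields are lower-cased before comparison.
    """
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not image.endswith(IMAGE_SUFFIX.lower()):
        return False
    # CommandLine|contains with a list: any one path is enough (OR).
    if not any(p.lower() in cmd for p in EXCLUSION_PATHS):
        return False
    # CommandLine|contains|all: every token must be present (AND). The trailing
    # spaces matter; the bare '0' is satisfied by any zero in the command line.
    return all(t.lower() in cmd for t in REQUIRED_TOKENS)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # exclusion added for a folder under AppData: the pattern the rule targets
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r'reg ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\u\AppData\Roaming\x" /t REG_DWORD /d 0 /f',
    },
    {  # same key only read: no ADD and no value written, so no alert
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r'reg QUERY "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"',
    },
    {  # ordinary DWORD write to an unrelated key: all tokens present, no exclusion path
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r'reg ADD "HKCU\Software\Example\Settings" /v Enabled /t REG_DWORD /d 0 /f',
    },
]


def run(events=SAMPLE_EVENTS) -> list:
    """Return the indices of the events that would trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print(run())  # [0]
```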