Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
Sigma rule
title: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
id: 48917adc-a28e-4f5d-b729-11e75da8941f
status: test
description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
references:
    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
    - https://redcanary.com/threat-detection-report/threats/qbot/
author: frack113
date: 2022/02/13
modified: 2023/02/04
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains:
            - 'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
            - 'SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'
        CommandLine|contains|all:
            - 'ADD '
            - '/t '
            - 'REG_DWORD '
            - '/v '
            - '/d '
            - '0'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
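To make the selection logic concrete, the following added example (not code from the rule or from SigmaHQ) replays the rule's `selection` block over a few constructed process_creation events using Sigma's default case-insensitive string matching. The event field names (`Image`, `CommandLine`) and the sample command lines are assumptions made for the demonstration.

```python
# Added example (not SigmaHQ code): replays this rule's selection over constructed
# process_creation events, using Sigma's default case-insensitive string matching.
# The rule's selection block, keyed exactly as in the YAML (field|modifiers).
SELECTION = {
    "Image|endswith": ["\\reg.exe"],
    "CommandLine|contains": [  # list entries are OR-ed: either Defender key counts
        "SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths",
        "SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths",
    ],
    "CommandLine|contains|all": ["ADD ", "/t ", "REG_DWORD ", "/v ", "/d ", "0"],
}


def field_matches(value, modifiers, patterns):
    """One Sigma field test: case-insensitive; list OR-ed unless 'all' is present."""
    value = value.lower()
    patterns = [p.lower() for p in patterns]
    if "endswith" in modifiers:
        results = [value.endswith(p) for p in patterns]
    elif "contains" in modifiers:
        results = [p in value for p in patterns]
    else:
        results = [value == p for p in patterns]
    return all(results) if "all" in modifiers else any(results)


def matches_rule(event):
    """Every key of the selection map must match (AND across fields)."""
    for key, patterns in SELECTION.items():
        field, *modifiers = key.split("|")
        if not field_matches(event.get(field, ""), modifiers, patterns):
            return False
    return True


# Constructed sample events; field names Image/CommandLine assumed as in Sysmon EID 1.
EVENTS = [
    {"id": "evt-1", "Image": r"C:\Windows\System32\reg.exe", "CommandLine":
     r'reg ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" '
     r'/v "C:\Users\alice\AppData\Roaming\Foo" /t REG_DWORD /d 0 /f'},
    {"id": "evt-2", "Image": r"C:\Windows\SysWOW64\reg.exe", "CommandLine":  # legacy key
     r'reg add "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths" '
     r'/v C:\ProgramData\Bar /t REG_DWORD /d 0'},
    {"id": "evt-3", "Image": r"C:\Windows\System32\reg.exe", "CommandLine":  # read, not ADD
     r'reg QUERY "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"'},
    {"id": "evt-4", "Image": r"C:\Windows\System32\reg.exe", "CommandLine":  # unrelated key
     r"reg ADD HKCU\Software\Contoso /v Enabled /t REG_DWORD /d 0 /f"},
    {"id": "evt-5", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Add-MpPreference -ExclusionPath C:\\Temp"},  # not reg.exe
]


def run_detection(events):
    return [e["id"] for e in events if matches_rule(e)]
```

Only the two `reg ADD` events against a Defender exclusion key fire; the query, the unrelated key and the PowerShell cmdlet (covered by the related MpPreference rule) do not.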
Related rules
- HackTool - PowerTool Execution
- Powershell Base64 Encoded MpPreference Cmdlet
- SafeBoot Registry Key Deleted Via Reg.EXE
- Service Registry Key Deleted Via Reg.EXE
- Load Of RstrtMgr.DLL By A Suspicious Process