Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
Sigma rule (View on GitHub)
1title: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
2id: 48917adc-a28e-4f5d-b729-11e75da8941f
3status: test
4description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
5references:
6 - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
7 - https://redcanary.com/threat-detection-report/threats/qbot/
8author: frack113
9date: 2022/02/13
10modified: 2023/02/04
11tags:
12 - attack.defense_evasion
13 - attack.t1562.001
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 Image|endswith: '\reg.exe'
20 CommandLine|contains:
21 - 'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
22 - 'SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'
23 CommandLine|contains|all:
24 - 'ADD '
25 - '/t '
26 - 'REG_DWORD '
27 - '/v '
28 - '/d '
29 - '0'
30 condition: selection
31falsepositives:
32 - Legitimate use
33level: medium
References
-
Qbot (aka QakBot, Quakbot, Pinkslipbot ) has been around for a long time having first been observed back in 2007. More info on Qbot can be found at the following links: Microsoft & Red Canary I…
Read More -
Qbot is a banking trojan with the ability to quickly spread to other hosts within an environment and is a delivery agent for ransomware.
Read More
Related rules
- HackTool - PowerTool Execution
- SafeBoot Registry Key Deleted Via Reg.EXE
- Service Registry Key Deleted Via Reg.EXE
- Load Of RstrtMgr.DLL By A Suspicious Process
- Load Of RstrtMgr.DLL By An Uncommon Process