Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
Sigma rule

title: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
id: 48917adc-a28e-4f5d-b729-11e75da8941f
status: test
description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
references:
    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
    - https://redcanary.com/threat-detection-report/threats/qbot/
author: frack113
date: 2022-02-13
modified: 2023-02-04
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains:
            - 'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
            - 'SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'
        CommandLine|contains|all:
            - 'ADD '
            - '/t '
            - 'REG_DWORD '
            - '/v '
            - '/d '
            - '0'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
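The selection above, run over sample events, as an added Python example that is not part of the Sigma rule or of this page. It implements the three modifiers the rule uses (endswith, contains with a list meaning any-of, contains|all meaning every-substring) with Sigma's default case-insensitive string matching, and evaluates them against a handful of constructed process_creation events. The field names Image and CommandLine are the Sigma field names; the events themselves are made up for illustration and are not from any real host or report.

```python
# Re-implementation of the rule's selection logic for illustration; the
# matching semantics follow Sigma's defaults (case-insensitive substring /
# suffix tests), but this is not the Sigma toolchain itself.

# Constructed sample process_creation events (made up, not real telemetry).
SAMPLE_EVENTS = [
    # Qbot-style exclusion for an AppData folder: should fire.
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"'
                    r' /t REG_DWORD /v "C:\Users\user\AppData\Roaming\Microsoft\Folder" /d 0 /f'},
    # Same technique against the older Microsoft Antimalware key, ProgramData: should fire.
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg ADD "HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths"'
                    r' /t REG_DWORD /v "C:\ProgramData\Folder" /d 0 /f'},
    # Only querying the key, no 'ADD ': must not fire.
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg QUERY "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"'},
    # reg.exe writing a different Defender key: covered by other rules, not this one.
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"'
                    r' /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    # Exclusion added through PowerShell instead of reg.exe: outside this rule's scope.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell Add-MpPreference -ExclusionPath C:\ProgramData\Folder"},
    # Exclusion written without /t and /d: the rule requires all six substrings, so it
    # does not fire. Whether Defender honours such a value is not something this
    # example claims; the point is only that the contains|all list is a hard AND.
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"'
                    r' /v "C:\ProgramData\Folder" /f'},
]

# The rule's literals, copied from the selection block.
IMAGE_SUFFIX = r"\reg.exe"
EXCLUSION_KEYS = [
    r"SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
    r"SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths",
]
REQUIRED_ALL = ["ADD ", "/t ", "REG_DWORD ", "/v ", "/d ", "0"]


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma 'endswith': case-insensitive suffix test."""
    return value.lower().endswith(suffix.lower())


def sigma_contains(value: str, needle: str) -> bool:
    """Sigma 'contains': case-insensitive substring test, no ordering implied."""
    return needle.lower() in value.lower()


def matches(event: dict) -> bool:
    """Evaluate the rule's single 'selection' against one process_creation event."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if not sigma_endswith(image, IMAGE_SUFFIX):
        return False
    # A list under a plain 'contains' is OR: any of the two exclusion keys.
    if not any(sigma_contains(cmd, key) for key in EXCLUSION_KEYS):
        return False
    # 'contains|all' is AND over every listed substring, in any order.
    return all(sigma_contains(cmd, token) for token in REQUIRED_ALL)


def detect(events: list) -> list:
    """Return the indices of events the rule fires on."""
    return [i for i, event in enumerate(events) if matches(event)]


if __name__ == "__main__":
    for i in detect(SAMPLE_EVENTS):
        print(f"alert: event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Two caveats fall straight out of the matching semantics. First, contains|all does not enforce order or adjacency, so the trailing '0' is satisfied by a zero anywhere in the command line (a path containing a digit 0 would do), which is why the '/d ' and 'REG_DWORD ' tokens carry most of the signal. Second, the rule is deliberately narrow to reg.exe; exclusions set through Add-MpPreference or direct registry API calls need their own coverage.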
Related rules
- AMSI Bypass Pattern Assembly GetType
- AMSI Disabled via Registry Modification
- ASLR Disabled Via Sysctl or Direct Syscall - Linux
- AWS GuardDuty Detector Deleted Or Updated
- AWS GuardDuty Important Change