Folder Removed From Exploit Guard ProtectedFolders List - Registry
Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard (Controlled Folder Access). This could indicate an attacker preparing to encrypt or otherwise tamper with data inside a previously protected folder.
Sigma rule

```yaml
title: Folder Removed From Exploit Guard ProtectedFolders List - Registry
id: 272e55a4-9e6b-4211-acb6-78f51f0b1b40
status: test
description: Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard (Controlled Folder Access). This could indicate an attacker preparing to encrypt or otherwise tamper with data inside a previously protected folder
references:
  - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-02-08
tags:
  - attack.defense-evasion
  - attack.t1562.001
logsource:
  category: registry_delete
  product: windows
detection:
  selection:
    EventType: DeleteValue
    TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders'
  condition: selection
falsepositives:
  - Legitimate administrators removing folders from the protected list (should always be investigated)
level: high
```
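To make the selection concrete, here is the rule's logic applied in Python to a few constructed Sysmon Event ID 12 records. This is an added example, not code from the Sigma rule or the SigmaHQ project; the events are made up for illustration and use the Sigma/Sysmon field names (EventType, TargetObject). It also shows a gap a practitioner should know about: the ProtectedFolders key holds one value per folder (value name is the folder path, data is a DWORD 0), so removing a single folder is a DeleteValue and fires the rule, but deleting the whole ProtectedFolders key is a DeleteKey event and does not match this selection.

```python
"""Sigma selection for the ProtectedFolders rule, run over constructed events.

Added example, not part of the original rule or page. Event records below are
constructed to look like Sysmon Event ID 12 after field mapping.
"""

# The two conditions of the rule's `selection` block.
SELECTION_EVENT_TYPE = "DeleteValue"
SELECTION_TARGET_SUBSTRING = (
    r"SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard"
    r"\Controlled Folder Access\ProtectedFolders"
)


def selection_matches(event: dict) -> bool:
    """Return True when the event satisfies both conditions of `selection`.

    Sigma string comparisons (plain equality and the `contains` modifier)
    are case-insensitive by default, so both sides are lower-cased here.
    """
    event_type = event.get("EventType", "")
    target = event.get("TargetObject", "")
    return (
        event_type.lower() == SELECTION_EVENT_TYPE.lower()
        and SELECTION_TARGET_SUBSTRING.lower() in target.lower()
    )


def run_detection(events):
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if selection_matches(e)]


# Constructed sample data (not real telemetry).
PF_KEY = (
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard"
    r"\Controlled Folder Access\ProtectedFolders"
)
AA_KEY = (
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard"
    r"\Controlled Folder Access\AllowedApplications"
)

SAMPLE_EVENTS = [
    # 1. One protected folder removed from the list -> alert.
    {"EventID": 12, "EventType": "DeleteValue",
     "TargetObject": PF_KEY + r"\C:\Users\alice\Documents"},
    # 2. Same thing, path logged in a different case -> still an alert,
    #    because Sigma matching is case-insensitive.
    {"EventID": 12, "EventType": "DeleteValue",
     "TargetObject": PF_KEY.lower() + r"\d:\finance"},
    # 3. An allowed application removed instead -> covered by a different
    #    rule, no alert here.
    {"EventID": 12, "EventType": "DeleteValue",
     "TargetObject": AA_KEY + r"\C:\Tools\backup.exe"},
    # 4. The entire ProtectedFolders key deleted in one go -> EventType is
    #    DeleteKey, so this rule stays silent although every folder is gone.
    {"EventID": 12, "EventType": "DeleteKey",
     "TargetObject": PF_KEY},
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit["EventType"], hit["TargetObject"])
```

Case 4 is the one worth remembering when tuning: if you want coverage for an attacker who wipes the whole list rather than individual entries, a companion selection on `EventType: DeleteKey` with `TargetObject|endswith: '\Controlled Folder Access\ProtectedFolders'` is needed; the rule as published does not provide it. Also note that the supported way to edit this list (Remove-MpPreference -ControlledFolderAccessProtectedFolders) produces the same DeleteValue event, which is why the false-positive note says to investigate rather than ignore.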
Related rules
- AMSI Bypass Pattern Assembly GetType
- AWS CloudTrail Important Change
- AWS Config Disabling Channel/Recorder
- AWS GuardDuty Important Change
- Add SafeBoot Keys Via Reg Utility