Folder Removed From Exploit Guard ProtectedFolders List - Registry
Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard (Controlled Folder Access). This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside the protected folder.
Sigma rule
title: Folder Removed From Exploit Guard ProtectedFolders List - Registry
id: 272e55a4-9e6b-4211-acb6-78f51f0b1b40
status: test
description: Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside the protected folder
references:
    - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/05
modified: 2023/02/08
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: registry_delete
    product: windows
detection:
    selection:
        EventType: DeleteValue
        TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders'
    condition: selection
falsepositives:
    - Legitimate administrators removing folders from the list (should always be investigated)
level: high
References
- https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
Related rules
- PUA - CleanWipe Execution
- Service StartupType Change Via PowerShell Set-Service
- Service StartupType Change Via Sc.EXE
- Windows Defender Configuration Changes
- Windows Defender Exclusions Added