Windows Defender Exclusions Added - Registry
Detects the setting of Windows Defender exclusions in the registry.
Sigma rule
title: Windows Defender Exclusions Added - Registry
id: a982fc9c-6333-4ffb-a51d-addb04e8b529
related:
    - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
      type: derived
status: test
description: Detects the Setting of Windows Defender Exclusions
references:
    - https://twitter.com/_nullbind/status/1204923340810543109
author: Christian Burkard (Nextron Systems)
date: 2021/07/06
modified: 2023/08/17
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: windows
    category: registry_set
detection:
    selection2:
        TargetObject|contains: '\Microsoft\Windows Defender\Exclusions'
    condition: selection2
falsepositives:
    - Administrator actions
level: medium
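The following is an added example, not part of the rule or the Sigma project: a Python sketch of the rule's `TargetObject|contains` match run over constructed registry_set events, which also splits out the exclusion category and the excluded item so an analyst can weigh the "Administrator actions" false positive. The `Image` field, the sample events and the `triage` and `hits` helpers are assumptions for illustration.

```python
import re

# Sigma's |contains modifier is a case-insensitive substring match.
NEEDLE = r"\Microsoft\Windows Defender\Exclusions".lower()

# Exclusions live in subkeys (Paths, Extensions, Processes, ...);
# the excluded item itself is the value name that follows the subkey.
_ITEM = re.compile(r"\\Exclusions\\([^\\]+)(?:\\(.+))?$", re.IGNORECASE)

# Constructed sample events (hypothetical hosts and values).
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\.tmp"},
    {"Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"hklm\software\microsoft\windows defender\exclusions\Processes\backup.exe"},
    {"Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
]


def triage(event):
    """Return None if the rule does not match, else triage details."""
    target = event.get("TargetObject", "")
    if NEEDLE not in target.lower():
        return None
    m = _ITEM.search(target)
    return {
        # Exclusions under \Policies\ are normally pushed by Group Policy.
        "policy_managed": "\\policies\\" in target.lower(),
        "category": m.group(1) if m else None,
        "excluded_item": m.group(2) if m else None,
        "image": event.get("Image"),
    }


def hits(events):
    """Apply the rule to every event and keep only the matches."""
    return [r for r in (triage(e) for e in events) if r is not None]


if __name__ == "__main__":
    for hit in hits(EVENTS):
        print(hit)
```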
Related rules
- Disable Exploit Guard Network Protection on Windows Defender
- Disable PUA Protection on Windows Defender
- Disable Privacy Settings Experience in Registry
- Disable Tamper Protection on Windows Defender
- Disable Windows Defender Functionalities Via Registry Keys