Suspicious Application Allowed Through Exploit Guard

Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings

Sigma rule (View on GitHub)

 1title: Suspicious Application Allowed Through Exploit Guard
 2id: 42205c73-75c8-4a63-9db1-e3782e06fda0
 3status: test
 4description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
 5references:
 6    - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022/08/05
 9modified: 2023/08/17
10tags:
11    - attack.defense_evasion
12    - attack.t1562.001
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection_key:
18        TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications'
19    selection_paths:
20        TargetObject|contains:
21            # Add more paths you don't allow in your org
22            - '\Users\Public\'
23            - '\AppData\Local\Temp\'
24            - '\Desktop\'
25            - '\PerfLogs\'
26            - '\Windows\Temp\'
27    condition: all of selection_*
28falsepositives:
29    - Unlikely
30level: high

References

Related rules

to-top