Suspicious Application Allowed Through Exploit Guard

Detects applications being added to the "allowed applications" list of Exploit Guard in order to bypass Controlled Folder Access settings. An entry under that registry key exempts the named binary from Controlled Folder Access, so an allow-list entry pointing into a user-writable location (Public, Temp, Desktop, PerfLogs) is the signal the rule looks for.

Sigma rule

title: Suspicious Application Allowed Through Exploit Guard
id: 42205c73-75c8-4a63-9db1-e3782e06fda0
status: experimental
description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
references:
    - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/05
modified: 2023/08/17
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_key:
        TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications'
    selection_paths:
        TargetObject|contains:
            # Add more paths you don't allow in your org
            - '\Users\Public\'
            - '\AppData\Local\Temp\'
            - '\Desktop\'
            - '\PerfLogs\'
            - '\Windows\Temp\'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
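To see how the two selections combine, the following is an added example (not part of the Sigma project or of this rule) that evaluates the rule's detection logic in Python over a few constructed registry_set records shaped like Sysmon EventID 13 fields. The key string and path fragments are copied from the rule; the event records, image paths and value names are invented for illustration. Sigma's `contains` modifier is case-insensitive by default, which the helper reproduces.

```python
# Added example: evaluates the rule's `all of selection_*` logic over
# constructed Sysmon registry_set (EventID 13) records. Not part of the
# Sigma project or of the rule above; all sample events are invented.

ALLOWED_APPS_KEY = (
    "SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard"
    "\\Controlled Folder Access\\AllowedApplications"
)

# selection_paths from the rule; extend with paths your org does not permit.
SUSPICIOUS_PATH_FRAGMENTS = [
    "\\Users\\Public\\",
    "\\AppData\\Local\\Temp\\",
    "\\Desktop\\",
    "\\PerfLogs\\",
    "\\Windows\\Temp\\",
]


def sigma_contains(value: str, needle: str) -> bool:
    """Sigma's `contains` modifier matches case-insensitively (no |cased)."""
    return needle.lower() in value.lower()


def matches_rule(event: dict) -> bool:
    """Evaluate the rule for one event.

    selection_key   -> TargetObject contains the AllowedApplications key
    selection_paths -> TargetObject contains any suspicious path fragment
    condition       -> all of selection_*  (both must be true)
    """
    target = event.get("TargetObject", "")
    selection_key = sigma_contains(target, ALLOWED_APPS_KEY)
    selection_paths = any(sigma_contains(target, p) for p in SUSPICIOUS_PATH_FRAGMENTS)
    return selection_key and selection_paths


def find_alerts(events: list) -> list:
    """Return the events that fire the rule, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample records (hypothetical values, Sysmon EventID 13 layout).
SAMPLE_EVENTS = [
    {   # allow-list entry pointing into a world-writable folder -> alert
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKLM\\" + ALLOWED_APPS_KEY + "\\C:\\Users\\Public\\updater.exe",
        "Details": "DWORD (0x00000000)",
    },
    {   # allow-list entry for a binary under Program Files -> no alert
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetObject": "HKLM\\" + ALLOWED_APPS_KEY + "\\C:\\Program Files\\Vendor\\app.exe",
        "Details": "DWORD (0x00000000)",
    },
    {   # suspicious path fragment but an unrelated key -> no alert
        "EventID": 13,
        "Image": "C:\\Windows\\explorer.exe",
        "TargetObject": "HKCU\\Software\\Classes\\Local Settings\\MuiCache\\C:\\Users\\Public\\tool.exe",
        "Details": "tool",
    },
    {   # same as the first case but with mixed case -> still an alert
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetObject": "HKLM\\" + ALLOWED_APPS_KEY.upper() + "\\C:\\WINDOWS\\TEMP\\stage.exe",
        "Details": "DWORD (0x00000000)",
    },
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert["Image"], "->", alert["TargetObject"])
```

The fourth record is the reason the case folding matters: a rule backend that compiled `contains` as a case-sensitive substring test would miss it, so when porting the rule to a SIEM whose query language is case-sensitive, lowercase the field or add an explicit case-insensitive operator.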
