Detects the removal of folders from the “ProtectedFolders” list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the p
title: Folder Removed From Exploit Guard ProtectedFolders List - Registry
id: 272e55a4-9e6b-4211-acb6-78f51f0b1b40
status: test
description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
references:
- https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-02-08
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_delete
product: windows
detection:
selection:
EventType: DeleteValue
TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders'
condition: selection
falsepositives:
- Legitimate administrators removing applications (should always be investigated)
level: high
imRegistry
| where EventType =~ "DeleteValue" and RegistryKey contains "SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\ProtectedFolders"DeviceRegistryEvents
| where ActionType =~ "DeleteValue" and RegistryKey contains "SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\ProtectedFolders"| Sentinel Table | Notes |
|---|---|
imRegistry | Ensure this data connector is enabled |