
Suspicious Application Allowed Through Exploit Guard

Format: sigma · Level: HIGH · Repository: SigmaHQ · Technique: T1685 · Table: imRegistry · Tags: evasion, exploit
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-26T23:00:01Z · Confidence: medium

Hunt Hypothesis

Detects an application being added to the "allowed applications" list of Windows Defender Exploit Guard in order to bypass Controlled Folder Access settings.

Detection Rule

Sigma (Original)

title: Suspicious Application Allowed Through Exploit Guard
id: 42205c73-75c8-4a63-9db1-e3782e06fda0
status: test
description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
references:
    - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection_key:
        TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications'
    selection_paths:
        TargetObject|contains:
            # Add more paths you don't allow in your org
            - '\Users\Public\'
            - '\AppData\Local\Temp\'
            - '\Desktop\'
            - '\PerfLogs\'
            - '\Windows\Temp\'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

KQL (Azure Sentinel)

imRegistry
| where RegistryKey contains "SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\AllowedApplications" and (RegistryValue contains "\\Users\\Public\\" or RegistryValue contains "\\AppData\\Local\\Temp\\" or RegistryValue contains "\\Desktop\\" or RegistryValue contains "\\PerfLogs\\" or RegistryValue contains "\\Windows\\Temp\\")

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where RegistryKey contains "SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\AllowedApplications" and (RegistryValueName contains "\\Users\\Public\\" or RegistryValueName contains "\\AppData\\Local\\Temp\\" or RegistryValueName contains "\\Desktop\\" or RegistryValueName contains "\\PerfLogs\\" or RegistryValueName contains "\\Windows\\Temp\\")
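
The rule's logic replayed over constructed registry events, as an added Python example that is not part of the SigmaHQ rule or of this page. It assumes the Sigma registry_set category maps to Sysmon Event ID 13 (SetValue) and that, for the AllowedApplications key, Sysmon's TargetObject carries the key path followed by the value name, which is the allowed application's full path; the sample records and field names are constructed for the replay.

```python
"""Offline replay of 'Suspicious Application Allowed Through Exploit Guard'.
Events are constructed records shaped like Sysmon Event ID 13 (RegistryEvent:
SetValue), the event type Sigma's registry_set category is assumed to map to."""
from typing import Dict, Iterable, List, Optional

# selection_key from the rule; Sigma string matching is case-insensitive by default
ALLOWED_APPS_KEY = (
    "SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard"
    "\\Controlled Folder Access\\AllowedApplications"
)

# selection_paths from the rule; extend with locations your org does not allow
SUSPICIOUS_PATH_FRAGMENTS: List[str] = [
    "\\Users\\Public\\",
    "\\AppData\\Local\\Temp\\",
    "\\Desktop\\",
    "\\PerfLogs\\",
    "\\Windows\\Temp\\",
]


def evaluate(event: Dict[str, object]) -> Optional[str]:
    """Return the suspicious path fragment that fired, or None if the event does not match.

    Mirrors 'condition: all of selection_*': TargetObject must contain the
    AllowedApplications key AND at least one listed path fragment. Because the
    value name under this key is the allowed application's full path, one field
    covers both selections.
    """
    if event.get("EventID") != 13:  # assumption: registry_set == Sysmon 13 (SetValue)
        return None
    target = str(event.get("TargetObject", "")).lower()
    if ALLOWED_APPS_KEY.lower() not in target:
        return None
    for fragment in SUSPICIOUS_PATH_FRAGMENTS:
        if fragment.lower() in target:
            return fragment
    return None


def hunt(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run the rule over an event stream and return hits enriched for triage."""
    hits: List[Dict[str, object]] = []
    for event in events:
        fragment = evaluate(event)
        if fragment is not None:
            hits.append({**event, "MatchedFragment": fragment, "Level": "high"})
    return hits


# Constructed sample events (not real telemetry).
KEY_PREFIX = "HKLM\\" + ALLOWED_APPS_KEY + "\\"
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # allowed app lives in a world-writable folder -> should fire
        "RecordId": 1, "EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": KEY_PREFIX + "C:\\Users\\Public\\updater.exe",
        "Details": "DWORD (0x00000000)",
    },
    {   # legitimate install location -> key matches, path does not -> no hit
        "RecordId": 2, "EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
        "TargetObject": KEY_PREFIX + "C:\\Program Files\\Vendor\\app.exe",
        "Details": "DWORD (0x00000000)",
    },
    {   # suspicious path but a different key under Controlled Folder Access -> no hit
        "RecordId": 3, "EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard"
                        "\\Controlled Folder Access\\ProtectedFolders\\C:\\Users\\Public\\Shared",
        "Details": "DWORD (0x00000000)",
    },
    {   # mixed case as the log may carry it; case-insensitive match still fires
        "RecordId": 4, "EventID": 13,
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetObject": KEY_PREFIX.lower() + "c:\\windows\\temp\\loader.exe",
        "Details": "DWORD (0x00000000)",
    },
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"[{hit['Level']}] record {hit['RecordId']}: {hit['Image']} -> "
              f"{hit['TargetObject']} (matched {hit['MatchedFragment']})")
```

Records 1 and 4 are the only hits: record 2 shows why the key match alone is not enough, and record 3 shows that a suspicious path under a sibling key (here ProtectedFolders) is out of scope for this rule. Feeding exported Sysmon events in the same shape through `hunt` is a quick way to confirm the rule's behaviour before enabling it in a SIEM.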

Required Data Sources

Sentinel table: imRegistry. Notes: ensure this data connector is enabled.

False Positive Guidance

The rule rates false positives as unlikely; tune selection_paths to the locations your organisation does not allow.

MITRE ATT&CK Context

Tagged in the rule: attack.defense-impairment, attack.t1685.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml