Attackers may modify the Windows Defender exclusion list to evade detection by excluding malicious files or processes from scanning, indicating potential malware persistence or execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats that attempt to bypass endpoint protection mechanisms.
Detection Rule
```yaml
title: Windows Defender Exclusion List Modified
id: 46a68649-f218-4f86-aea1-16a759d81820
related:
    - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d
      type: derived
    - id: a33f8808-2812-4373-ae95-8cfb82134978
      type: derived
status: test
description: |
    Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
references:
    - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
author: '@BarryShooshooga'
date: 2019-10-26
modified: 2023-11-11
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'
detection:
    selection:
        EventID: 4657 # A registry value was modified.
        ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
    condition: selection
falsepositives:
    - Intended exclusions by administrators
level: medium
```
Azure Sentinel query (ASIM imRegistry parser). Note that KQL `endswith` does no wildcard expansion, so a trailing `*` is matched literally and the original query never fires; `contains` with the trailing backslash mirrors the Sigma selection:

```kusto
imRegistry
| where RegistryKey contains "\\Microsoft\\Windows Defender\\Exclusions\\"
```
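As an added example (not part of the original rule or the Sentinel query), the same selection applied to constructed imRegistry-style records, with an allowlist of the acting processes that the false-positive scenarios below name as legitimate exclusion writers. Field names (`RegistryKey`, `ActingProcessName`, `ActorUsername`) and all sample values are assumptions; Sigma and KQL `contains` are case-insensitive, so the comparison is done on lowercased strings.

```python
import os

# Key fragment from the Sigma rule; compared case-insensitively like Sigma/KQL 'contains'.
EXCLUSION_KEY_FRAGMENT = "\\microsoft\\windows defender\\exclusions\\"

# Processes the false-positive scenarios list as legitimate writers of exclusions.
KNOWN_EXCLUSION_WRITERS = {"sqlservr.exe", "devenv.exe", "vssvc.exe"}

# Constructed sample records in imRegistry style (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4657,
     "RegistryKey": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths",
     "RegistryValue": "C:\\Users\\Public\\stage",
     "ActingProcessName": "C:\\Windows\\System32\\reg.exe", "ActorUsername": "CORP\\jdoe"},
    {"EventID": 4657,
     "RegistryKey": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes",
     "RegistryValue": "sqlservr.exe",
     "ActingProcessName": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe",
     "ActorUsername": "NT SERVICE\\MSSQLSERVER"},
    {"EventID": 4657,  # Defender key, but outside the Exclusions subtree: must not fire
     "RegistryKey": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection",
     "RegistryValue": "DisableRealtimeMonitoring",
     "ActingProcessName": "C:\\Windows\\System32\\reg.exe", "ActorUsername": "CORP\\jdoe"},
    {"EventID": 4663,  # object access, not a value modification: outside the rule
     "RegistryKey": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths",
     "RegistryValue": "C:\\Temp",
     "ActingProcessName": "C:\\Windows\\System32\\svchost.exe", "ActorUsername": "NT AUTHORITY\\SYSTEM"},
]

def matches_rule(event):
    """Sigma selection: EventID 4657 and the key contains the Exclusions fragment."""
    return event.get("EventID") == 4657 and EXCLUSION_KEY_FRAGMENT in event.get("RegistryKey", "").lower()

def triage(events, known_writers=KNOWN_EXCLUSION_WRITERS):
    """Split rule hits into alerts and hits suppressed by the known-application filter."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        # Backslash paths are normalised so basename works on any host.
        proc = os.path.basename(ev.get("ActingProcessName", "").replace("\\", "/")).lower()
        (suppressed if proc in known_writers else alerts).append(ev)
    return alerts, suppressed

if __name__ == "__main__":
    hits, quiet = triage(SAMPLE_EVENTS)
    for ev in hits:
        print(f"ALERT {ev['ActorUsername']} via {ev['ActingProcessName']} -> {ev['RegistryValue']}")
    print(f"{len(quiet)} hit(s) suppressed by the known-application filter")
```

The filter suppresses by process name only; pair it with the user, time-window and scheduled-task conditions from the scenarios before relying on it, since a process name alone is easy to spoof.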
False Positive Scenarios

**Scenario: Legitimate System Update or Patching Process**
Description: A system update or patching process may modify the Windows Defender exclusion list as part of its installation or configuration.
Filter/Exclusion: Check for modifications occurring during known patching windows (e.g., via SCCM, WSUS, or Microsoft Update) or within the context of a scheduled task like Microsoft AntiSpyware or Windows Defender Scheduled Scan.

**Scenario: Manual Exclusion via Group Policy or Local Policy**
Description: An administrator may manually add exclusions through Group Policy or the Local Group Policy Editor to exclude specific paths or files from scanning.
Filter/Exclusion: Filter events where the modification is initiated by a user with administrative privileges and occurs within the context of a known administrative task (e.g., gpedit.msc, secpol.msc, or via gpupdate /force).

**Scenario: Scheduled Job Adding Exclusions for Compliance**
Description: A scheduled job (e.g., using Task Scheduler) may add exclusions to meet compliance or operational requirements, such as excluding a specific log directory or temporary folder.
Filter/Exclusion: Filter events where the modification is performed by a scheduled task with a known name (e.g., ComplianceExclusionJob) or within a specific time window aligned with compliance checks.

**Scenario: Third-Party Application Adding Exclusions**
Description: A legitimate third-party application (e.g., SQL Server, Visual Studio, or a backup tool) may add exclusions to Windows Defender to prevent interference with its operations.
Filter/Exclusion: Filter events where the modification is initiated by a known application (e.g., sqlservr.exe, devenv.exe, or vssvc.exe) or within the context of its installation or configuration process.

**Scenario: User-