Windows Defender Exclusions Added - Registry

Hunt Hypothesis

Detects the Setting of Windows Defender Exclusions

Detection Rule

Sigma (Original)

title: Windows Defender Exclusions Added - Registry
id: a982fc9c-6333-4ffb-a51d-addb04e8b529
related:
    - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
      type: derived
status: test
description: Detects the Setting of Windows Defender Exclusions
references:
    - https://twitter.com/_nullbind/status/1204923340810543109
author: Christian Burkard (Nextron Systems)
date: 2021-07-06
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_set
detection:
    selection2:
        TargetObject|contains: '\Microsoft\Windows Defender\Exclusions'
    condition: selection2
falsepositives:
    - Administrator actions
level: medium

KQL (Azure Sentinel)

imRegistry
| where RegistryKey contains "\\Microsoft\\Windows Defender\\Exclusions"

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where RegistryKey contains "\\Microsoft\\Windows Defender\\Exclusions"

Required Data Sources

False Positive Guidance

• Administrator actions

MITRE ATT&CK Context

• Technique: T1685 — T1685

References

• https://twitter.com/_nullbind/status/1204923340810543109
• SigmaHQ Rule