T1562.001 - Defender Exclusions modification

Use the queries below to detect Windows Defender exclusion changes: the first watches the registry keys that hold exclusions directly, the second pulls the evidence attached to Defender's own alert for suspicious exclusions.


Query

// T1562.001 - Impair Defenses: Disable or Modify Tools
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey startswith 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions'

// T1562.001 - Impair Defenses: Disable or Modify Tools - Defender Alerts
AlertInfo
| where Title == "Suspicious Microsoft Defender Antivirus exclusion"
| join AlertEvidence on $left.AlertId == $right.AlertId
| project-reorder Timestamp, AlertId, DetectionSource, EntityType, EvidenceRole, FileName, FolderPath, RegistryKey, RegistryValueName, RegistryValueData
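
As an added example (not part of the gist), the first query's filter implemented in Python over constructed DeviceRegistryEvents-style rows, so the matching can be checked offline; it also records which exclusion subkey (Paths, Processes, ...) was written and by which process, and includes the ASR OnlyExclusions key suggested in the comment below. The column names are the advanced-hunting ones; the rows and device names are constructed.

```python
from dataclasses import dataclass

# Key prefixes from the page's query and from the ASR comment below it.
WATCHED_PREFIXES = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender"
    r"\Windows Defender Exploit Guard\ASR\ASROnlyExclusions",
)

@dataclass
class Finding:
    device: str
    category: str       # subkey under the prefix, e.g. "Paths" or "Processes"
    excluded_item: str  # Defender stores the excluded item as the value *name*
    process: str        # InitiatingProcessFileName of the writer

def exclusion_changes(events):
    """Mirror the hunting query: ActionType == "RegistryValueSet" and RegistryKey startswith a watched prefix (KQL startswith ignores case)."""
    findings = []
    for ev in events:
        if ev.get("ActionType") != "RegistryValueSet":
            continue
        key = ev.get("RegistryKey", "")
        for prefix in WATCHED_PREFIXES:
            if not key.lower().startswith(prefix.lower()):
                continue
            rest = key[len(prefix):].strip("\\")
            category = rest.split("\\")[0] if rest else prefix.rsplit("\\", 1)[1]
            findings.append(Finding(ev["DeviceName"], category,
                                    ev.get("RegistryValueName", ""),
                                    ev.get("InitiatingProcessFileName", "")))
            break
    return findings
# Constructed DeviceRegistryEvents-style rows (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "ActionType": "RegistryValueSet", "InitiatingProcessFileName": "powershell.exe",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "RegistryValueName": r"C:\Users\Public\stage"},
    {"DeviceName": "ws01", "ActionType": "RegistryValueDeleted", "InitiatingProcessFileName": "powershell.exe",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "RegistryValueName": r"C:\Users\Public\stage"},   # deletion: not a "Set", ignored
    {"DeviceName": "ws01", "ActionType": "RegistryValueSet", "InitiatingProcessFileName": "setup.exe",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "RegistryValueName": "Updater"},                  # unrelated key, ignored
    {"DeviceName": "ws02", "ActionType": "RegistryValueSet", "InitiatingProcessFileName": "reg.exe",
     "RegistryKey": r"hkey_local_machine\software\microsoft\windows defender"
                    r"\windows defender exploit guard\asr\asronlyexclusions",
     "RegistryValueName": r"C:\Tools\build.exe"},       # lower case still matches
]
```

Running `exclusion_changes(SAMPLE_EVENTS)` yields two findings: the Paths exclusion written by powershell.exe on ws01 and the ASROnlyExclusions entry written by reg.exe on ws02.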

Category

This query can be used to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-----------------------------|------------------|-------|
| Initial access              |                  |       |
| Execution                   |                  |       |
| Persistence                 |                  |       |
| Privilege escalation        |                  |       |
| Defense evasion             | v                | https://attack.mitre.org/techniques/T1562/001/ |
| Credential Access           |                  |       |
| Discovery                   |                  |       |
| Lateral movement            |                  |       |
| Collection                  |                  |       |
| Command and control         |                  |       |
| Exfiltration                |                  |       |
| Impact                      |                  |       |
| Vulnerability               |                  |       |
| Misconfiguration            |                  |       |
| Malware, component          |                  |       |

See also

Contributor info

Contributor: Alex Verboon

crtvrffnrt commented Jul 24, 2021

nice query:

you can add this to include ASC Exclusions:

// backslashes escaped as in the query above
| where RegistryKey startswith ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions") or RegistryKey startswith ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\ASROnlyExclusions")
