Use the queries below to detect Windows Defender exclusion changes: the first hunts for registry writes under the Defender exclusion key, the second pulls the Defender alerts raised for suspicious exclusions together with their evidence.

```kusto
// T1562.001 - Impair Defenses: Disable or Modify Tools
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey startswith 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions'
```

```kusto
// T1562.001 - Impair Defenses: Disable or Modify Tools - Defender Alerts
AlertInfo
| where Title == "Suspicious Microsoft Defender Antivirus exclusion"
| join AlertEvidence on $left.AlertId == $right.AlertId
| project-reorder Timestamp, AlertId, DetectionSource, EntityType, EvidenceRole, FileName, FolderPath, RegistryKey, RegistryValueName, RegistryValueData
```

This query can be used to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|---|---|---|
| Initial access | ||
| Execution | ||
| Persistence | ||
| Privilege escalation | ||
| Defense evasion | v | https://attack.mitre.org/techniques/T1562/001/ |
| Credential Access | ||
| Discovery | ||
| Lateral movement | ||
| Collection | ||
| Command and control | ||
| Exfiltration | ||
| Impact | ||
| Vulnerability | ||
| Misconfiguration | ||
| Malware, component | ||
Contributor: Alex Verboon
Nice query. You can add this to include ASC Exclusions:

```kusto
// Backslashes are doubled because KQL string literals treat a single \ as an escape.
| where RegistryKey startswith "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions" or RegistryKey startswith "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\ASROnlyExclusions"
```
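Added example, not from the original query page or its contributor: a Python replay of the registry hunt above, with the ASR-only exclusion key from the comment folded in, run over constructed DeviceRegistryEvents-style rows. It keeps the KQL's case-insensitive `startswith` and its RegistryValueSet-only scope, and labels each hit with the exclusion subkey it was written under; column names follow the advanced-hunting schema and every sample row is constructed.

```python
from typing import Optional

# Same prefixes as the KQL `startswith` clauses; the ASR-only key is the one the
# comment above suggests adding. KQL `startswith` is case-insensitive, so both
# sides are casefolded before comparing.
EXCLUSION_KEY_PREFIXES = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender"
    r"\Windows Defender Exploit Guard\ASR\ASROnlyExclusions",
)


def exclusion_kind(registry_key: str) -> Optional[str]:
    """Exclusion subkey the key falls under (Paths, Extensions, Processes,
    ASROnlyExclusions), or None if it is not an exclusion key at all."""
    for prefix in EXCLUSION_KEY_PREFIXES:
        if registry_key.casefold().startswith(prefix.casefold()):
            rest = registry_key[len(prefix):].strip("\\")
            # ASR-only exclusions are values directly under that key, no subkey.
            return rest.split("\\")[0] if rest else prefix.rsplit("\\", 1)[-1]
    return None


def hunt(events: list) -> list:
    """Mirror of the DeviceRegistryEvents query: RegistryValueSet under an
    exclusion key, oldest first, each row extended with ExclusionKind.
    Value deletions are not matched, exactly as in the KQL."""
    hits = []
    for e in events:
        kind = exclusion_kind(e.get("RegistryKey", ""))
        if e.get("ActionType") == "RegistryValueSet" and kind is not None:
            hits.append(dict(e, ExclusionKind=kind))
    return sorted(hits, key=lambda r: r["Timestamp"])


# Constructed sample rows using DeviceRegistryEvents column names.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-03-01T10:15:02Z", "DeviceName": "ws01", "ActionType": "RegistryValueSet",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "RegistryValueName": r"C:\Users\Public\tools", "InitiatingProcessFileName": "powershell.exe"},
    {"Timestamp": "2024-03-01T10:14:40Z", "DeviceName": "ws02", "ActionType": "RegistryValueSet",
     "RegistryKey": r"hkey_local_machine\software\microsoft\windows defender\windows defender exploit guard\asr\asronlyexclusions",
     "RegistryValueName": r"C:\Temp\agent.exe", "InitiatingProcessFileName": "svchost.exe"},
    {"Timestamp": "2024-03-01T10:16:00Z", "DeviceName": "ws01", "ActionType": "RegistryValueDeleted",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "RegistryValueName": r"C:\Users\Public\tools", "InitiatingProcessFileName": "powershell.exe"},
    {"Timestamp": "2024-03-01T10:17:00Z", "DeviceName": "ws01", "ActionType": "RegistryValueSet",
     "RegistryKey": r"HKEY_LOCAL_MACHINE\SOFTWARE\Contoso\Agent", "RegistryValueName": "Version",
     "InitiatingProcessFileName": "msiexec.exe"},
]
```

The deletion row is skipped on purpose: the page's query only watches RegistryValueSet, so an exclusion being removed would need a separate ActionType clause if you want to see it.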