Detection rules › Kusto Query Language

MosaicLoader

Source: upstream

This query looks Malware Hides Itself Among Windows Defender Exclusions to Evade Detection.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1562` Impair Defenses

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)
Security-Auditing	4657	A registry value was modified.
Defender-DeviceRegistryEvents	9005003	Registry value set

Stages and Predicates

Stage 1: `source`

DeviceRegistryEvents

Stage 2: `where`

and
  or
    RegistryKey starts_with "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions"
    RegistryKey starts_with "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes"
    RegistryKey starts_with "HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Paths"
  ActionType eq "RegistryValueSet"

Stage 3: `extend`

Stage 4: `extend`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`ActionType`	eq	`RegistryValueSet`
`RegistryKey`	starts_with	`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions` `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes` `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths`

MosaicLoader

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: where

Stage 3: extend

Stage 4: extend

Indicators

Stage 1: `source`

Stage 2: `where`

Stage 3: `extend`

Stage 4: `extend`