detection.wiki

Detection rules › Sigma

Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE

Severity
medium
Author
frack113
Source
upstream

Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1562.001 Impair Defenses: Disable or Modify Tools

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation
Security-Auditing4688A new process has been created.

Stages and Predicates

Stage 1: selection

or:
CommandLine|contains: 'SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'
CommandLine|contains: 'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
CommandLine|contains: '/d '
CommandLine|contains: '/t '
CommandLine|contains: '/v '
CommandLine|contains: 0
CommandLine|contains: 'ADD '
CommandLine|contains: 'REG_DWORD '
Image|endswith: '\reg.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • /d corpus 2 (sigma 2)
  • /t corpus 2 (sigma 2)
  • /v corpus 2 (sigma 2)
  • 0 corpus 4 (sigma 4)
  • ADD
  • REG_DWORD
  • SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
  • SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Imageends_with
  • \reg.exe corpus 46 (sigma 46)