Windows Defender Exploit Guard Tamper

Severity: high
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1562.001` Impair Defenses: Disable or Modify Tools

Event coverage

Provider	Event ID	Title
Windows-Defender	5007

Stages and Predicates

Stage 1: `all of allowed_apps_key`

NewValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\'

Stage 2: `all of allowed_apps_path`

or:
NewValue|contains: '\AppData\Local\Temp\'
NewValue|contains: '\Desktop\'
NewValue|contains: '\PerfLogs\'
NewValue|contains: '\Users\Public\'
NewValue|contains: '\Windows\Temp\'

Stage 3: `protected_folders`

OldValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`NewValue`	match	`\AppData\Local\Temp\` corpus 9 (sigma 9) `\Desktop\` corpus 3 (sigma 3) `\PerfLogs\` corpus 2 (sigma 2) `\Users\Public\` corpus 5 (sigma 5) `\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\` `\Windows\Temp\` corpus 4 (sigma 4)
`OldValue`	match	`\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\`