detection.wiki

Detection rules › Sigma

Windows Defender Exclusion Registry Key - Write Access Requested

Severity
medium
Author
@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1562.001 Impair Defenses: Disable or Modify Tools

Event coverage

ProviderEvent IDTitle
Security-Auditing4656A handle to an object was requested.
Security-Auditing4663An attempt was made to access an object.

Stages and Predicates

Stage 1: selection

or:
AccessList|contains: '%%4417'
AccessList|contains: '%%4418'
ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
AccessListmatch
  • %%4417 corpus 3 (sigma 3)
  • %%4418
ObjectNamematch
  • \Microsoft\Windows Defender\Exclusions\ corpus 2 (sigma 2)

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Share event IDs (chain-detection candidates)

Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.