sigmaDRL-1.1from SigmaHQ/sigma
Suspicious Application Allowed Through Exploit Guard
Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
Quality
84
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
title: Suspicious Application Allowed Through Exploit Guard
id: 42205c73-75c8-4a63-9db1-e3782e06fda0
status: test
description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
references:
- https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-08-17
tags:
- attack.defense-evasion
- attack.t1562.001
logsource:
category: registry_set
product: windows
detection:
selection_key:
TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications'
selection_paths:
TargetObject|contains:
# Add more paths you don't allow in your org
- '\Users\Public\'
- '\AppData\Local\Temp\'
- '\Desktop\'
- '\PerfLogs\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Unlikely
level: high