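title: Windows Defender Exploit Guard Tamper
id: a3ab73f1-bd46-4319-8f06-4b20d0617886
status: experimental
description: Detects when someone is adding or removing applications or folder from exploit guard "ProtectedFolders" and "AllowedApplications"
references:
    - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/05
modified: 2022/12/06
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: windows
    service: windefend
detection:
    # Case 1: a configuration change touches the Controlled Folder Access
    # "AllowedApplications" key (the new entry is carried in NewValue) ...
    allowed_apps_key:
        EventID: 5007 # The antimalware platform configuration changed.
        NewValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\'
    # ... and the newly allowed application sits in one of the locations the
    # organisation does not permit. Both selections must match (see condition).
    allowed_apps_path:
        NewValue|contains:
            # Add more paths you don't allow in your org
            - '\Users\Public\'
            - '\AppData\Local\Temp\'
            - '\Desktop\'
            - '\PerfLogs\'
            - '\Windows\Temp\'
    # Case 2: an entry disappears from the "ProtectedFolders" key. The removed
    # entry is carried in OldValue, so this selection matches on OldValue only.
    protected_folders:
        EventID: 5007 # The antimalware platform configuration changed.
        # This will trigger on any folder removal. If you experience FP's then add another selection with specific paths
        OldValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\'
    # 'all of allowed_apps*' requires allowed_apps_key AND allowed_apps_path;
    # a protected folder removal alerts on its own.
    condition: all of allowed_apps* or protected_folders
falsepositives:
    - Unlikely
level: high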