Windows Defender Exclusion List Modified
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects modifications to the Windows Defender exclusion registry key. This could indicate suspicious or malicious activity by an attacker adding a new exclusion in order to bypass security.
Detection logic

```yaml
selection:
  EventID: 4657
  ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\'
condition: selection
```
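The selection above is two ANDed conditions: Security event 4657 ("A registry value was modified") and a case-insensitive substring match on the registry path, which is what the Sigma `|contains` modifier means by default. The following Python is an added example, not part of the rule or of the Sigma project: it evaluates that selection over constructed event records shaped like 4657 event data (the field names `ObjectName`, `ObjectValueName`, `ProcessName` and `SubjectUserName` are from that event; the sample values are made up for this example) and produces a short triage summary of the matches.

```python
# Added example (not part of the Sigma rule page): apply the rule's selection
# to constructed Windows Security event records and triage the matches.
# Field names follow the Security log's event 4657 data (ObjectName,
# ObjectValueName, ProcessName, SubjectUserName); the sample events below are
# constructed for this example, not real log data.

RULE_EVENT_ID = 4657
# Backslashes are escaped; this is the literal fragment from the rule.
RULE_OBJECT_NAME_FRAGMENT = "\\Microsoft\\Windows Defender\\Exclusions\\"


def sigma_contains(value, fragment):
    """Sigma's `|contains` modifier: substring match, case-insensitive by default."""
    return fragment.lower() in str(value).lower()


def matches_rule(event):
    """True when the event satisfies `selection` (both conditions are ANDed)."""
    return (
        event.get("EventID") == RULE_EVENT_ID
        and sigma_contains(event.get("ObjectName", ""), RULE_OBJECT_NAME_FRAGMENT)
    )


def find_matches(events):
    """Return the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


def triage_summary(events):
    """One (user, process, exclusion subkey, value name) tuple per match."""
    rows = []
    for e in find_matches(events):
        # Last path component tells the analyst which exclusion type changed
        # (Paths, Processes, Extensions, ...).
        subkey = e["ObjectName"].rsplit("\\", 1)[-1]
        rows.append(
            (e.get("SubjectUserName"), e.get("ProcessName"), subkey, e.get("ObjectValueName"))
        )
    return rows


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {   # exclusion path added via reg.exe: should match
        "EventID": 4657,
        "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths",
        "ObjectValueName": "C:\\Users\\Public\\Tools",
        "ProcessName": "C:\\Windows\\System32\\reg.exe",
        "SubjectUserName": "jdoe",
    },
    {   # upper-cased path: Sigma contains is case-insensitive, should still match
        "EventID": 4657,
        "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\Processes",
        "ObjectValueName": "updater.exe",
        "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "SubjectUserName": "svc_deploy",
    },
    {   # registry modification elsewhere: not this rule's concern
        "EventID": 4657,
        "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
        "ObjectValueName": "OneDrive",
        "ProcessName": "C:\\Windows\\explorer.exe",
        "SubjectUserName": "jdoe",
    },
    {   # 4663 is an object access event, not a value modification: rule does not fire
        "EventID": 4663,
        "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths",
        "ProcessName": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
        "SubjectUserName": "SYSTEM",
    },
]


if __name__ == "__main__":
    for row in triage_summary(SAMPLE_EVENTS):
        print(row)
```

One caveat worth checking before relying on this rule: event 4657 is only written when the Registry subcategory of Object Access auditing is enabled and the key carries a SACL that audits Set Value operations. With default audit policy the Exclusions keys produce no 4657 events, so the rule is silent rather than wrong; confirming that the events actually reach the SIEM is part of deploying it.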