Techniques
Sample rules
Folder Removed From Exploit Guard ProtectedFolders List - Registry
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects the removal of folders from the “ProtectedFolders” list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
Detection logic
condition: selection
selection:
EventType: DeleteValue
TargetObject|contains: SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit
Guard\Controlled Folder Access\ProtectedFolders