sigmahighHunting

Folder Removed From Exploit Guard ProtectedFolders List - Registry

Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder

MITRE ATT&CK

T1562.001

defense-evasion

Detection Query

selection:
  EventType: DeleteValue
  TargetObject|contains: SOFTWARE\Microsoft\Windows Defender\Windows Defender
    Exploit Guard\Controlled Folder Access\ProtectedFolders
condition: selection

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-08-05

Data Sources

windowsRegistry Delete Events

Platforms

windows

References

https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/

Tags

attack.defense-evasionattack.t1562.001

Raw Content

title: Folder Removed From Exploit Guard ProtectedFolders List - Registry
id: 272e55a4-9e6b-4211-acb6-78f51f0b1b40
status: test
description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
references:
    - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-02-08
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: registry_delete
    product: windows
detection:
    selection:
        EventType: DeleteValue
        TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders'
    condition: selection
falsepositives:
    - Legitimate administrators removing applications (should always be investigated)
level: high