sigma | high | Hunting
Suspicious Application Allowed Through Exploit Guard
Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
Detection Query
selection_key:
    TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications'
selection_paths:
    TargetObject|contains:
        - '\Users\Public\'
        - '\AppData\Local\Temp\'
        - '\Desktop\'
        - '\PerfLogs\'
        - '\Windows\Temp\'
condition: all of selection_*
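To show how the two selections combine, here is the rule's logic evaluated in Python over constructed Sysmon Event ID 13 (registry value set) records. This is an added example, not code from the rule author or the Sigma project; the EventID 13 mapping for the registry_set logsource and the sample events are assumptions made for illustration.

```python
from typing import Dict, List

# Constructed sample Sysmon Event ID 13 (RegistryEvent: Value Set) records,
# i.e. what the Sigma 'registry_set' logsource maps to (assumed mapping).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # binary in a user-writable location allowed through CFA: should alert
        "EventID": "13",
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender "
                        "Exploit Guard\\Controlled Folder Access\\AllowedApplications\\"
                        "C:\\Users\\Public\\updater.exe",
    },
    {   # same key, binary under Program Files: key matches, path does not
        "EventID": "13",
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender "
                        "Exploit Guard\\Controlled Folder Access\\AllowedApplications\\"
                        "C:\\Program Files\\Vendor\\app.exe",
    },
    {   # Temp path under an unrelated key: path matches, key does not
        "EventID": "13",
        "Image": "C:\\Windows\\System32\\msiexec.exe",
        "TargetObject": "HKCU\\Software\\Vendor\\Installer\\LastPath\\"
                        "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.msi",
    },
]

# The two selections from the rule, transcribed from the detection block above.
ALLOWED_APPS_KEY = ("SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\"
                    "Controlled Folder Access\\AllowedApplications")
SUSPICIOUS_PATHS = ["\\Users\\Public\\", "\\AppData\\Local\\Temp\\", "\\Desktop\\",
                    "\\PerfLogs\\", "\\Windows\\Temp\\"]

def sigma_contains(value: str, needle: str) -> bool:
    """Sigma string matching is case-insensitive unless the |cased modifier is used."""
    return needle.lower() in value.lower()

def rule_matches(event: Dict[str, str]) -> bool:
    """Evaluate 'condition: all of selection_*' for one registry value-set event."""
    if event.get("EventID") != "13":          # not a registry_set event at all
        return False
    target = event.get("TargetObject", "")
    selection_key = sigma_contains(target, ALLOWED_APPS_KEY)
    # A list under a single field is an OR: any listed substring satisfies it.
    selection_paths = any(sigma_contains(target, p) for p in SUSPICIOUS_PATHS)
    return selection_key and selection_paths

def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that would raise this rule, for analyst review."""
    return [e for e in events if rule_matches(e)]
```

Only the first sample fires: the key alone (second event) or a suspicious path alone (third event) is not enough, which is what keeps legitimate allow-list entries for installed software out of the results.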
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-08-05
Data Sources
windows: Registry Set Events
Platforms
windows
Tags
attack.defense-evasion
attack.t1562.001
Raw Content
title: Suspicious Application Allowed Through Exploit Guard
id: 42205c73-75c8-4a63-9db1-e3782e06fda0
status: test
description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
references:
    - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-08-17
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_key:
        TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications'
    selection_paths:
        TargetObject|contains:
            # Add more paths you don't allow in your org
            - '\Users\Public\'
            - '\AppData\Local\Temp\'
            - '\Desktop\'
            - '\PerfLogs\'
            - '\Windows\Temp\'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high