Sigma rule | Level: medium | Type: Hunting
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
Detection Query
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains:
            - 'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
            - 'SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'
        CommandLine|contains|all:
            - 'ADD '
            - '/t '
            - 'REG_DWORD '
            - '/v '
            - '/d '
            - '0'
    condition: selection
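To make the selection logic above concrete, here is a small Python evaluator that applies the rule's three conditions (Image|endswith, CommandLine|contains, CommandLine|contains|all) to a handful of constructed process-creation events. This is an added example, not code from the Sigma project or from the rule author; the event dictionaries, file paths and value names are hypothetical test data, and the evaluator deliberately lower-cases both sides of every comparison because Sigma string modifiers are case-insensitive.

```python
"""Evaluate the rule's selection against constructed process-creation events.

Sigma string modifiers (endswith, contains, contains|all) compare
case-insensitively, so every comparison below lower-cases both sides.
"""

# Match criteria copied from the rule above.
IMAGE_SUFFIX = r"\reg.exe"
EXCLUSION_KEYS = [
    r"SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
    r"SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths",
]
REQUIRED_TOKENS = ["ADD ", "/t ", "REG_DWORD ", "/v ", "/d ", "0"]


def matches(event: dict) -> bool:
    """Return True when a single event satisfies the rule's 'selection'."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    # Image|endswith: '\reg.exe'
    if not image.endswith(IMAGE_SUFFIX.lower()):
        return False
    # CommandLine|contains: at least one of the two exclusion key paths
    if not any(key.lower() in cmdline for key in EXCLUSION_KEYS):
        return False
    # CommandLine|contains|all: every token must be present
    return all(token.lower() in cmdline for token in REQUIRED_TOKENS)


# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {   # a DWORD value written under the Defender exclusion key: the behaviour the rule targets
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r'reg ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" '
                       r'/v "C:\Users\user\AppData\Roaming\Example" /t REG_DWORD /d 0 /f',
    },
    {   # same reg.exe ADD syntax, but an unrelated key: no match
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r'reg ADD "HKCU\Software\Example" /v Setting /t REG_DWORD /d 0',
    },
    {   # read-only query of the exclusion key: no "ADD " token, no match
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r'reg QUERY "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"',
    },
    {   # mixed case is still matched because Sigma compares case-insensitively
        "Image": r"C:\Windows\System32\REG.EXE",
        "CommandLine": r'REG add "hklm\software\microsoft\windows defender\exclusions\paths" '
                       r'/v "C:\ProgramData\Example" /t reg_dword /d 0',
    },
]


def evaluate(events) -> list:
    """Apply the selection to every event and return the per-event verdicts."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("MATCH  " if hit else "ignore ", event["CommandLine"])
```

Two things the walkthrough makes visible. First, the `'0'` entry in `contains|all` carries almost no signal on its own (most command lines contain a zero somewhere); the discriminating parts are the exclusion key path and the `ADD ` token, which is why a read-only `reg QUERY` of the same key is ignored. Second, the rule only sees the `reg.exe` command line, so an exclusion written through another route (a PowerShell cmdlet or a direct registry API call) would not fire it; a registry value-set event source such as Sysmon Event ID 13 on the same key is the natural complement.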
Author
frack113
Created
2022-02-13
Data Sources
windows: Process Creation Events
Platforms
windows
References
- https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
- https://redcanary.com/threat-detection-report/threats/qbot/
Tags
attack.defense-evasion, attack.t1562.001
Raw Content
title: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
id: 48917adc-a28e-4f5d-b729-11e75da8941f
status: test
description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
references:
    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
    - https://redcanary.com/threat-detection-report/threats/qbot/
author: frack113
date: 2022-02-13
modified: 2023-02-04
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains:
            - 'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
            - 'SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'
        CommandLine|contains|all:
            - 'ADD '
            - '/t '
            - 'REG_DWORD '
            - '/v '
            - '/d '
            - '0'
    condition: selection
falsepositives:
    - Legitimate use
level: medium