← Back to Explore
sigmamediumHunting
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
MITRE ATT&CK
Detection Query
selection:
Image|endswith: \reg.exe
CommandLine|contains:
- SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
- SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
CommandLine|contains|all:
- "ADD "
- "/t "
- "REG_DWORD "
- "/v "
- "/d "
- "0"
condition: selection
Author
frack113
Created
2022-02-13
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-impairmentattack.t1685
Raw Content
title: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
id: 48917adc-a28e-4f5d-b729-11e75da8941f
status: test
description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
references:
- https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
- https://redcanary.com/threat-detection-report/threats/qbot/
author: frack113
date: 2022-02-13
modified: 2023-02-04
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\reg.exe'
CommandLine|contains:
- 'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
- 'SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'
CommandLine|contains|all:
- 'ADD '
- '/t '
- 'REG_DWORD '
- '/v '
- '/d '
- '0'
condition: selection
falsepositives:
- Legitimate use
level: medium