EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Windows Defender Exploit Guard Tamper

Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"

MITRE ATT&CK

T1685

Detection Query

allowed_apps_key:
  EventID: 5007
  NewValue|contains: \Windows Defender\Windows Defender Exploit Guard\Controlled
    Folder Access\AllowedApplications\
allowed_apps_path:
  NewValue|contains:
    - \Users\Public\
    - \AppData\Local\Temp\
    - \Desktop\
    - \PerfLogs\
    - \Windows\Temp\
protected_folders:
  EventID: 5007
  OldValue|contains: \Windows Defender\Windows Defender Exploit Guard\Controlled
    Folder Access\ProtectedFolders\
condition: all of allowed_apps* or protected_folders

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2022-08-05

Data Sources

windowswindefend

Platforms

windows

References

Tags

attack.defense-impairmentattack.t1685
Raw Content
title: Windows Defender Exploit Guard Tamper
id: a3ab73f1-bd46-4319-8f06-4b20d0617886
status: test
description: |
    Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"
references:
    - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2022-12-06
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: windefend
detection:
    allowed_apps_key:
        EventID: 5007 # The antimalware platform configuration changed.
        NewValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\'
    allowed_apps_path:
        NewValue|contains:
            # Add more paths you don't allow in your org
            - '\Users\Public\'
            - '\AppData\Local\Temp\'
            - '\Desktop\'
            - '\PerfLogs\'
            - '\Windows\Temp\'
    protected_folders:
        EventID: 5007 # The antimalware platform configuration changed.
        # This will trigger on any folder removal. If you experience FP's then add another selection with specific paths
        OldValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\'
    condition: all of allowed_apps* or protected_folders
falsepositives:
    - Unlikely
level: high