
Commit 3ecc305

authored
1 parent 5ded528 commit 3ecc305

1 file changed

Lines changed: 2 additions & 1 deletion


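--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -671,6 +671,7 @@
 <TargetObject name="T1089,Tamper-Defender" condition="end with">\SpynetReporting</TargetObject> <!--Windows:Defender: State modified via registry-->
 <TargetObject name="T1089,Tamper-Defender" condition="end with">DisableRealtimeMonitoring</TargetObject> <!--Windows:Defender: State modified via registry-->
 <TargetObject name="T1089,Tamper-Defender" condition="end with">\SubmitSamplesConsent</TargetObject> <!--Windows:Defender: State modified via registry-->
+<TargetObject name="T1562,Tamper-Defender" condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\</TargetObject> <!--Windows:Defender: Exclusions in policy key-->
 <!--Windows UAC tampering-->
 <TargetObject name="T1088" condition="end with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA</TargetObject> <!--Detect: UAC Tampering | Credit @ion-storm -->
 <TargetObject name="T1088" condition="end with">HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</TargetObject> <!--Detect: UAC Tampering | Credit @ion-storm -->
@@ -1156,4 +1157,4 @@
 <!--Cannot be filtered.-->
 
 </EventFiltering>
-</Sysmon>
+</Sysmon>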
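Review bot: The rule added at new line 674 matches only the Group Policy copy of the exclusion list, `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\`; exclusions configured locally rather than through policy are stored under `HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\`, which this line does not cover. Unless that key is already included in a part of the file outside this hunk (the enclosing registry rule group starts and ends beyond it), a sibling rule would close the gap: `<TargetObject name="T1562,Tamper-Defender" condition="begin with">HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\</TargetObject>`. The new rule is also tagged T1562 while the three Defender rules directly above it keep the older T1089 tag, so alerts grouped on the rule name will split across two labels; use one tag for the whole group. The comment `<!--Windows:Defender: Exclusions in policy key-->` could say that a write here may add or remove an exclusion, since the rule fires on any value under the key.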
