How to Use Azure Sentinel to Monitor for Windows Defender Exclusion Changes

There’s reports of a new bit of malware called MosaicLoader that, in addition to installing malware, modifies exclusions for Windows Defender to ensure its actions are effective and unnoticed. Read about that here: This New Malware Hides Itself Among Windows Defender Exclusions to Evade Detection (thehackernews.com)

So, it seems useful to be able to track for exclusion modifications on client systems. With Microsoft Defender for Endpoint connected to Azure Sentinel, you can use the following query to produce results for systems that have had exclusions modified or turn it into an Analytics Rule or Hunting Query.

DeviceRegistryEvents 
| where ((ActionType == "RegistryValueSet") and (RegistryKey startswith @"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths" 
or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions"
or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes"))

The most current version of this query will always be located in my GitHub repo here: SentinelKQL/DefenderExclusions.txt at master · rod-trent/SentinelKQL (github.com)

The query looks for the RegistryValueSet value (modifications) in the three exclusion paths in the registry.

Connecting Microsoft Defender for Endpoint provides the DeviceRegistryEvents table. There’s lots of great data to be gleaned from this table.

=========================

[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Azure Sentinel Newsletter]

Author