Threat Feed
high advisory

Windows Defender Exclusion Registry Modification

Adversaries modify Windows Defender exclusion registry entries to bypass antivirus and execute malicious code undetected, potentially leading to persistence and further malicious activities.

Attackers frequently attempt to disable or bypass Windows Defender to execute malware undetected. This is often achieved by modifying the Windows Defender exclusion registry entries. By adding exclusions, attackers can prevent Windows Defender from scanning specific files, folders, or processes. This technique allows malware to operate freely, potentially leading to system compromise. The reported activity focuses on modifications to the registry path “\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\”, which is a common target for threat actors. This technique can be observed across various malware families, including Remcos RAT, Qakbot, and XWorm, as well as in NetSupport RMM Tool Abuse scenarios, highlighting its versatility and effectiveness in defense evasion. Detecting and preventing these modifications is crucial for maintaining endpoint security.

Attack Chain

  1. Initial access is gained through various methods (not specified in source).
  2. The attacker elevates privileges to gain necessary permissions (not specified in source).
  3. The attacker modifies the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\ or similar paths.
  4. Specifically, the attacker adds or modifies registry values within the Exclusions key to exclude specific files, folders, or processes from Windows Defender scanning.
  5. The attacker verifies the successful creation or modification of the exclusion by querying the registry.
  6. Malicious code is then executed in the excluded location or process, bypassing Windows Defender’s real-time scanning.
  7. The attacker maintains persistence by ensuring the exclusion remains active across reboots.
  8. The attacker performs further malicious activities, such as data exfiltration or lateral movement, undetected by Windows Defender.

Impact

Successful modification of Windows Defender exclusion registry entries allows attackers to bypass antivirus protection. This can lead to the execution of malicious code without detection, enabling persistence, data exfiltration, and other malicious activities. The impact can range from individual system compromise to broader network infections, depending on the attacker’s objectives. Several malware families, including Remcos RAT, Qakbot, and XWorm, rely on this technique, demonstrating how widely it is adopted. A Microsoft blog post referenced destructive malware targeting Ukrainian organizations, suggesting potential for significant operational disruption.

Recommendation

  • Enable Sysmon Event ID 13 (RegistryEvent, value set) to capture registry value modifications; this is the data source the detections below require.
  • Deploy the Sigma rule Detect Windows Defender Exclusion Added to identify suspicious registry modifications related to Windows Defender exclusions.
  • Investigate any alerts generated by the Sigma rule, focusing on processes modifying the Windows Defender exclusion registry keys.
  • Review and audit existing Windows Defender exclusions to identify any unauthorized or suspicious entries.
  • Ensure the Sysmon TA is at least version 2.0, as the detection content requires, so that endpoint logs are ingested correctly.

Detection coverage (2 rules)

Detect Windows Defender Exclusion Added (severity: high)

Detects the addition of a Windows Defender exclusion by monitoring registry modifications in specific paths.

Format: sigma | Tactics: defense_evasion | Techniques: T1562.001 | Sources: registry_set, windows

Detect Windows Defender Exclusion Process Added (severity: high)

Detects the addition of a Windows Defender exclusion for a process by monitoring registry modifications in specific paths.

Format: sigma | Tactics: defense_evasion | Techniques: T1562.001 | Sources: registry_set, windows
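As an added example (not the advisory's text or the vendor's own rule logic), the following Python applies the checks the two rules above describe to constructed Sysmon Event ID 13 records: it flags value-set events under the Defender Exclusions key and reports whether a path, extension or process exclusion was added. The non-policy `HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions` key is an assumption, since the page names only the Policies path.

```python
# Registry key prefixes under which Defender exclusions live (compared case-insensitively).
EXCLUSION_KEYS = (
    "\\software\\policies\\microsoft\\windows defender\\exclusions\\",  # path named in the advisory
    "\\software\\microsoft\\windows defender\\exclusions\\",  # assumption: the non-policy key
)
# Subkey name -> exclusion type; the value name written under it is the excluded item.
EXCLUSION_TYPES = {"paths": "path", "extensions": "extension", "processes": "process"}

# Constructed Sysmon records (EventID 13 = RegistryEvent, value set); every value is made up.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2024-05-01 10:00:01",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2024-05-01 10:02:17",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\updater"},
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2024-05-01 10:02:40",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\helper.exe"},
    {"EventID": 12, "EventType": "CreateKey", "UtcTime": "2024-05-01 10:02:16",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Paths"},
]


def classify_exclusion(event):
    """Return (exclusion_type, excluded_item) if the record sets a Defender exclusion value, else None."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return None  # key creation (EID 12) alone carries no exclusion entry
    target = event.get("TargetObject", "")
    lowered = target.lower()
    for key in EXCLUSION_KEYS:
        idx = lowered.find(key)
        if idx == -1:
            continue
        subkey, _, item = target[idx + len(key):].partition("\\")  # "Paths\C:\..." -> ("Paths", "C:\...")
        kind = EXCLUSION_TYPES.get(subkey.lower())
        if kind and item:
            return kind, item
    return None


def scan(events):
    """Apply the detection to a batch of records; returns one alert dict per exclusion added."""
    alerts = []
    for ev in events:
        hit = classify_exclusion(ev)
        if hit:
            alerts.append({"time": ev["UtcTime"], "image": ev["Image"], "type": hit[0], "item": hit[1]})
    return alerts
```

Running `scan(SAMPLE_EVENTS)` yields two alerts (one path exclusion, one process exclusion) and ignores the unrelated Run key write and the bare key-creation event; the `image` field is what the recommendation above says to focus on when triaging.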

Detection queries are kept inside the platform.