{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/exclusion/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["windows","endpoint","registry","defender","exclusion","defense-evasion","malware"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers frequently attempt to disable or bypass Windows Defender to execute malware undetected. This is often achieved by modifying the Windows Defender exclusion registry entries. By adding exclusions, attackers can prevent Windows Defender from scanning specific files, folders, or processes. This technique allows malware to operate freely, potentially leading to system compromise. The reported activity focuses on modifications to the registry path \u0026ldquo;\u003cem\u003e\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\\u003c/em\u003e\u0026rdquo;, which is a common target for threat actors. This technique can be observed across various malware families, including Remcos RAT, Qakbot, and XWorm, as well as in NetSupport RMM Tool Abuse scenarios, highlighting its versatility and effectiveness in defense evasion. Detecting and preventing these modifications is crucial for maintaining endpoint security.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through various methods (not specified in source).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain necessary permissions (not specified in source).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry key \u003ccode\u003eHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\\u003c/code\u003e or similar paths.\u003c/li\u003e\n\u003cli\u003eSpecifically, the attacker adds or modifies registry values within the \u003ccode\u003eExclusions\u003c/code\u003e key to exclude specific files, folders, or processes from Windows Defender scanning.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the successful creation or modification of the exclusion by querying the registry.\u003c/li\u003e\n\u003cli\u003eMalicious code is then executed in the excluded location or process, bypassing Windows Defender\u0026rsquo;s real-time scanning.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by ensuring the exclusion remains active across reboots.\u003c/li\u003e\n\u003cli\u003eThe attacker performs further malicious activities, such as data exfiltration or lateral movement, undetected by Windows Defender.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of Windows Defender exclusion registry entries allows attackers to bypass antivirus protection. This can lead to the execution of malicious code without detection, enabling persistence, data exfiltration, and other malicious activities. The impact can range from individual system compromise to broader network infections, depending on the attacker\u0026rsquo;s objectives. Several malware families, including Remcos RAT, Qakbot, and XWorm, use this technique, demonstrating its widespread use. A Microsoft blog post referenced destructive malware targeting Ukrainian organizations, suggesting potential for significant operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 (RegistryEvent) to capture registry modifications, which is the data source required for the detections.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Windows Defender Exclusion Added\u003c/code\u003e to identify suspicious registry modifications related to Windows Defender exclusions.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on processes modifying the Windows Defender exclusion registry keys.\u003c/li\u003e\n\u003cli\u003eReview and audit existing Windows Defender exclusions to identify any unauthorized or suspicious entries.\u003c/li\u003e\n\u003cli\u003eEnsure the Sysmon TA is at least version 2.0 as mentioned in the content to properly ingest the logs from endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-defender-exclusion-registry-modification/","summary":"Adversaries modify Windows Defender exclusion registry entries to bypass antivirus and execute malicious code undetected, potentially leading to persistence and further malicious activities.","title":"Windows Defender Exclusion Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-defender-exclusion-registry-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Defender","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["windowsdefender","exclusion","defense-evasion","endpoint"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers often attempt to evade detection by security tools like Windows Defender. One common technique involves adding exclusions to prevent Defender from scanning or detecting malicious files, processes, or network activity. This is often achieved by using the \u003ccode\u003eAdd-MpPreference\u003c/code\u003e or \u003ccode\u003eSet-MpPreference\u003c/code\u003e PowerShell cmdlets, which can modify Defender\u0026rsquo;s configuration. These commands are used to specify files, folders, or processes that Defender should ignore during scans. Once an exclusion is successfully added, malicious code can execute without being detected by Windows Defender. This is a significant concern for defenders because it directly undermines the effectiveness of the built-in antivirus solution. The activity detected here stems from endpoint telemetry and can often be associated with malware families such as Remcos RAT, AgentTesla, ValleyRAT, XWorm and others.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access through various means, such as phishing emails or exploiting vulnerabilities in software.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: Once inside the system, the attacker escalates privileges to gain administrative access, which is required to modify Windows Defender settings.\u003c/li\u003e\n\u003cli\u003eDiscovery: The attacker performs reconnaissance to understand the system\u0026rsquo;s configuration, including the presence and configuration of Windows Defender.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker uses \u003ccode\u003eAdd-MpPreference\u003c/code\u003e or \u003ccode\u003eSet-MpPreference\u003c/code\u003e in PowerShell to add exclusions to Windows Defender, targeting specific files, folders, or processes used by the malware. This bypasses real-time scanning and detection.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes malicious code, which can now run without being detected by Windows Defender due to the added exclusions.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence by creating scheduled tasks or modifying registry keys, ensuring that the malicious code continues to run even after a system reboot. The exclusions remain in place to allow continued operation.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The malware establishes communication with a command and control (C2) server to receive further instructions and exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass Windows Defender, leading to undetected malware execution and potentially enabling further malicious activities, such as data theft, ransomware deployment, or system compromise. The number of affected systems depends on the scope of the initial compromise, but the impact can be widespread if the attacker gains access to critical systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the command-line arguments used when adding Defender exclusions, which is essential for triggering the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious \u003ccode\u003eAdd-MpPreference\u003c/code\u003e or \u003ccode\u003eSet-MpPreference\u003c/code\u003e usage and tune them to your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eAdd-MpPreference\u003c/code\u003e or \u003ccode\u003eSet-MpPreference\u003c/code\u003e commands, especially those initiated by unusual parent processes or users.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit Windows Defender exclusions to identify and remove any unauthorized or suspicious entries.\u003c/li\u003e\n\u003cli\u003eMonitor the references for IoCs related to malware families abusing Windows Defender exclusions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-defender-exclusion/","summary":"Adversaries use Add-MpPreference or Set-MpPreference commands to add exclusions in Windows Defender, allowing malicious code to execute undetected, and this activity can be detected via Endpoint Detection and Response (EDR) agents.","title":"Windows Defender Exclusion Added or Modified via Command Line","url":"https://feed.craftedsignal.io/briefs/2024-01-defender-exclusion/"}],"language":"en","title":"CraftedSignal Threat Feed — Exclusion","version":"https://jsonfeed.org/version/1.1"}