To bypass the security measures protecting HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths it is not needed to start an sophisticated attack.
HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware Circumvent wdfilter.sys protections That is because the System Center Endpoint Protection (SCEP) AV Client installed on those OS versions stores it’s configuration under: Legacy operating system are everything below Windows Server 2016.
If your environment still runs so called “legacy” OS versions, that do not have Defender AV built-in, you have to watch different registry keys. Those changes are detected and reported by most EDR solutions. The only way to create an exception here, is using the Defender AV GUI or the Defender AV PowerShell module Add-MPPrefence. PermissionDenied: (HKEY_LOCAL_MACH…xclusions\Paths:String), UnauthorizedAccessException Any attempt to create a new value is blocked. This registry key is protected by the kernel-mode driver (wdfilter.sys) and even the SYSTEM user is not able to create a new value in this key. The first and most often used location is HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths. This configuration is, depending on the configuration entity, at multiple places in the registry.
Let’s start with how Microsoft Defender AV stores it’s configuration for exclusions. Due to time constrains I only tested the latest versions. 😉 Affected products Operating systemsĪs far as I can tell this method works on all current Windows operating systems. Therefore it’s not easy to detect and could go undetected for security personnel which relies on those queries and products.Īnd before you dismiss this because it needs administrative permission, these days it’s quite easy to get SYSTEM. Because of the way the exclusion is created, most public guidelines and hunting queries on detecting this kind of change won’t detect it.Įven more troubling is the fact that Microsoft Defender for Endpoint will not log any of those changes made. A user with administrative permissions is able to create Defender AV exclusions without using the Add-MPPrefence cmdlet.
0 kommentar(er)
