title: Windows Defender Exclusions Added
author: Christian Burkard
date: 2021/07/06
description: Detects the Setting of Windows Defender Exclusions
detection:
  SELECTION_1:
    EventID: 5007
  SELECTION_2:
    New_Value: '*\Microsoft\Windows Defender\Exclusions*'
  condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Administrator actions
id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
level: medium
logsource:
  product: windows
  service: windefend
modified: 2021/10/13
references:
- https://twitter.com/_nullbind/status/1204923340810543109
status: stable
tags:
- attack.defense_evasion
- attack.t1089
- attack.t1562.001
ruletype: SIGMA