SwiftOnSecurity / sysmon-config

Sysmon configuration file template with default high-quality event tracing

Detect AV exclusions made in Policy Key #157

Closed f-bader closed 2 years ago

f-bader commented 3 years ago

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\ are not monitored and can be abused

https://cloudbrothers.info/en/create-persistent-defender-av-exclusions-circumvent-defender-endpoint-detection/
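A Sysmon rule fragment that would close the gap described in this issue, written as an added example for this page rather than taken from the sysmon-config repository. It assumes a Sysmon build whose schema supports `RegistryEvent` with the `begin with` condition (the `schemaversion` value is an assumption; match it to the installed Sysmon binary) and follows the repo's convention of carrying the MITRE ATT&CK mapping in the rule `name` attribute (T1562.001, "Impair Defenses: Disable or Modify Tools"). Matching key creations or value writes under the policy path produce Sysmon Event ID 12 (key create/delete) and Event ID 13 (value set), which a SIEM rule can then alert on:

```xml
<!-- Added example, not part of sysmon-config. Assumed schemaversion; use the one your Sysmon version reports. -->
<Sysmon schemaversion="4.30">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <RegistryEvent onmatch="include">
        <!-- Defender exclusions set through the Group Policy key are reported by the issue as unmonitored.
             Any subkey or value under this path is an AV exclusion (Paths, Processes, Extensions, ...). -->
        <TargetObject name="technique_id=T1562.001,technique_name=Disable or Modify Tools"
                      condition="begin with">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\</TargetObject>
      </RegistryEvent>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

When merging this into a full configuration, put the `TargetObject` line inside the existing `RegistryEvent onmatch="include"` group rather than adding a second `Sysmon` root, and verify with a test write to a value under that key that Event ID 13 shows up in `Microsoft-Windows-Sysmon/Operational` before relying on it.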