From 2b23118b0d01f9de2a459290e897ea707a48f7db Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 21 Sep 2021 10:16:25 +0200
Subject: [PATCH] split global win_defender_exclusions.yml

---
 .../windows/other/win_defender_exclusions.yml | 21 ++++----------
 .../registry_event_defender_exclusions.yml | 28 +++++++++++++++++++
 2 files changed, 33 insertions(+), 16 deletions(-)
 create mode 100644 rules/windows/registry_event/registry_event_defender_exclusions.yml

diff --git a/rules/windows/other/win_defender_exclusions.yml b/rules/windows/other/win_defender_exclusions.yml
index 5021ed75..3862ad15 100644
--- a/rules/windows/other/win_defender_exclusions.yml
+++ b/rules/windows/other/win_defender_exclusions.yml
@@ -1,7 +1,8 @@
-action: global
 title: Windows Defender Exclusions Added
+id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
 description: Detects the Setting of Windows Defender Exclusions
 date: 2021/07/06
+modified: 2021/09/21
 author: Christian Burkard
 references:
     - https://twitter.com/_nullbind/status/1204923340810543109
@@ -10,11 +11,6 @@ tags:
     - attack.defense_evasion
     - attack.t1089 # an old one
     - attack.t1562.001
-falsepositives:
-    - Administrator actions
-level: medium
----
-id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
 logsource:
     product: windows
     service: windefend
@@ -23,13 +19,6 @@ detection:
         EventID: 5007
         New Value|contains: '\Microsoft\Windows Defender\Exclusions'
     condition: selection1
----
-id: a982fc9c-6333-4ffb-a51d-addb04e8b529
-logsource:
-    product: windows
-    category: registry_event
-detection:
-    selection2:
-        EventID: 13
-        TargetObject|contains: '\Microsoft\Windows Defender\Exclusions'
-    condition: selection2
+falsepositives:
+    - Administrator actions
+level: medium
\ No newline at end of file
diff --git a/rules/windows/registry_event/registry_event_defender_exclusions.yml b/rules/windows/registry_event/registry_event_defender_exclusions.yml
new file mode 100644
index 00000000..1840ff84
--- /dev/null
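Review bot: The `+level: medium` line closing the third hunk is written without a terminating newline (`\ No newline at end of file`), and the new registry_event file in this same patch ends the same way; both rule files should end with a final newline so YAML linters and later diffs stay clean. After the split the windefend rule also keeps the generic `description: Detects the Setting of Windows Defender Exclusions` (context in the first hunk) word-for-word with its registry counterpart, so it no longer says which data source it covers; a wording such as `description: Detects the setting of Windows Defender exclusions via Defender operational log event 5007` would let an analyst tell the two alerts apart. The `selection1` block of the detection starts outside the third hunk.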
+++ b/rules/windows/registry_event/registry_event_defender_exclusions.yml
@@ -0,0 +1,28 @@
+title: Windows Defender Exclusions Added
+id: a982fc9c-6333-4ffb-a51d-addb04e8b529
+related:
+    - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
+      type: derived
+description: Detects the Setting of Windows Defender Exclusions
+date: 2021/07/06
+modified: 2021/09/21
+author: Christian Burkard
+references:
+    - https://twitter.com/_nullbind/status/1204923340810543109
+status: test
+tags:
+    - attack.defense_evasion
+    - attack.t1089 # an old one
+    - attack.t1562.001
+logsource:
+    product: windows
+    category: registry_event
+detection:
+    selection2:
+        #EventID: 13
+        EventType: SetValue
+        TargetObject|contains: '\Microsoft\Windows Defender\Exclusions'
+    condition: selection2
+falsepositives:
+    - Administrator actions
+level: medium
\ No newline at end of file
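Review bot: The `#EventID: 13` line left above `EventType: SetValue` in `selection2` is a dead commented-out field that gives no reason for the swap; either drop it or turn it into a why-comment, e.g. `# Sysmon Event ID 13 (registry value set) is expressed via the generic EventType field so the rule is not tied to one log source`. This new file also reuses the exact `title:` of the windefend rule it declares itself `derived` from, so both rules will surface under the same alert name; a distinguishing title such as `title: Windows Defender Exclusions Added - Registry` would keep them apart in triage. The contains match on `\Microsoft\Windows Defender\Exclusions` presumably also hits the policy-managed key path under `\Policies\`, which is fine for this purpose but worth stating in the description, and the `related` link only points from this file to the windefend rule, not back.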