From a483872fed1c5358a39e63088f14247c8b849f5c Mon Sep 17 00:00:00 2001 From: Michael Melone <64156578+mjmelone@users.noreply.github.com> Date: Fri, 11 Dec 2020 13:48:59 -0500 Subject: [PATCH] Create Changes to Antimalware Exclusions.md --- .../Changes to Antimalware Exclusions.md | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 Defense evasion/Changes to Antimalware Exclusions.md diff --git a/Defense evasion/Changes to Antimalware Exclusions.md b/Defense evasion/Changes to Antimalware Exclusions.md new file mode 100644 index 00000000..b8a99f80 --- /dev/null +++ b/Defense evasion/Changes to Antimalware Exclusions.md 
@@ -0,0 +1,36 @@ +# Changes to Antimalware Exclusions +This query identifies creations, deletions, and modifications to registry keys involved with +Defender Antivirus exclusions. +## Query +``` +DeviceRegistryEvents +| where RegistryKey contains @"\Microsoft\Windows Defender\Exclusions\" +| extend ExclusionType = trim_end('[e]?s',tolower(tostring(split(RegistryKey,'\\')[-1]))) +| project Timestamp, DeviceId, DeviceName, ActionType, ExclusionType, Exclusion = RegistryValueName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, RegistryKey, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessSHA256, InitiatingProcessSHA1, InitiatingProcessMD5 +``` +## Category +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. +| Technique, tactic, or state | Covered? (v=yes) | Notes | +|------------------------|----------|-------| +| Initial access | | | +| Execution | | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | v | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control | | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## Contributor info +**Contributor:** Michael Melone +**GitHub alias:** mjmelone +**Organization:** Microsoft +**Contact info:** @PowershellPoet +
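Review bot: the `where RegistryKey contains` line and the `project` line in the query produce rows with an empty `Exclusion` column for key-level events (for example `RegistryKeyCreated` of the `Exclusions\Paths` key itself, where `RegistryValueName` is not populated), so either document that these rows are expected or add `| where isnotempty(RegistryValueName)` if only the excluded items themselves are of interest. The `ExclusionType` derivation is sound for the documented subkeys (`Paths`, `Extensions`, `Processes` become `path`, `extension`, `process` after `trim_end('[e]?s', ...)`), but a one-line comment in the Markdown stating that intent would save the next reader from having to work out the regex. In the category table, the `Notes` cell for `Defense evasion` is empty; filling it with the ATT&CK mapping for modifying antivirus exclusions (Impair Defenses: Disable or Modify Tools, T1562.001) would make the query consistent with how the other entries in this repository reference techniques.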