From 527b8e2b9894abd2e791cc8d69bacacb1d0a3a58 Mon Sep 17 00:00:00 2001 From: Shivammalaviya <66640150+Shivammalaviya@users.noreply.github.com> Date: Wed, 21 Jul 2021 12:49:53 +0530 Subject: [PATCH] Create MosaicLoader --- Exploits/MosaicLoader | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 Exploits/MosaicLoader diff --git a/Exploits/MosaicLoader b/Exploits/MosaicLoader new file mode 100644 index 0000000..279cc1c --- /dev/null +++ b/Exploits/MosaicLoader @@ -0,0 +1,38 @@ +# MosaicLoader +This hunting query looks Malware Hides Itself Among Windows Defender Exclusions to Evade Detection +## Query + +DeviceRegistryEvents +| where ((ActionType == "RegistryValueSet") and (RegistryKey startswith @"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths" +or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions" +or RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes")) + +``` +## Category +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. +| Technique, tactic, or state | Covered? (v=yes) | Notes | +|------------------------|----------|-------| +| Initial access | | | +| Execution | | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | | | +| Collection | | | +| Command and control V +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Exploit | | | +| Misconfiguration | | | +| Malware, component | | | +| Ransomware | | | + + +## Contributor info +**Contributor:** Shviam Malaviya +**GitHub alias:** shviammalaviya +**Organization:** OS +**Contact info:** shivammalaviya@hotmail.com
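Review bot: the first `startswith` condition in the query never matches, because inside a KQL verbatim string (`@"..."`) backslashes are literal, so `@"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths"` looks for doubled backslashes that do not occur in `DeviceRegistryEvents.RegistryKey`; make it consistent with the two `Extensions` and `Processes` lines, which use single backslashes, e.g. `RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"`. The Markdown around the query is also broken: there is a closing ``` fence after the query but no opening one under `## Query`, so the query renders as prose; add an opening ```kusto fence (and consider giving the file a `.md` extension so GitHub renders it at all). The description line "This hunting query looks Malware Hides Itself Among Windows Defender Exclusions to Evade Detection" is not a sentence; something like "This hunting query looks for malware that adds itself to Windows Defender exclusions to evade detection" reads correctly. In the ATT&CK table the `| Command and control V` row is missing its cell delimiters and, more importantly, the wrong row is ticked: adding Defender exclusions is defense evasion (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools), and `Malware, component` could reasonably be ticked too, so move the `V` to those rows and restore the `| ... | V | |` layout. The contributor block misspells the name and alias (`Shviam Malaviya`, `shviammalaviya`) relative to the commit author `Shivammalaviya`. Finally, as written the query returns every exclusion change, including ones made by admins and management tooling; projecting `RegistryValueName`, `RegistryValueData`, `InitiatingProcessFileName` and `InitiatingProcessCommandLine`, and filtering out known deployment or configuration-management processes, would make it usable as a hunting query rather than an audit dump.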