Windows Defender Exclusions Added - PowerShell
Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
Sigma rule (View on GitHub)
1title: Windows Defender Exclusions Added - PowerShell
2id: c1344fa2-323b-4d2e-9176-84b4d4821c88
3related:
4 - id: 17769c90-230e-488b-a463-e05c08e9d48f
5 type: similar
6status: test
7description: Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
8references:
9 - https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html
10author: Tim Rauch, Elastic (idea)
11date: 2022-09-16
12modified: 2022-11-26
13tags:
14 - attack.defense-evasion
15 - attack.t1562
16 - attack.execution
17 - attack.t1059
18logsource:
19 category: ps_script
20 product: windows
21 definition: 'Requirements: Script Block Logging must be enabled'
22detection:
23 selection_args_exc:
24 ScriptBlockText|contains:
25 - ' -ExclusionPath '
26 - ' -ExclusionExtension '
27 - ' -ExclusionProcess '
28 - ' -ExclusionIpAddress '
29 selection_args_pref:
30 ScriptBlockText|contains:
31 - 'Add-MpPreference '
32 - 'Set-MpPreference '
33 condition: all of selection*
34falsepositives:
35 - Unknown
36level: medium
References
-
Windows Defender Exclusions Added via PowerShell edit Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process l...
Read More
Related rules
- Add Insecure Download Source To Winget
- Add New Download Source To Winget
- HackTool - Stracciatella Execution
- Install New Package Via Winget Local Manifest
- Payload Decoded and Decrypted via Built-in Utilities