Windows Defender Exclusions Added - PowerShell
Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
Sigma rule
title: Windows Defender Exclusions Added - PowerShell
id: c1344fa2-323b-4d2e-9176-84b4d4821c88
related:
    - id: 17769c90-230e-488b-a463-e05c08e9d48f
      type: similar
status: test
description: Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
references:
    - https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-16
modified: 2022-11-26
tags:
    - attack.defense-evasion
    - attack.t1562
    - attack.execution
    - attack.t1059
logsource:
    category: ps_script
    product: windows
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_args_exc:
        ScriptBlockText|contains:
            - ' -ExclusionPath '
            - ' -ExclusionExtension '
            - ' -ExclusionProcess '
            - ' -ExclusionIpAddress '
    selection_args_pref:
        ScriptBlockText|contains:
            - 'Add-MpPreference '
            - 'Set-MpPreference '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
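The following is an added example, not part of the rule or of Sigma's own code: a small Python re-implementation of the two selections and the "all of selection*" condition, run over constructed ScriptBlockText values of the kind PowerShell writes to Event ID 4104 when Script Block Logging is on. It assumes Sigma's default semantics for the contains modifier (case-insensitive substring match, OR across the list items). The sample events, including the two that slip past the rule, are made up for the demonstration.

```python
# Added example: Python emulation of the Sigma rule above over constructed
# PowerShell Event ID 4104 records. Not Sigma's code; sample events are made up.

# Selections copied from the rule. The leading/trailing spaces are part of each
# needle, so the match is on the parameter token, not on the bare word.
SELECTION_ARGS_EXC = (
    " -ExclusionPath ",
    " -ExclusionExtension ",
    " -ExclusionProcess ",
    " -ExclusionIpAddress ",
)
SELECTION_ARGS_PREF = (
    "Add-MpPreference ",
    "Set-MpPreference ",
)


def sigma_contains(value: str, needles) -> bool:
    """Emulate Sigma's default |contains modifier: case-insensitive substring, OR over the list."""
    haystack = value.casefold()
    return any(needle.casefold() in haystack for needle in needles)


def matches_rule(script_block_text: str) -> bool:
    """condition: all of selection*  -> both selections must hit the same script block."""
    return sigma_contains(script_block_text, SELECTION_ARGS_EXC) and sigma_contains(
        script_block_text, SELECTION_ARGS_PREF
    )


# Constructed sample events (the ScriptBlockText field of PowerShell Event ID 4104).
SAMPLE_EVENTS = [
    # 1: textbook exclusion add -> alert
    {"RecordId": 1, "ScriptBlockText": 'Add-MpPreference -ExclusionPath "C:\\Users\\Public\\stage"'},
    # 2: lower case and the Set-MpPreference variant -> alert (matching is case-insensitive)
    {"RecordId": 2, "ScriptBlockText": 'set-mppreference -exclusionprocess "powershell.exe" -Force'},
    # 3: read-only query of the current exclusions -> no alert
    {"RecordId": 3, "ScriptBlockText": "Get-MpPreference | Select-Object -ExpandProperty ExclusionPath"},
    # 4: Defender tampering without an -Exclusion* parameter -> outside this rule's scope
    {"RecordId": 4, "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    # 5: same effect via splatting; the literal " -ExclusionPath " never appears -> missed
    {"RecordId": 5, "ScriptBlockText": '$p = @{ ExclusionPath = "C:\\tools" }; Add-MpPreference @p'},
    # 6: abbreviated parameter name, which PowerShell accepts when unambiguous -> missed
    {"RecordId": 6, "ScriptBlockText": 'Add-MpPreference -ExclusionPa "C:\\tools"'},
    # 7: extension exclusion -> alert
    {"RecordId": 7, "ScriptBlockText": 'Add-MpPreference -ExclusionExtension ".ps1"'},
]


def run_rule(events):
    """Return the RecordIds of the events the rule would fire on."""
    return [e["RecordId"] for e in events if matches_rule(e["ScriptBlockText"])]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        flag = "ALERT " if matches_rule(e["ScriptBlockText"]) else "      "
        print(f'{e["RecordId"]}: {flag}{e["ScriptBlockText"]}')
    print("fired on:", run_rule(SAMPLE_EVENTS))
```

Events 4, 5 and 6 show the rule's boundaries: it is a literal-substring rule, so a script block that sets the exclusion through splatting, an abbreviated parameter name, or the `-ExclusionPath:value` colon syntax contains neither needle with its surrounding spaces and does not fire, and Defender tampering that uses other Set-MpPreference parameters is left to other rules. The related rule 17769c90-230e-488b-a463-e05c08e9d48f covers the same technique from the process-creation side, so the two are best deployed together.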
Related rules
- Add Insecure Download Source To Winget
- Add New Download Source To Winget
- Install New Package Via Winget Local Manifest
- Payload Decoded and Decrypted via Built-in Utilities
- Potential Arbitrary Command Execution Via FTP.EXE