Windows Defender Exclusions Added - PowerShell
Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
Sigma rule
title: Windows Defender Exclusions Added - PowerShell
id: c1344fa2-323b-4d2e-9176-84b4d4821c88
related:
    - id: 17769c90-230e-488b-a463-e05c08e9d48f
      type: similar
status: test
description: Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
references:
    - https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-16
modified: 2022-11-26
tags:
    - attack.defense-impairment
    - attack.t1685
    - attack.execution
    - attack.t1059
logsource:
    category: ps_script
    product: windows
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_args_exc:
        ScriptBlockText|contains:
            - ' -ExclusionPath '
            - ' -ExclusionExtension '
            - ' -ExclusionProcess '
            - ' -ExclusionIpAddress '
    selection_args_pref:
        ScriptBlockText|contains:
            - 'Add-MpPreference '
            - 'Set-MpPreference '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
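As an added example (not part of the rule or of the Sigma project's code), the rule's detection logic rendered in Python and run over constructed ScriptBlockText samples; it assumes Sigma's default case-insensitive `contains` matching and that `all of selection*` requires both selections to hit the same event.

```python
"""Added example: the rule's detection logic in Python, run over constructed
ScriptBlockText samples (Event ID 4104). Not part of the Sigma rule itself."""

# Values copied from the rule. Sigma string matching is case-insensitive by
# default, so both selections are compared in lowercase below.
EXCLUSION_ARGS = (
    " -ExclusionPath ",
    " -ExclusionExtension ",
    " -ExclusionProcess ",
    " -ExclusionIpAddress ",
)
PREFERENCE_CMDLETS = ("Add-MpPreference ", "Set-MpPreference ")


def selection_matches(script_block_text: str, values: tuple) -> bool:
    """A list under a `|contains` field is OR-ed: any one value is enough."""
    haystack = script_block_text.lower()
    return any(value.lower() in haystack for value in values)


def rule_matches(script_block_text: str) -> bool:
    """`condition: all of selection*`: both selections must hit the same event."""
    return selection_matches(script_block_text, PREFERENCE_CMDLETS) and selection_matches(
        script_block_text, EXCLUSION_ARGS
    )


# Constructed samples (assumed, not real telemetry). The first three should
# alert; the last two should not, because only one selection matches them.
SAMPLE_EVENTS = [
    r"Add-MpPreference -ExclusionPath C:\Temp",
    "set-mppreference -exclusionprocess explorer.exe",   # case-insensitive hit
    'Add-MpPreference -ExclusionExtension ".ps1"',
    "Get-MpPreference | Select-Object ExclusionPath",   # read-only query
    "Set-MpPreference -DisableRealtimeMonitoring $true",  # no exclusion argument
]


def evaluate(events):
    """Return the subset of script blocks the rule would alert on."""
    return [text for text in events if rule_matches(text)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit)
```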
Related rules
- HackTool - Stracciatella Execution
- AMSI Bypass Pattern Assembly GetType
- ESXi Syslog Configuration Change Via ESXCLI
- HackTool - CobaltStrike BOF Injection Pattern
- Kaspersky Endpoint Security Stopped Via CommandLine - Linux