Windows Defender Exclusions Added - PowerShell

Detects PowerShell script blocks that add Windows Defender exclusions: an Add-MpPreference or Set-MpPreference call combined with an -ExclusionPath, -ExclusionExtension, -ExclusionProcess or -ExclusionIpAddress parameter. Attackers use these exclusions to keep a staging directory, a dropped binary or a process out of scanning before running their payload (defense evasion, T1562). The rule reads PowerShell Script Block Logging (Event ID 4104), so that logging must be enabled for it to fire.

Sigma rule

title: Windows Defender Exclusions Added - PowerShell
id: c1344fa2-323b-4d2e-9176-84b4d4821c88
related:
    - id: 17769c90-230e-488b-a463-e05c08e9d48f
      type: similar
status: test
description: Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
references:
    - https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html
author: Tim Rauch, Elastic (idea)
date: 2022/09/16
modified: 2022/11/26
tags:
    - attack.defense_evasion
    - attack.t1562
    - attack.execution
    - attack.t1059
logsource:
    category: ps_script
    product: windows
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_args_exc:
        ScriptBlockText|contains:
            - ' -ExclusionPath '
            - ' -ExclusionExtension '
            - ' -ExclusionProcess '
            - ' -ExclusionIpAddress '
    selection_args_pref:
        ScriptBlockText|contains:
            - 'Add-MpPreference '
            - 'Set-MpPreference '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
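To see what the rule does and does not catch, here is the detection logic re-implemented and run over a handful of constructed script block entries. This is an added example, not code from the Sigma project or from the rule's author; the event records are made up for illustration and only mirror the ScriptBlockText field of a Windows 4104 event. It follows Sigma's default case-insensitive substring matching and the rule's `all of selection*` condition, which requires both selections to hit within the same script block.

```python
"""Re-implementation of the Sigma rule above (added example, not the project's code),
run over constructed PowerShell Script Block Logging entries."""

# Patterns copied from the rule. Sigma string matching is case-insensitive by
# default, so everything is compared in lower case. Note the surrounding spaces:
# the rule looks for the parameter as typed on the command line.
EXCLUSION_ARGS = (
    " -exclusionpath ",
    " -exclusionextension ",
    " -exclusionprocess ",
    " -exclusionipaddress ",
)
PREF_CMDLETS = ("add-mppreference ", "set-mppreference ")


def matches_rule(script_block_text: str) -> bool:
    """condition: all of selection* -> both selections must match the same block."""
    text = script_block_text.lower()
    hit_exclusion_arg = any(p in text for p in EXCLUSION_ARGS)
    hit_pref_cmdlet = any(p in text for p in PREF_CMDLETS)
    return hit_exclusion_arg and hit_pref_cmdlet


# Constructed sample events (not real telemetry). Only the ScriptBlockText field
# matters to this rule.
SAMPLE_EVENTS = [
    {"id": 1, "ScriptBlockText": 'Add-MpPreference -ExclusionPath "C:\\Users\\Public\\loader"'},
    {"id": 2, "ScriptBlockText": "Set-MpPreference -ExclusionExtension .exe,.dll"},
    {"id": 3, "ScriptBlockText": "ADD-MPPREFERENCE -EXCLUSIONPROCESS mshta.exe"},
    # Read-only query: mentions ExclusionPath but never passes it as a parameter.
    {"id": 4, "ScriptBlockText": "Get-MpPreference | Select-Object ExclusionPath"},
    # Other tampering, covered by the related rule rather than this one.
    {"id": 5, "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    # Splatting: same effect on Defender, but the literal ' -ExclusionPath ' never
    # appears in the script block text, so this rule alone does not fire.
    {"id": 6, "ScriptBlockText": "$p = @{ExclusionPath = 'C:\\Temp'}; Add-MpPreference @p"},
]


def alerting_event_ids(events) -> list:
    """Return the ids of the sample events the rule would alert on."""
    return [e["id"] for e in events if matches_rule(e["ScriptBlockText"])]


if __name__ == "__main__":
    print(alerting_event_ids(SAMPLE_EVENTS))  # [1, 2, 3]
```

Event 6 shows the caveat a detection engineer should keep in mind: the rule keys on the parameter name as typed with a leading space and hyphen, so hash-table splatting (or building the argument list in a variable) reaches the same Defender setting without producing the expected substring. Pairing this rule with a registry-based detection on the Defender exclusion keys, rather than relying on script block text alone, closes that gap.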
