Powershell Defender Exclusion
Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
Sigma rule (View on GitHub)
1title: Powershell Defender Exclusion
2id: 17769c90-230e-488b-a463-e05c08e9d48f
3related:
4 - id: c1344fa2-323b-4d2e-9176-84b4d4821c88
5 type: similar
6status: test
7description: Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
8references:
9 - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
10 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
11 - https://twitter.com/AdamTheAnalyst/status/1483497517119590403
12author: Florian Roth (Nextron Systems)
13date: 2021/04/29
14modified: 2022/05/12
15tags:
16 - attack.defense_evasion
17 - attack.t1562.001
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection1:
23 CommandLine|contains:
24 - 'Add-MpPreference '
25 - 'Set-MpPreference '
26 selection2:
27 CommandLine|contains:
28 - ' -ExclusionPath '
29 - ' -ExclusionExtension '
30 - ' -ExclusionProcess '
31 - ' -ExclusionIpAddress '
32 condition: all of selection*
33falsepositives:
34 - Possible Admin Activity
35 - Other Cmdlets that may use the same parameters
36level: medium
References
-
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Related rules
- AMSI Bypass Pattern Assembly GetType
- Azure Kubernetes Events Deleted
- Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
- Taskkill Symantec Endpoint Protection
- Win Defender Restored Quarantine File