Powershell Defender Exclusion

Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets

Sigma rule (View on GitHub)

 1title: Powershell Defender Exclusion
 2id: 17769c90-230e-488b-a463-e05c08e9d48f
 3related:
 4    - id: c1344fa2-323b-4d2e-9176-84b4d4821c88
 5      type: similar
 6status: test
 7description: Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
 8references:
 9    - https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
10    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
11    - https://twitter.com/AdamTheAnalyst/status/1483497517119590403
12author: Florian Roth (Nextron Systems)
13date: 2021/04/29
14modified: 2022/05/12
15tags:
16    - attack.defense_evasion
17    - attack.t1562.001
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection1:
23        CommandLine|contains:
24            - 'Add-MpPreference '
25            - 'Set-MpPreference '
26    selection2:
27        CommandLine|contains:
28            - ' -ExclusionPath '
29            - ' -ExclusionExtension '
30            - ' -ExclusionProcess '
31            - ' -ExclusionIpAddress '
32    condition: all of selection*
33falsepositives:
34    - Possible Admin Activity
35    - Other Cmdlets that may use the same parameters
36level: medium

References

Related rules

to-top