
Powershell Defender Exclusion

Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets

Author: Florian Roth (Nextron Systems)
Created: Thu Apr 29
Updated: Thu May 12
Rule ID: 17769c90-230e-488b-a463-e05c08e9d48f
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (2 selectors)
detection:
    selection1:
        CommandLine|contains:
            - 'Add-MpPreference '
            - 'Set-MpPreference '
    selection2:
        CommandLine|contains:
            - ' -ExclusionPath '
            - ' -ExclusionExtension '
            - ' -ExclusionProcess '
            - ' -ExclusionIpAddress '
    condition: all of selection*
False Positives

Possible Admin Activity

Other cmdlets that accept the same parameter names (the rule only fires when Add-MpPreference or Set-MpPreference also appears on the command line)
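To see how the two selections and the `all of selection*` condition behave, the following is an added example (not the rule's own code and not the Sigma project's engine): a minimal evaluator for this rule run over constructed process-creation events. It follows Sigma's default of case-insensitive substring matching for `contains`. The `CommandLine` field name comes from the rule; the event ids, paths and command lines are made up. Two of the events illustrate a caveat a practitioner should know: because the patterns carry literal surrounding spaces, an unambiguous abbreviated parameter name (`-ExclusionPa`, which PowerShell accepts) or the colon form (`-ExclusionPath:C:\Tools`) does not match the rule as written, and the Remove-MpPreference event shows why the false-positive note about other cmdlets applies only when Add/Set-MpPreference is also present.

```python
"""Minimal evaluator for the Sigma rule 'Powershell Defender Exclusion'.

Added example for this page; not the rule's own code and not Sigma's engine.
Events below are constructed, not real telemetry. The field name CommandLine
is taken from the rule; event ids, paths and command lines are assumptions.
"""

# The rule's two selections, copied from the detection block.
SELECTION1 = ["Add-MpPreference ", "Set-MpPreference "]
SELECTION2 = [
    " -ExclusionPath ",
    " -ExclusionExtension ",
    " -ExclusionProcess ",
    " -ExclusionIpAddress ",
]


def contains_any(value: str, needles: list) -> bool:
    """Sigma `contains` modifier: substring test, case-insensitive by default."""
    haystack = value.lower()
    return any(needle.lower() in haystack for needle in needles)


def rule_matches(event: dict) -> bool:
    """condition: all of selection* -> both selections must hit CommandLine."""
    command_line = event.get("CommandLine", "")
    return contains_any(command_line, SELECTION1) and contains_any(
        command_line, SELECTION2
    )


# Constructed process-creation events (assumed ids and command lines).
SAMPLE_EVENTS = [
    # 1: folder exclusion via Add-MpPreference -> fires
    {"id": 1, "CommandLine": 'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\\Users\\Public\\Tools "'},
    # 2: process exclusion via Set-MpPreference -> fires
    {"id": 2, "CommandLine": "powershell.exe Set-MpPreference -ExclusionProcess explorer.exe -Force"},
    # 3: Remove-MpPreference takes the same parameter, but selection1 fails -> no match
    {"id": 3, "CommandLine": "powershell.exe Remove-MpPreference -ExclusionPath C:\\Temp"},
    # 4: Set-MpPreference without an Exclusion* parameter -> out of scope, no match
    {"id": 4, "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    # 5: upper-cased variant -> still fires, contains is case-insensitive
    {"id": 5, "CommandLine": "POWERSHELL.EXE ADD-MPPREFERENCE -EXCLUSIONPATH C:\\Tools "},
    # 6: abbreviated (unambiguous) parameter name PowerShell accepts -> missed
    {"id": 6, "CommandLine": "powershell.exe Add-MpPreference -ExclusionPa C:\\Tools"},
    # 7: colon parameter syntax, no trailing space after the parameter -> missed
    {"id": 7, "CommandLine": "powershell.exe Add-MpPreference -ExclusionPath:C:\\Tools"},
]


def evaluate(events: list) -> dict:
    """Map each event id to whether the rule fires on it."""
    return {event["id"]: rule_matches(event) for event in events}


if __name__ == "__main__":
    for event_id, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {'ALERT' if hit else 'no match'}")
```

Events 6 and 7 are the ones to weigh when tuning: both are legitimate PowerShell syntax for the same action, and neither contains the space-delimited strings the rule looks for, so a backend that preserves the literal spaces will not alert on them.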

Rule Metadata
Rule ID
17769c90-230e-488b-a463-e05c08e9d48f
Status
test
Level
medium
Type
Detection
Created
Thu Apr 29
Modified
Thu May 12
Path
rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml
Raw Tags
attack.defense-evasion
attack.t1562.001