Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Windows Defender Exclusions Added - PowerShell

Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Tim Rauch, Elastic SecurityCreated Fri Sep 16Updated Sat Nov 26c1344fa2-323b-4d2e-9176-84b4d4821c88windows
Log Source
WindowsPowerShell Script
ProductWindows← raw: windows
CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic
Detection Logic2 selectors
detection:
    selection_args_exc:
        ScriptBlockText|contains:
            - ' -ExclusionPath '
            - ' -ExclusionExtension '
            - ' -ExclusionProcess '
            - ' -ExclusionIpAddress '
    selection_args_pref:
        ScriptBlockText|contains:
            - 'Add-MpPreference '
            - 'Set-MpPreference '
    condition: all of selection*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
elastic.co
MITRE ATT&CK
Related Rules
SimilarDetectionmedium

Powershell Defender Exclusion

Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
c1344fa2-323b-4d2e-9176-84b4d4821c88
Status
test
Level
medium
Type
Detection
Created
Fri Sep 16
Modified
Sat Nov 26
Author
Tim Rauch, Elastic Security
Path
rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
Raw Tags
attack.defense-evasionattack.t1562attack.executionattack.t1059
View on GitHub