Techniques
Sample rules
Powershell Windows Defender Exclusion Commands
- source: splunk
- techniques:
  - T1562.001
Description
The following analytic detects the use of PowerShell commands to add or set Windows Defender exclusions. It leverages EventCode 4104 to identify suspicious Add-MpPreference or Set-MpPreference commands with exclusion parameters. This activity is significant because adversaries often use it to bypass Windows Defender, allowing malicious code to execute without detection. If confirmed malicious, this behavior could enable attackers to evade antivirus defenses, maintain persistence, and execute further malicious activities undetected.
Detection logic
`powershell` EventCode=4104 (ScriptBlockText = "*Add-MpPreference *" OR ScriptBlockText = "*Set-MpPreference *") AND ScriptBlockText = "*-exclusion*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_windows_defender_exclusion_commands_filter`
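The rule's matching conditions applied to constructed EventCode 4104 records, as an added example that is not part of the Splunk content. The function names, the sample events and the parameter-extraction regex are assumptions made for illustration; the regex goes one step beyond the rule by pulling out what was excluded, for triage.

```python
import re

# Constructed sample 4104 records; field names follow the SPL above.
SAMPLE_EVENTS = [
    {"dest": "WS01", "ScriptBlockId": "sb-0001",
     "ScriptBlockText": r'Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads"'},
    {"dest": "WS02", "ScriptBlockId": "sb-0002",
     "ScriptBlockText": "set-mppreference -exclusionextension .tmp"},
    {"dest": "WS03", "ScriptBlockId": "sb-0003",
     "ScriptBlockText": "Get-MpPreference | Select-Object -Property Exclusion*"},
    {"dest": "WS04", "ScriptBlockId": "sb-0004",
     "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $false"},
]

# Hypothetical triage helper: each -Exclusion* parameter and its first argument.
EXCLUSION_RE = re.compile(
    r'''-(Exclusion\w+)\s+("[^"]*"|'[^']*'|[^\s;|]+)''', re.IGNORECASE)


def matches_rule(script_block_text):
    """Same wildcard conditions as the SPL; Splunk search matching is case-insensitive."""
    text = script_block_text.lower()
    has_cmdlet = "add-mppreference " in text or "set-mppreference " in text
    return has_cmdlet and "-exclusion" in text


def triage(events):
    """Return one finding per matching event, with the excluded items listed."""
    findings = []
    for ev in events:
        text = ev["ScriptBlockText"]
        if not matches_rule(text):
            continue
        exclusions = [(name, value.strip("\"'"))
                      for name, value in EXCLUSION_RE.findall(text)]
        findings.append({"dest": ev["dest"],
                         "ScriptBlockId": ev["ScriptBlockId"],
                         "exclusions": exclusions})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The read-only Get-MpPreference query and the Set-MpPreference call without an exclusion parameter are not flagged, which matches the scope of the rule.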
Windows Defender Exclusion Registry Entry
- source: splunk
- techniques:
  - T1562.001
Description
The following analytic detects modifications to the Windows Defender exclusion registry entries. It leverages endpoint registry data to identify changes in the registry path “\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\”. This activity is significant because adversaries often modify these entries to bypass Windows Defender, allowing malicious code to execute without detection. If confirmed malicious, this behavior could enable attackers to evade antivirus defenses, maintain persistence, and execute further malicious activities undetected.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\*") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product
| `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_defender_exclusion_registry_entry_filter`