LoFP / admin or user may choose to use this windows features.

Techniques

• T1562
• T1562.001

Sample rules

Powershell Windows Defender Exclusion Commands

• source: splunk
• technicques:
  • T1562.001
  • T1562

Description

This analytic will detect a suspicious process commandline related to windows defender exclusion feature. This command is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for defense evasion and to look further for events after this behavior.

Detection logic

`powershell` EventCode=4104 (ScriptBlockText = "*Add-MpPreference *" OR ScriptBlockText = "*Set-MpPreference *") AND ScriptBlockText = "*-exclusion*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest 
| rename UserID as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `powershell_windows_defender_exclusion_commands_filter`

Windows Defender Exclusion Registry Entry

• source: splunk
• technicques:
  • T1562.001
  • T1562

Description

This analytic will detect a suspicious process that modify a registry related to windows defender exclusion feature. This registry is abused by adversaries, malware author and red teams to bypassed Windows Defender Anti-Virus product by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This is a good indicator for a defense evasion and to look further for events after this behavior.

Detection logic

| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\*") BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid 
| `drop_dm_object_name(Registry)` 
| where isnotnull(registry_value_data) 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_defender_exclusion_registry_entry_filter`