Powershell Defender Exclusion
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
Detection logic
detection:
  selection1:
    CommandLine|contains:
      - 'Add-MpPreference '
      - 'Set-MpPreference '
  selection2:
    CommandLine|contains:
      - ' -ExclusionPath '
      - ' -ExclusionExtension '
      - ' -ExclusionProcess '
      - ' -ExclusionIpAddress '
  condition: all of selection*
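To make the matching semantics of the rule concrete, the following Python snippet evaluates the detection logic above over a handful of constructed process-creation events. It is an added illustration, not code from the rule page or from the Sigma project; it assumes the events carry a CommandLine field, implements Sigma's default case-insensitive `contains` (OR across the listed values) and the `all of selection*` condition (AND across selections), and the sample command lines are constructed, not real telemetry.

```python
"""Evaluate the 'Powershell Defender Exclusion' detection logic over
constructed process-creation events. Added example, not part of the
rule page or the Sigma project; all sample events below are constructed."""

# Selections transcribed from the rule: each is a CommandLine|contains list.
SELECTIONS = {
    "selection1": ["Add-MpPreference ", "Set-MpPreference "],
    "selection2": [
        " -ExclusionPath ",
        " -ExclusionExtension ",
        " -ExclusionProcess ",
        " -ExclusionIpAddress ",
    ],
}


def selection_matches(command_line: str, needles: list[str]) -> bool:
    """Sigma 'contains' with a list of values is an OR over the values;
    string matching is case-insensitive by default."""
    haystack = command_line.lower()
    return any(n.lower() in haystack for n in needles)


def rule_matches(event: dict) -> bool:
    """'all of selection*' requires every selection whose name starts with
    'selection' to match, i.e. an AND across selection1 and selection2."""
    command_line = event.get("CommandLine", "")
    return all(
        selection_matches(command_line, needles)
        for name, needles in SELECTIONS.items()
        if name.startswith("selection")
    )


def matching_events(events: list[dict]) -> list[str]:
    """Return the command lines of the events that trigger the rule."""
    return [e["CommandLine"] for e in events if rule_matches(e)]


# Constructed sample events (assumed field names, not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Both selections match: cmdlet plus an exclusion parameter.
    {"Image": PS,
     "CommandLine": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Temp"'},
    # Same, written in lower case: still matched (case-insensitive contains).
    {"Image": PS,
     "CommandLine": "powershell.exe set-mppreference -exclusionprocess notepad.exe"},
    # Read-only query of preferences: neither selection matches.
    {"Image": PS, "CommandLine": "powershell.exe Get-MpPreference"},
    # Removing an exclusion: selection2 matches but selection1 does not,
    # so the AND condition is not met and no alert is raised.
    {"Image": PS, "CommandLine": r"powershell.exe Remove-MpPreference -ExclusionPath C:\Temp"},
]


if __name__ == "__main__":
    for cmd in matching_events(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

Note the leading and trailing spaces inside the rule's values: they anchor the match on whitespace-delimited tokens, so the cmdlet must be followed by an argument and the exclusion parameter must be surrounded by spaces. When validating this rule in a given environment, check how the log source renders quoting and separators in CommandLine, since that decides whether those space-padded substrings are present.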