Windows Defender Exclusions Added via PowerShell
Elastic Stack Serverless Security
Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format: https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math; see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Defense Evasion
Version: 3
Rule authors:
- Elastic
Rule license: Elastic License v2
Microsoft Windows Defender is an anti-virus product built into Microsoft Windows. Since this software product is
used to prevent and stop malware, it's important to monitor which exclusions are added to the product's configuration
settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more
notable examples was observed in 2018, where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.
- With this specific rule, it's entirely possible to trigger detections on network administrative activity or benign users
using scripting and PowerShell to configure the different exclusions for Windows Defender. Therefore, it's important to
identify the source of the activity first and determine whether there is any malicious intent behind the events.
- The actual exclusion, such as the process, file or directory, should be reviewed in order to determine the original
intent behind the exclusion. Is the excluded file or process malicious in nature, or is it related to software that
legitimately needs to be whitelisted from Windows Defender?
- This rule has a higher chance of producing false positives, because exclusions are commonly configured by network
administrators. To validate the activity further, review the specific exclusion that was made and determine the
original intent behind it. There are often many legitimate reasons why exclusions are made in Windows Defender, so it's
important to gain context around the exclusion.
Related rules:
- Windows Defender Disabled via Registry Modification
- Disabling Windows Defender Security Settings via PowerShell
Response and remediation:
- Since this is related to post-exploitation activity, immediate response should be taken to review, investigate and
potentially isolate further activity.
- If further analysis showed malicious intent was behind the Defender exclusions, administrators should remove
the exclusion and ensure antimalware capability has not been disabled or deleted.
- Exclusion lists for antimalware capabilities should always be routinely monitored for review.
Rule query:
process where event.type == "start" and
(process.name : ("powershell.exe", "pwsh.exe") or process.pe.original_file_name : ("powershell.exe", "pwsh.exe")) and
process.args : ("*Add-MpPreference*-Exclusion*", "*Set-MpPreference*-Exclusion*")
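As an added example (not code from the Elastic rule or its documentation), the Python below re-implements the query's matching semantics, including the case-insensitive wildcard `:` operator and the fallback to the PE original file name for a renamed host, over a few constructed ECS-shaped events, and adds a small triage helper that pulls out the excluded path, process or extension so the exclusion can be reviewed as the guide asks. The sample events, the helper and its recognised parameter names (-ExclusionPath, -ExclusionProcess, -ExclusionExtension) are assumptions made for illustration.

```python
import re

# Constructed sample events in the ECS shape the rule reads; not real telemetry.
SAMPLE_EVENTS = [
    {"event": {"type": "start"},  # folder exclusion added in one quoted token: should fire
     "process": {"name": "powershell.exe", "pe": {"original_file_name": "PowerShell.EXE"},
                 "args": ["powershell.exe", "-c", "Add-MpPreference -ExclusionPath C:\\Users\\Public\\tools"]}},
    {"event": {"type": "start"},  # renamed host binary, caught via original_file_name; lower case
     "process": {"name": "updater.exe", "pe": {"original_file_name": "pwsh.exe"},
                 "args": ["updater.exe", "set-mppreference -exclusionprocess backup.exe,sync.exe"]}},
    {"event": {"type": "start"},  # read-only audit of the settings: must not fire
     "process": {"name": "powershell.exe", "pe": {"original_file_name": "PowerShell.EXE"},
                 "args": ["powershell.exe", "Get-MpPreference"]}},
    {"event": {"type": "start"},  # cmdlet and parameter tokenised into separate args
     "process": {"name": "pwsh.exe", "pe": {"original_file_name": "pwsh.exe"},
                 "args": ["pwsh.exe", "-Command", "Add-MpPreference", "-ExclusionExtension", ".ps1"]}},
]

PROCESS_NAMES = ("powershell.exe", "pwsh.exe")
ARG_PATTERNS = ("*Add-MpPreference*-Exclusion*", "*Set-MpPreference*-Exclusion*")
# Assumed parameter set for the triage helper; value runs until the next "-Param" or end of token.
EXCLUSION_RE = re.compile(r"-(Exclusion(?:Path|Process|Extension))\s+(.+?)(?=\s+-\w|$)", re.IGNORECASE)


def eql_match(value, pattern):
    """EQL ':' operator: case-insensitive whole-string compare where '*' matches anything."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value or "", re.IGNORECASE | re.DOTALL) is not None


def rule_matches(event):
    """Evaluate the rule query above against a single process event."""
    if event.get("event", {}).get("type") != "start":
        return False
    proc = event.get("process", {})
    names = (proc.get("name"), proc.get("pe", {}).get("original_file_name"))
    if not any(eql_match(n, p) for n in names for p in PROCESS_NAMES):
        return False
    # Patterns are tested per array element, so cmdlet and parameter must share one token.
    return any(eql_match(a, p) for a in proc.get("args", []) for p in ARG_PATTERNS)


def extract_exclusions(event):
    """Triage helper (not part of the rule): (parameter, value) pairs for the analyst to review."""
    found = []
    for arg in event.get("process", {}).get("args", []):
        for param, raw in EXCLUSION_RE.findall(arg):
            found += [(param.lower(), v.strip().strip("'\"")) for v in raw.split(",") if v.strip()]
    return found
```

The fourth event shows a coverage caveat: when the host tokenises the cmdlet and its parameter into separate args, the per-element wildcard does not fire, so comparing the joined command line as well closes that gap.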
Framework: MITRE ATT&CK™
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Impair Defenses
- ID: T1562
- Reference URL: https://attack.mitre.org/techniques/T1562/
Sub-technique:
- Name: Indicator Blocking
- ID: T1562.006
- Reference URL: https://attack.mitre.org/techniques/T1562/006/
Sub-technique:
- Name: Disable or Modify Tools
- ID: T1562.001
- Reference URL: https://attack.mitre.org/techniques/T1562/001/
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
Sub-technique:
- Name: PowerShell
- ID: T1059.001
- Reference URL: https://attack.mitre.org/techniques/T1059/001/