Threat Feed advisory (severity: medium)

Windows Defender Exclusions Added via PowerShell

Adversaries may attempt to bypass Windows Defender by using PowerShell to add exclusions for folders or processes. This activity can be detected by monitoring PowerShell command lines that invoke `Add-MpPreference` or `Set-MpPreference` with exclusion parameters.

Attackers may attempt to evade detection by modifying Windows Defender’s configuration so that specific files, folders, or processes are excluded from scanning. This is most often done with PowerShell commands that add exclusions, which lets malware run without being flagged by the built-in antivirus. The technique was observed as early as 2018, when Trickbot disabled Windows Defender, and it remains in use today. The change is made with the Add-MpPreference or Set-MpPreference cmdlets, specifying the exclusion by path or by process name. Detecting these modifications is critical for maintaining the integrity of endpoint security. The scope of targeting ranges from individual workstations to entire networks.

Attack Chain

  1. The attacker gains initial access to the system via an undisclosed method.
  2. The attacker executes PowerShell with administrative privileges.
  3. The attacker uses the Add-MpPreference or Set-MpPreference cmdlet to add an exclusion.
  4. The exclusion specifies a file path, folder, or process that should be ignored by Windows Defender.
  5. Windows Defender is reconfigured to ignore the specified item.
  6. The attacker deploys or executes malware in the excluded location.
  7. The malware operates without interference from Windows Defender.
  8. The attacker achieves their final objective, such as data theft or lateral movement.

Impact

A successful exclusion lets attackers operate undetected on compromised systems, which can lead to data breaches, lateral movement within the network, and deployment of ransomware. While the exact number of victims is unknown, this technique is widely used by many threat actors and affects organizations across sectors. Because the activity goes undetected, compromises can persist for long periods, increasing the potential damage.

Recommendation

  • Deploy the Sigma rule “Windows Defender Exclusions Added via PowerShell” to your SIEM to detect suspicious PowerShell commands used to add exclusions.
  • Enable Sysmon process creation logging with command line auditing to capture the necessary event data for the Sigma rule.
  • Regularly review Windows Defender exclusion lists to identify any unauthorized or suspicious entries.
  • Investigate any PowerShell process that uses Add-MpPreference or Set-MpPreference with exclusion parameters, as identified by the provided Sigma rule.
  • Monitor for processes and file modifications within excluded directories.
  • Configure alerts to notify security teams when new Windows Defender exclusions are added.
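The following is an added illustration of the detection logic the Sigma rule and Sysmon recommendations above describe, written here as Python over constructed Sysmon Event ID 1 records; it is not the vendor's rule. It assumes the Sysmon field names `Image` and `CommandLine`, and it also decodes `-EncodedCommand` payloads so that the cmdlet and exclusion parameter are visible when the command line is base64-encoded.

```python
import base64
import re

# A PowerShell -EncodedCommand value is base64 of the UTF-16LE script text; the
# switch may be abbreviated (-e, -ec, -enc, ...), so match those prefixes only.
ENCODED_RE = re.compile(r"(?i)(?<!\S)-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]+)")
# Only Add-/Set-MpPreference change preferences; Get-MpPreference is read-only.
CMDLET_RE = re.compile(r"(?i)\b(add|set)-mppreference\b")
# PowerShell resolves any unambiguous parameter prefix (e.g. -ExclusionPa), so
# match "-Exclusion" plus any trailing letters rather than the full names.
EXCLUSION_RE = re.compile(r"(?i)-exclusion[a-z]*")
PS_HOSTS = ("\\powershell.exe", "\\pwsh.exe", "\\powershell_ise.exe")


def expand_encoded(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload to cmdline, if one is present."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not a valid payload; leave the line as logged
    return cmdline + " " + decoded


def is_exclusion_change(event: dict) -> bool:
    """True when a PowerShell host runs Add/Set-MpPreference with an exclusion parameter."""
    if not event.get("Image", "").lower().endswith(PS_HOSTS):
        return False
    cmd = expand_encoded(event.get("CommandLine", ""))
    return bool(CMDLET_RE.search(cmd)) and bool(EXCLUSION_RE.search(cmd))


def find_exclusion_changes(events):
    """Return the (decoded) command lines of every matching event."""
    return [expand_encoded(e["CommandLine"]) for e in events if is_exclusion_change(e)]


def _enc(script: str) -> str:
    """Helper to build a constructed -EncodedCommand sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample records: two exclusion changes (one encoded), one read-only
# query, and one non-PowerShell process.
SAMPLE_EVENTS = [
    {"Image": PS, "CommandLine": r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\Users\Public"'},
    {"Image": PS, "CommandLine": "powershell.exe -nop -w hidden -enc " + _enc('Set-MpPreference -ExclusionProcess "svc.exe"')},
    {"Image": PS, "CommandLine": r'powershell.exe -Command "Get-MpPreference | Select ExclusionPath"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c dir C:\Users\Public"},
]

if __name__ == "__main__":
    for hit in find_exclusion_changes(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

A real deployment would add an allowlist for paths your administrators legitimately exclude (as the second rule in the coverage list below does) rather than alerting on every match.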

Detection coverage (2 rules)

Windows Defender Exclusion Added via PowerShell

medium

Detects the use of PowerShell to add Windows Defender exclusions.

Type: Sigma. Tactics: defense_evasion. Techniques: T1562.001. Sources: process_creation, windows.

Suspicious PowerShell MpPreference Modification

medium

Detects suspicious modifications to MpPreference settings via PowerShell, excluding legitimate paths.

Type: Sigma. Tactics: defense_evasion. Techniques: T1562.001. Sources: process_creation, windows.

Detection queries are kept inside the platform.