Severity: high (advisory)

Windows Defender Exclusion Added or Modified via Command Line

Adversaries use the Add-MpPreference or Set-MpPreference cmdlets to add exclusions to Windows Defender so that malicious code can execute undetected; the activity is observable through Endpoint Detection and Response (EDR) agent telemetry.

Attackers often attempt to evade detection by security tools like Windows Defender. One common technique involves adding exclusions to prevent Defender from scanning or detecting malicious files, processes, or network activity. This is often achieved by using the Add-MpPreference or Set-MpPreference PowerShell cmdlets, which can modify Defender’s configuration. These commands are used to specify files, folders, or processes that Defender should ignore during scans. Once an exclusion is successfully added, malicious code can execute without being detected by Windows Defender. This is a significant concern for defenders because it directly undermines the effectiveness of the built-in antivirus solution. The activity detected here stems from endpoint telemetry and can often be associated with malware families such as Remcos RAT, AgentTesla, ValleyRAT, XWorm and others.

Attack Chain

  1. Initial Access: The attacker gains initial access through various means, such as phishing emails or exploiting vulnerabilities in software.
  2. Privilege Escalation: Once inside the system, the attacker escalates privileges to gain administrative access, which is required to modify Windows Defender settings.
  3. Discovery: The attacker performs reconnaissance to understand the system’s configuration, including the presence and configuration of Windows Defender.
  4. Defense Evasion: The attacker uses Add-MpPreference or Set-MpPreference in PowerShell to add exclusions to Windows Defender, targeting specific files, folders, or processes used by the malware. This bypasses real-time scanning and detection.
  5. Execution: The attacker executes malicious code, which can now run without being detected by Windows Defender due to the added exclusions.
  6. Persistence: The attacker establishes persistence by creating scheduled tasks or modifying registry keys, ensuring that the malicious code continues to run even after a system reboot. The exclusions remain in place to allow continued operation.
  7. Command and Control: The malware establishes communication with a command and control (C2) server to receive further instructions and exfiltrate data.

Impact

Successful exploitation allows attackers to bypass Windows Defender, leading to undetected malware execution and potentially enabling further malicious activities, such as data theft, ransomware deployment, or system compromise. The number of affected systems depends on the scope of the initial compromise, but the impact can be widespread if the attacker gains access to critical systems.

Recommendation

  • Enable Sysmon process creation logging to capture the command-line arguments used when adding Defender exclusions, which is essential for triggering the rules below.
  • Deploy the Sigma rules provided in this brief to your SIEM to detect suspicious Add-MpPreference or Set-MpPreference usage and tune them to your environment.
  • Investigate any instances of Add-MpPreference or Set-MpPreference commands, especially those initiated by unusual parent processes or users.
  • Regularly review and audit Windows Defender exclusions to identify and remove any unauthorized or suspicious entries.
  • Monitor the references for IoCs related to malware families abusing Windows Defender exclusions.

Detection coverage (2 rules)

Detect Windows Defender Exclusion Added via PowerShell

Severity: high

Detects the use of Add-MpPreference or Set-MpPreference cmdlets in PowerShell to add exclusions to Windows Defender.

Rule type: sigma. Tactics: defense_evasion. Sources: process_creation, windows.

Detect Windows Defender Exclusion Added via Command Line

Severity: medium

Detects the use of cmd.exe to execute PowerShell commands to add exclusions in Windows Defender.

Rule type: sigma. Tactics: defense_evasion. Sources: process_creation, windows.
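The two rules above, expressed as detection logic over Sysmon Event ID 1 (process creation) records, as an added example that is not the vendor's Sigma rule or platform code. The events are constructed for illustration; the regexes are a simplification of Sigma string matching, and the four exclusion parameters (-ExclusionPath, -ExclusionProcess, -ExclusionExtension, -ExclusionIpAddress) are the real parameters of Add-/Set-MpPreference, which the brief itself does not enumerate.

```python
import re

# Constructed Sysmon Event ID 1 records reduced to the fields the two rules use.
# Paths, users and values are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": r'powershell.exe -nop -w hidden Add-MpPreference -ExclusionPath "C:\Users\alice\AppData\Roaming"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c powershell -Command "Set-MpPreference -ExclusionProcess svchost32.exe"'},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'pwsh.exe -c "Add-MpPreference -ExclusionExtension exe"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe Get-MpPreference"},  # benign audit, must not fire
]

MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# The four exclusion parameters of Add-/Set-MpPreference plus the value that follows each.
EXCLUSION = re.compile(r"-Exclusion(Path|Process|Extension|IpAddress)\s+[\"']?([^\"'\s]+)",
                       re.IGNORECASE)


def detect_exclusion(event):
    """Apply the two rules to one event; return a triage dict on a hit, else None."""
    cmd, image = event["CommandLine"], event["Image"].lower()
    m = EXCLUSION.search(cmd)
    if not (MP_CMDLET.search(cmd) and m):
        return None
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        rule, severity = "Defender Exclusion Added via PowerShell", "high"
    elif image.endswith("\\cmd.exe") and re.search(r"powershell|pwsh", cmd, re.IGNORECASE):
        rule, severity = "Defender Exclusion Added via Command Line", "medium"
    else:
        return None
    # Parent image and the excluded value are what an analyst needs first when triaging.
    return {"rule": rule, "severity": severity, "type": m.group(1),
            "value": m.group(2), "parent": event["ParentImage"]}


def scan(events):
    """Run detect_exclusion over a batch of events and collect the hits."""
    return [hit for hit in map(detect_exclusion, events) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['rule']}: {hit['type']}={hit['value']} (parent {hit['parent']})")
```

Tuning for your environment means allow-listing the parent processes and accounts that legitimately manage exclusions (software deployment tooling, configuration management), not the cmdlets themselves.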
