Severity: high

PowerShell Windows Defender Exclusion Commands

Detection of PowerShell commands, specifically `Add-MpPreference` or `Set-MpPreference`, used to create Windows Defender exclusions, enabling attackers to bypass antivirus defenses and execute malicious code undetected.

Attackers often attempt to evade security tools, including Windows Defender. One common method is to add exclusions so that Defender no longer scans specific files, folders, or processes. PowerShell, a scripting language built into Windows, can manage Defender settings, including exclusions, which makes it an attractive tool for adversaries. This activity is significant because it lets malicious code execute without detection. If confirmed malicious, this behavior could enable attackers to evade antivirus defenses, maintain persistence, and carry out further malicious activity undetected. The references provided show real-world examples of Remcos RAT and other malware families using this technique.

Attack Chain

  1. An attacker gains initial access to a system, potentially through phishing or exploitation of a vulnerability.
  2. The attacker executes a PowerShell script.
  3. The PowerShell script uses the Add-MpPreference or Set-MpPreference cmdlet.
  4. The script specifies exclusion parameters, such as -ExclusionPath, -ExclusionProcess, or -ExclusionExtension.
  5. The exclusion is added to Windows Defender, preventing it from scanning the specified files, folders, or processes.
  6. The attacker deploys and executes malware within the excluded path or process.
  7. Windows Defender does not detect the malware due to the exclusion.
  8. The attacker achieves their objectives, such as data theft, system compromise, or ransomware deployment.

Impact

Successful use of this technique allows attackers to bypass Windows Defender's real-time protection and execute malicious code undetected. This can lead to data breaches, system compromise, and other serious security incidents. Multiple threat actors, as demonstrated in the references, have used this technique in various campaigns, resulting in malware infections, data exfiltration, and potential ransomware deployment, with significant financial and reputational damage to the affected organizations.

Recommendation

  • Enable PowerShell Script Block Logging (EventCode 4104) to capture the commands being executed.
  • Deploy the Sigma rule Detect-WindowsDefender-Exclusion to detect suspicious PowerShell commands that add Windows Defender exclusions.
  • Investigate any alerts generated by the Sigma rule, focusing on the user and destination host involved.
  • Review existing Windows Defender exclusions to identify any suspicious or unauthorized entries.
  • Monitor PowerShell execution for unusual or suspicious activity, especially related to Defender management.
  • Audit and restrict access to PowerShell, limiting its use to authorized personnel and processes.
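The following is an added illustration, not one of the platform's Sigma rules: a small detector run over constructed Event ID 4104 records (the field names `EventID`, `User` and `ScriptBlockText` are assumptions about the log schema). It flags `Add-MpPreference`/`Set-MpPreference` only when an exclusion parameter is present, and it expands abbreviated parameter names the way PowerShell does, so `-exclusionext` is caught as well as `-ExclusionExtension`.

```python
import re
from typing import Dict, List, Optional

# Exclusion parameters of Add-MpPreference / Set-MpPreference named in the advisory.
EXCLUSION_PARAMS = ("ExclusionPath", "ExclusionProcess", "ExclusionExtension")

# PowerShell accepts any unambiguous prefix of a parameter name, so match
# "-Exclusion" plus whatever was typed rather than only the three full names.
CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
PARAM_RE = re.compile(r"(?<!\S)-(Exclusion[A-Za-z]*)", re.IGNORECASE)

# Constructed sample Event ID 4104 records; the field names are assumptions,
# not the exact schema of any SIEM or of the platform's own rules.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4104, "User": "CORP\\jdoe",
     "ScriptBlockText": "Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\tools'"},
    {"EventID": 4104, "User": "CORP\\svc_backup",
     "ScriptBlockText": "Set-MpPreference -ExclusionProcess updater.exe -Force"},
    {"EventID": 4104, "User": "CORP\\jdoe",
     "ScriptBlockText": "add-mppreference -exclusionext .tmp"},  # lowercase, abbreviated
    {"EventID": 4104, "User": "CORP\\admin",
     "ScriptBlockText": "Get-MpPreference | Select-Object ExclusionPath"},  # read-only
    {"EventID": 4104, "User": "CORP\\admin",
     "ScriptBlockText": "Set-MpPreference -ScanScheduleDay 0"},  # no exclusion
]

def resolve_param(typed: str) -> str:
    """Expand a possibly abbreviated parameter name the way PowerShell would."""
    hits = [p for p in EXCLUSION_PARAMS if p.lower().startswith(typed.lower())]
    if len(hits) == 1:
        return hits[0]
    return ("ambiguous:" if hits else "unknown:") + typed

def detect_defender_exclusion(event: Dict) -> Optional[Dict]:
    """Return a finding when a 4104 script block adds or changes exclusions."""
    if event.get("EventID") != 4104:
        return None  # only script block logging carries the full command text
    text = event.get("ScriptBlockText", "")
    if not CMDLET_RE.search(text):
        return None  # Get-MpPreference and unrelated cmdlets are out of scope
    params = [resolve_param(m.group(1)) for m in PARAM_RE.finditer(text)]
    if not params:
        return None  # Set-MpPreference used for a non-exclusion setting
    return {"user": event["User"], "params": params, "script": text}

def scan(events: List[Dict]) -> List[Dict]:
    """Run the check over a batch of events and collect the findings."""
    return [f for f in (detect_defender_exclusion(e) for e in events) if f]
```

Run against the constructed batch, `scan(SAMPLE_EVENTS)` returns three findings (the two `jdoe` commands and the `svc_backup` one) and ignores the read-only and non-exclusion commands; the user field in each finding is the pivot the recommendations above call for.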

Detection coverage (2 rules)

Detect Windows Defender Exclusion via PowerShell

Severity: high

Detects PowerShell commands used to add or modify Windows Defender exclusions.

Type: sigma | Tactics: defense_evasion | Techniques: T1562.001 | Sources: process_creation, windows

Detect Windows Defender Exclusion via PowerShell Script Block Logging

Severity: high

Detects PowerShell commands used to add or modify Windows Defender exclusions via script block logging.

Type: sigma | Tactics: defense_evasion | Techniques: T1562.001 | Sources: powershell_script, windows
