Skip to content
Threat Feed
high advisory

Windows Defender Tampering via WMIC for Defense Evasion

A technique brief describes how adversaries may use `wmic.exe` to tamper with Windows Defender settings, specifically to add exclusions via the `\root\Microsoft\Windows\Defender` WMI namespace, reducing the host's security posture and enabling further malicious activity.

This brief details a common defense evasion technique where adversaries leverage wmic.exe (Windows Management Instrumentation Command-line) to modify Windows Defender settings. The wmic.exe utility, a legitimate system tool, is abused to interact with the \\root\\Microsoft\\Windows\\Defender WMI namespace, allowing attackers to programmatically add exclusions for files, paths, processes, or file extensions. This tampering effectively bypasses Windows Defender's real-time protection, creating blind spots for malicious payloads to execute and persist undetected. This method has been observed in campaigns by various malware families, including Gootkit, to ensure their operations are not impeded by antivirus software. Detecting such activity is critical as it indicates a significant compromise and an attempt to neutralize a primary endpoint security control.

Attack Chain

  1. Initial Access: An adversary successfully gains execution on a target Windows host, typically through spearphishing or exploiting a vulnerable service.
  2. Discovery: (Optional) The attacker performs reconnaissance to identify Windows Defender as the active endpoint protection solution on the compromised system.
  3. Defense Evasion (WMIC Execution): The adversary executes wmic.exe via the command line or a script, specifying the \\root\\Microsoft\\Windows\\Defender WMI namespace to interact with Defender's settings.
  4. Defense Evasion (Exclusion Creation): Using wmic.exe, the attacker issues commands to add specific file paths, process names, or file extensions to Windows Defender's exclusion list, preventing it from scanning or quarantining malicious artifacts.
  5. Execution/Persistence Facilitation: With the exclusions in place, the adversary proceeds to execute their primary payload (e.g., malware, ransomware, credential dumpers) or establish persistence mechanisms in the excluded areas, ensuring they operate without detection.
  6. Impact: The attacker achieves their objective, such as data exfiltration, ransomware deployment, or system takeover, leveraging the bypassed endpoint defenses.

Impact

Successful tampering with Windows Defender via wmic.exe significantly degrades the security posture of the compromised system, leaving it vulnerable to subsequent malicious activity. Adversaries can achieve undetected execution of malware, install ransomware, exfiltrate sensitive data, or establish long-term persistence without the primary endpoint detection and response (EDR) solution interfering. While specific victim counts are not tied to this general technique, successful implementation allows attackers to bypass critical defenses, leading to severe operational disruption, financial loss, and data breaches across various sectors.

Recommendation

  • Deploy the provided Sigma rule (Potential Windows Defender Tampering Via Wmic.EXE) to your SIEM/EDR to detect suspicious wmic.exe interactions with Windows Defender.
  • Enable comprehensive process creation logging (e.g., Sysmon Event ID 1) to capture full CommandLine arguments for wmic.exe executions.
  • Review legitimate administrative scripts and security tools that may use wmic.exe to interact with Defender settings to establish a baseline and reduce false positives.
  • Implement host-based firewall rules or network segmentation to limit outbound connections, even if Defender is tampered with, to contain post-exploitation activity.

Detection coverage 1

Potential Windows Defender Tampering Via Wmic.EXE

high

Detects `wmic.exe` execution attempting to add exclusions or modify settings within the Windows Defender WMI namespace (`\root\Microsoft\Windows\Defender`), a common defense evasion technique.

sigma tactics: defense_evasion, execution techniques: T1047, T1562.001 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →