Add or Set Windows Defender Exclusion

Splunk Security Content

Summary
This analytic detects command-line executions of `Add-MpPreference` and `Set-MpPreference` that add or set exclusions in Windows Defender. Such executions can indicate an attempt to bypass the protection Windows Defender provides so that malicious activity goes undetected. The rule leverages process-execution telemetry collected by Endpoint Detection and Response (EDR) agents, specifically Sysmon EventID 1 and Windows Security Event 4688, to capture command lines that carry these exclusion parameters. Execution of such commands warrants further investigation, as it may indicate evasion tactics employed by threat actors. Implementing this detection requires ingesting logs that record process execution and command-line parameters and normalizing them to the Splunk Common Information Model (CIM) so that the search matches and alerts accurately.
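The detection logic described above, as an added Python example that is not part of the Splunk Security Content rule: it maps constructed Sysmon EventID 1 and Security 4688 records onto CIM Processes fields (`process_name`, `process`) and flags command lines that combine `Add-`/`Set-MpPreference` with an exclusion parameter. The sample events and their field values are constructed; `-ExclusionPath`, `-ExclusionExtension`, `-ExclusionProcess` and `-ExclusionIpAddress` are the real Defender cmdlet parameter names.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry): one Sysmon EventID 1 record and
# two Windows Security 4688 records, using each source's own field names.
SAMPLE_EVENTS = [
    {"sourcetype": "sysmon", "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "Add-MpPreference -ExclusionPath C:\Users\Public\stage"'},
    {"sourcetype": "security", "EventCode": 4688,
     "New_Process_Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Process_Command_Line": "powershell.exe Set-MpPreference -ExclusionExtension .tmp"},
    {"sourcetype": "security", "EventCode": 4688,
     "New_Process_Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # Same cmdlet but no exclusion parameter: outside this rule's scope.
     "Process_Command_Line": "powershell.exe Set-MpPreference -ScanScheduleDay 1"},
]

# The exclusion-setting cmdlets and the Defender parameters that define exclusions.
CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_RE = re.compile(r"-Exclusion(Path|Extension|Process|IpAddress)\b", re.IGNORECASE)

def normalize(event):
    """Map a Sysmon 1 or Security 4688 record onto CIM Processes fields."""
    if event.get("EventID") == 1:
        image, cmd = event["Image"], event.get("CommandLine", "")
    elif event.get("EventCode") == 4688:
        # 4688 carries a command line only when process-creation auditing includes it.
        image, cmd = event["New_Process_Name"], event.get("Process_Command_Line", "")
    else:
        return None  # not a process-creation event
    return {"sourcetype": event["sourcetype"],
            "process_name": PureWindowsPath(image).name, "process": cmd}

def is_defender_exclusion(process):
    """True when a command line both invokes Add-/Set-MpPreference and names an
    exclusion parameter. PowerShell also accepts unambiguous parameter prefixes
    (e.g. -ExclusionPa), which this literal match would not catch."""
    return bool(CMDLET_RE.search(process) and EXCLUSION_RE.search(process))

def detect(events):
    """Return the normalized records this analytic would alert on."""
    hits = []
    for event in events:
        normalized = normalize(event)
        if normalized and is_defender_exclusion(normalized["process"]):
            hits.append(normalized)
    return hits
```

Run `detect(SAMPLE_EVENTS)` to see the two exclusion-setting command lines surface while the unrelated `Set-MpPreference` call does not; in Splunk the same two-condition match is expressed against the CIM `Processes.process` field.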
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Logon Session
ATT&CK Techniques
  • T1562.001
  • T1562
Created: 2024-12-17