Add or set Windows Defender exclusion

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon or process auditing to be enabled so that process command lines are logged; the criteria below match on the command line of the process-creation event.

Rule type:

Correlation rule

Rule description:

This correlation rule is designed to detect attempts to modify Windows Defender exclusions, that is, the files, folders, file types, and processes that Defender treats as safe and does not scan. Such modifications are typically carried out with the PowerShell cmdlets Add-MpPreference or Set-MpPreference, and the rule identifies and alerts on such activity.

Data source

Windows: process, kernel, file

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0005 - Defense Evasion, TA0003 - Persistence

Techniques: T1562 - Impair Defenses, T1547 - Boot or Logon Autostart Execution

Sub-techniques: T1562.001 - Impair Defenses: Disable or Modify Tools

Criteria:

Command line contains Add-MpPreference OR Set-MpPreference: This part of the rule looks for process events whose command line invokes either the Add-MpPreference or the Set-MpPreference cmdlet. These cmdlets are used to add or modify Windows Defender exclusions.

AND Command line contains -exclusion: This ensures that the same command line also contains the string "-exclusion", which narrows the match to invocations that manipulate exclusions rather than other Defender preferences.
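The two criteria above, implemented as a small stand-alone detector over process-creation events. This is an added example and not the product's own rule engine; the events are constructed samples in the shape of Sysmon Event ID 1 fields (EventID, Image, CommandLine, User), not real telemetry. Matching is case-insensitive because PowerShell cmdlet and parameter names are case-insensitive, and the "-exclusion" check deliberately matches every exclusion parameter of the cmdlets (for example -ExclusionPath, -ExclusionProcess, -ExclusionExtension, -ExclusionIpAddress) so the alert records which one was used.

```python
import re

# Constructed sample events shaped like Sysmon Event ID 1 (process creation).
# Not real telemetry; values are made up for the example.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\Temp"',
     "User": r"CORP\jdoe"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe set-mppreference -exclusionprocess "svchost.exe"',
     "User": r"CORP\svc-deploy"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-MpPreference",
     "User": r"CORP\jdoe"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
     "User": r"CORP\jdoe"},
    {"EventID": 3,  # network connection event: wrong event type, must be skipped
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Add-MpPreference -ExclusionPath C:\Temp",
     "User": r"CORP\jdoe"},
]

# Criterion 1: command line contains Add-MpPreference OR Set-MpPreference.
CMDLET_RE = re.compile(r"\b(add|set)-mppreference\b", re.IGNORECASE)
# Criterion 2: command line contains "-exclusion"; the capture group keeps the
# full parameter name (ExclusionPath, ExclusionProcess, ...) for the alert.
EXCLUSION_RE = re.compile(r"-(exclusion\w*)", re.IGNORECASE)


def matches_rule(command_line: str) -> bool:
    """True when both criteria hold on a single command line (AND logic)."""
    return bool(CMDLET_RE.search(command_line)) and bool(EXCLUSION_RE.search(command_line))


def exclusion_parameter(command_line: str):
    """Name of the exclusion parameter used, or None if none is present."""
    m = EXCLUSION_RE.search(command_line)
    return m.group(1) if m else None


def run_rule(events):
    """Apply the rule to process-creation events and return one alert per match."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:          # only process-creation events carry the command line
            continue
        cl = ev.get("CommandLine", "")
        if matches_rule(cl):
            alerts.append({
                "rule": "Add or set Windows Defender exclusion",
                "technique": "T1562.001",
                "user": ev.get("User"),
                "image": ev.get("Image"),
                "parameter": exclusion_parameter(cl),
                "command_line": cl,
            })
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(f"[{alert['technique']}] {alert['user']} used -{alert['parameter']}: {alert['command_line']}")
```

Of the five samples, only the first two raise an alert. Get-MpPreference has no exclusion parameter, the DisableRealtimeMonitoring call is Defender tampering of a different kind that this rule intentionally does not cover, and the fifth sample is skipped because the command line is only trusted on the process-creation event itself.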

When to enable this rule:

Enable this rule to detect suspicious attempts to tamper with Windows Defender exclusions. Adding or modifying exclusions is a tactic malware uses to bypass detection. The rule helps identify potential threats by monitoring for activity that modifies Windows Defender's configuration, such as adding exclusions for files, folders, processes, or registry keys.

Compliance mapping (NIST, CIS):

Enabling this rule will help you meet the requirements of the following security standards:

  • NIST Cybersecurity Framework (CSF): PR.AC (Access Control) to control changes to security configurations and prevent unauthorized exclusion settings.
  • CIS Control: 5 (Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers) to ensure secure configurations of security tools.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.