Windows Defender Exclusions Added via PowerShell

edit

Windows Defender Exclusions Added via PowerShell

edit

Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion

Version: 5 (version history)

Added (Elastic Stack release): 7.14.0

Last modified (Elastic Stack release): 8.0.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guide

edit
## Triage and analysis

### Investigating Windows Defender Exclusions

Microsoft Windows Defender is an anti-virus product built-in within Microsoft Windows. Since this software product is
used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration
settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more
notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defense to avoid detection.

#### Possible investigation steps:
- With this specific rule, it's completely possible to trigger detections on network administrative activity or benign users
using scripting and PowerShell to configure the different exclusions for Windows Defender. Therefore, it's important to
identify the source of the activity first and determine if there is any mal-intent behind the events.
- The actual exclusion such as the process, the file or directory should be reviewed in order to determine the original
intent behind the exclusion. Is the excluded file or process malicious in nature or is it related to software that needs
to be legitimately whitelisted from Windows Defender?

### False Positive Analysis
- This rule has a higher chance to produce false positives based on the nature around configuring exclusions by possibly
a network administrator. In order to validate the activity further, review the specific exclusion made and determine based
on the exclusion of the original intent behind the exclusion. There are often many legitimate reasons why exclusions are made
with Windows Defender so it's important to gain context around the exclusion.

### Related Rules
- Windows Defender Disabled via Registry Modification
- Disabling Windows Defender Security Settings via PowerShell

### Response and Remediation
- Since this is related to post-exploitation activity, immediate response should be taken to review, investigate and
potentially isolate further activity
- If further analysis showed malicious intent was behind the Defender exclusions, administrators should remove
the exclusion and ensure antimalware capability has not been disabled or deleted
- Exclusion lists for antimalware capabilities should always be routinely monitored for review

Rule query

edit
process where event.type == "start" and (process.name :
("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
process.pe.original_file_name in ("powershell.exe", "pwsh.dll",
"powershell_ise.exe")) and process.args : ("*Add-MpPreference*",
"*Set-MpPreference*") and process.args : ("*-Exclusion*")

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 5 (8.0.0 release)
  • Updated query, changed from:

    process where event.type == "start" and (process.name :
    ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
    process.pe.original_file_name in ("powershell.exe", "pwsh.dll",
    "powershell_ise.exe")) and process.args : ("*Add-
    MpPreference*-Exclusion*", "*Set-MpPreference*-Exclusion*")
Version 4 (7.16.0 release)
  • Updated query, changed from:

    process where event.type == "start" and (process.name :
    ("powershell.exe", "pwsh.exe") or process.pe.original_file_name :
    ("powershell.exe", "pwsh.exe")) and process.args : ("*Add-
    MpPreference*-Exclusion*", "*Set-MpPreference*-Exclusion*")
Version 2 (7.15.0 release)
  • Formatting only