Windows Defender Exclusion of C Drive - PowerShell

Rule Info

Name
Windows Defender Exclusion of C Drive - PowerShell
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects attempts to exclude the entire C:\ drive from Microsoft Defender Antivirus scanning via PowerShell. Adversaries do this to avoid detection of their malicious activity: once the drive root is excluded, none of its subdirectories (C:\Windows\, C:\Program Files\, C:\Users\, etc.) are scanned, so malware placed anywhere on the drive is hidden from Microsoft Defender Antivirus.
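The rule logic itself is private to the Nextron feed, so the following PowerShell is an added example and not the rule: it shows the command shape the description refers to, a heuristic check run over constructed script-block text, an audit of the live exclusion list, and a look at the Defender and PowerShell operational logs. The cmdlets, channels and event IDs are real; the regexes, the sample commands and the assumed wording of the Event ID 5007 message body are this example's own assumptions.

```powershell
# Added example for this rule page; it is NOT the private Nextron rule logic.
# Cmdlets (Add-/Set-/Get-/Remove-MpPreference), the event channels and IDs 4104 / 5007
# are real. The regexes, the constructed sample commands and the assumed layout of the
# 5007 message body are this example's own assumptions.

# --- 1. What the description refers to (do not run this on a host you care about) ------
# Add-MpPreference -ExclusionPath 'C:\'     # appends C:\ to the path exclusion list
# Set-MpPreference -ExclusionPath 'C:\'     # replaces the whole list with just C:\
# Afterwards nothing under C:\ is scanned. Undo with:
# Remove-MpPreference -ExclusionPath 'C:\'

# --- 2. Heuristic over command text: Add-/Set-MpPreference with a bare drive root -------
# Accepts -ExclusionPath and its unambiguous abbreviations (-ExclusionPa...), any drive
# letter, quoted or not, with or without the trailing backslash, anywhere in the value
# list up to the next "-Parameter". It does not decode obfuscated or encoded commands;
# script-block logging (4104) already records the decoded text for that.
$DriveRootExclusionPattern = '(?i)\b(?:Add|Set)-MpPreference\b.*?-ExclusionPa\w*\s+(?:(?!\s-[a-z])[^\r\n])*?(?<![\w\\:])[a-z]:\\?[''"]?(?=[\s,)]|$)'

function Test-DriveRootExclusionCommand {
    param([Parameter(Mandatory)][string]$CommandText)
    return [bool]($CommandText -match $DriveRootExclusionPattern)
}

# Constructed sample commands standing in for 4104 script-block text (not real log data).
$SampleScriptBlocks = @(
    'Add-MpPreference -ExclusionPath "C:\"',                         # root, quoted         -> True
    "Set-MpPreference -ExclusionPath 'c:\' -Force",                  # root, Set- variant   -> True
    'Add-MpPreference -ExclusionPa C:',                              # abbreviated param    -> True
    'Add-MpPreference -ExclusionPath "D:\Data", "C:\"',              # root hidden in list  -> True
    'Add-MpPreference -ExclusionPath C:\Tools\build',                # ordinary sub-folder  -> False
    'Get-MpPreference | Select-Object -ExpandProperty ExclusionPath' # read-only            -> False
)

$SampleScriptBlocks | ForEach-Object {
    [pscustomobject]@{ DriveRootExclusion = Test-DriveRootExclusionCommand $_; Command = $_ }
} | Format-Table -AutoSize

# --- 3. Audit the live exclusion list on this host (needs an elevated session) ----------
function Get-DriveRootExclusions {
    $paths = (Get-MpPreference -ErrorAction Stop).ExclusionPath
    # Anything that is only "<letter>:" or "<letter>:\" is a whole-drive exclusion.
    @($paths | Where-Object { $_ -match '^(?i)[a-z]:\\?$' })
}

# --- 4. Look back through the operational logs --------------------------------------------
function Get-ScriptBlockDriveRootExclusions {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { Test-DriveRootExclusionCommand $_.Message } |
        Select-Object TimeCreated, Message
}

function Get-DefenderExclusionChangeEvents {
    param([int]$Hours = 24)
    # 5007 = "configuration has changed". Assumption: the message names the changed
    # registry value, e.g. ...\Windows Defender\Exclusions\Paths\C:\ = 0x0
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\Paths\\[A-Za-z]:\\?\s*=' } |
        Select-Object TimeCreated, Message
}

# Usage (elevated): Get-DriveRootExclusions; Get-ScriptBlockDriveRootExclusions;
#                   Get-DefenderExclusionChangeEvents -Hours 72
```

The heuristic errs towards catching: a drive root appearing anywhere in the `-ExclusionPath` value list fires, so a benign sub-folder exclusion followed on the same line by an unrelated `C:\` token would also match. When `Set-MpPreference` was used rather than `Add-MpPreference`, check what the previous exclusion list contained, since the call replaced it entirely. On managed hosts Tamper Protection may block the change; the attempt is still worth alerting on, which is the point of the rule above.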
Date
2025-03-13
Modified
None
Id
432aaba7-c02b-4d38-9e22-56623be27cee
Tags
attack.defense-evasion attack.t1562.001
Type
Nextron Sigma feed only (private)

Rule History