
Rule Info

Name: Windows Defender Exclusion of C Drive
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects attempts to exclude the entire C:\ drive from Microsoft Defender Antivirus scanning.
Adversaries may attempt to exclude the entire C:\ drive from Microsoft Defender Antivirus scanning to avoid detection of their malicious activities.
The entire C:\ drive, including all its subdirectories (C:\Windows\, C:\Program Files\, C:\Users\, etc.), will not be scanned. This can be used to hide malware from being detected by Microsoft Defender Antivirus.
Date: 2025-03-13 00:00:00
Modified: None
Id: 87db517c-3ad2-45e4-9e9b-692360da389d
Tags: attack.defense-evasion attack.t1562.001
Type: Nextron Sigma feed only (private)