Possible Windows Defender Exclusion Discovery

Rule Info

Name
Possible Windows Defender Exclusion Discovery
Author
Florian Roth
Description
Detects a suspicious MpCmdRun.exe process command line that looks as if someone was trying to find Windows Defender exclusions
Reference
https://blog.fndsec.net/2024/10/04/uncovering-exclusion-paths-in-microsoft-defender-a-security-research-insight/
Date
2024-10-06 00:00:00
Modified
None
Id
8a1971e6-0d85-4bb1-813d-b99f2c6019b0
Tags
attack.defense-evasion attack.t1562.001
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022