Suspicious Windows Defender Exclusions Added

Rule Info

Id: 8aa52eab-3271-46c2-921a-7d2612278b0b
Author: Nasreddine Bencherchali
Name: Suspicious Windows Defender Exclusions Added
Tags: attack.defense_evasion, attack.execution, attack.t1562, attack.t1059
Date: 2022-11-17 00:00:00
Modified: 2022-11-21 00:00:00
Description: Detects execution of the PowerShell "Add-MpPreference" or "Set-MpPreference" cmdlets to add dangerous exclusions to Windows Defender
Type: Nextron Sigma feed only (private)

Rule History