Suspicious Windows Defender Exclusions Added

Rule Info

Name: Suspicious Windows Defender Exclusions Added
Author: Nasreddine Bencherchali
Description: Detects execution of the PowerShell "Add-MpPreference" or "Set-MpPreference" cmdlets to add dangerous exclusions to Windows Defender.
Date: 2022-11-17 00:00:00
Modified: 2022-12-06 00:00:00
Id: 8aa52eab-3271-46c2-921a-7d2612278b0b
Tags: attack.defense_evasion, attack.t1562, attack.execution, attack.t1059
Type: Nextron Sigma feed only (private)

Rule History