Suspicious Windows Defender Exclusions Added - PowerShell

Rule Info

Name: Suspicious Windows Defender Exclusions Added - PowerShell
Author: Nasreddine Bencherchali
Description: Detects execution of the PowerShell "Add-MpPreference" or "Set-MpPreference" cmdlets to add dangerous exclusions to Windows Defender.
Date: 2022-11-17 00:00:00
Modified: 2023-03-29 00:00:00
Id: 90c9abab-cfd3-4f5c-b75e-25a5cf2a2e55
Tags: attack.defense_evasion, attack.t1562, attack.execution, attack.t1059
Type: Nextron Sigma feed only (private)

Rule History