Suspicious Windows Defender Exclusions Added - PowerShell

Rule Info

Id: 90c9abab-cfd3-4f5c-b75e-25a5cf2a2e55
Author: Nasreddine Bencherchali
Name: Suspicious Windows Defender Exclusions Added - PowerShell
Tags: attack.defense_evasion attack.execution attack.t1562 attack.t1059
Date: 2022-11-17 00:00:00
Modified: 2022-11-21 00:00:00
Description: Detects execution of the PowerShell "Add-MpPreference" or "Set-MpPreference" cmdlets to add dangerous exclusions to Windows Defender
Type: Nextron Sigma feed only (private)

Rule History