Defender AV Exclusion Events
Defender Exclusion Events
Query
let ExclusionOptions = dynamic(['ExclusionPath', 'ExclusionExtension', 'ExclusionProcess', 'ExclusionIpAddress']);
let Modules = dynamic(['Add-MpPreference','Set-MpPreference']);
let CommandLineExecutions = DeviceProcessEvents
| where ProcessCommandLine has_any (Modules) and ProcessCommandLine has_any (ExclusionOptions);
let PowerShellExecutions = DeviceEvents
| where ActionType == 'PowerShellCommand'
| where AdditionalFields has_any (Modules) and AdditionalFields has_any (ExclusionOptions);
union PowerShellExecutions, CommandLineExecutionsAbout this query
Explanation
This query is designed to detect attempts to add exclusions to Microsoft Defender using PowerShell commands. These exclusions can allow malicious software to run undetected by the antivirus. The query looks for specific PowerShell commands (Add-MpPreference or Set-MpPreference) that are used to add exclusions for file paths, file extensions, processes, or IP addresses. It checks both direct command-line executions and PowerShell script-based executions. By identifying these actions, the query helps in detecting potential defense evasion techniques used by attackers to impair system defenses.
