Query Details

Defender AV Exclusion Events

Defender Exclusion Events

Query

let ExclusionOptions = dynamic(['ExclusionPath', 'ExclusionExtension', 'ExclusionProcess', 'ExclusionIpAddress']);
let Modules = dynamic(['Add-MpPreference','Set-MpPreference']);
let CommandLineExecutions = DeviceProcessEvents
    | where ProcessCommandLine has_any (Modules) and ProcessCommandLine has_any (ExclusionOptions);
let PowerShellExecutions = DeviceEvents
    | where ActionType == 'PowerShellCommand' 
    | where AdditionalFields  has_any (Modules) and AdditionalFields has_any (ExclusionOptions);
union PowerShellExecutions, CommandLineExecutions

About this query

Explanation

This query is designed to detect attempts to add exclusions to Microsoft Defender using PowerShell commands. These exclusions can allow malicious software to run undetected by the antivirus. The query looks for specific PowerShell commands (Add-MpPreference or Set-MpPreference) that are used to add exclusions for file paths, file extensions, processes, or IP addresses. It checks both direct command-line executions and PowerShell script-based executions. By identifying these actions, the query helps in detecting potential defense evasion techniques used by attackers to impair system defenses.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: March 7, 2026

Tables

DeviceProcessEventsDeviceEvents

Keywords

Devices

Operators

letdynamichas_anywhere==andunion

MITRE Techniques

Actions

GitHub