Query Details

PowerShell Defender Exclusion Modification

Query

# *PowerShell Defender Exclusion Modification*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1562.001 | Disable or Modify Tools | https://attack.mitre.org/techniques/T1562/001/ |

#### Description
Detects PowerShell commands that attempt to modify Windows Defender preferences by adding exclusions for paths, file extensions, or processes. This activity often indicates an adversary attempting to disable or bypass security controls. The same technique has also been observed in XWorm malware.

#### Risk
Unwanted changes to Defender exclusions

#### Author
- **Name:** Benjamin Zulliger
- **GitHub:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/

#### References
- https://www.sambent.com/xworm-malware-evolves-into-ransomware-threat/

## Defender XDR
```KQL
DeviceProcessEvents
| where FileName in ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any (
    "Add-MpPreference",
    "Set-MpPreference"
)
| where ProcessCommandLine has_any (
    "-ExclusionPath",
    "-ExclusionExtension",
    "-ExclusionProcess"
)
//Exclude false positives by ProcessCommandLine
| where not(ProcessCommandLine has_any ('-ExclusionPath "\'C:\\Program Files\\JetBrains\\Rider\\r2r"', '"powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionProcess \'C:\\Program Files\\FreeFileSync\\Bin\\*\'"'))
```

Explanation

This query is designed to detect suspicious PowerShell commands that modify Windows Defender settings to add exclusions for specific paths, file extensions, or processes. Such modifications can be a sign of malicious activity, as attackers might try to disable or bypass security measures. The query specifically looks for processes involving PowerShell executables and checks if they include commands like Add-MpPreference or Set-MpPreference with parameters related to exclusions. It also filters out known false positives to reduce noise in the results. This activity is associated with the MITRE ATT&CK technique T1562.001, which involves disabling or modifying security tools.
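As an added example (not part of the original query or the author's repository), the four filters of the query modelled in Python and run over constructed DeviceProcessEvents rows. KQL's `has_any` is approximated with case-insensitive substring matching, which is slightly looser than the real term-based operator, and `in` is kept case-sensitive as it is in KQL.

```python
from dataclasses import dataclass

# Filters copied from the KQL query above.
POWERSHELL_HOSTS = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
PREFERENCE_CMDLETS = ("Add-MpPreference", "Set-MpPreference")
EXCLUSION_PARAMS = ("-ExclusionPath", "-ExclusionExtension", "-ExclusionProcess")
KNOWN_FALSE_POSITIVES = (
    '-ExclusionPath "\'C:\\Program Files\\JetBrains\\Rider\\r2r"',
    '"powershell.exe" -inputformat none -outputformat none -NonInteractive '
    '-Command "Add-MpPreference -ExclusionProcess \'C:\\Program Files\\FreeFileSync\\Bin\\*\'"',
)


@dataclass
class DeviceProcessEvent:
    """The two DeviceProcessEvents columns the query reads."""
    FileName: str
    ProcessCommandLine: str


def has_any(text: str, terms) -> bool:
    """Approximates KQL has_any with a case-insensitive substring test
    (the real operator matches on term boundaries, so this is slightly looser)."""
    lowered = text.lower()
    return any(term.lower() in lowered for term in terms)


def matches(event: DeviceProcessEvent) -> bool:
    """Mirror the four where-clauses of the query, in order."""
    # KQL `in` is case-sensitive (`in~` is the case-insensitive form), so the same holds here.
    if event.FileName not in POWERSHELL_HOSTS:
        return False
    if not has_any(event.ProcessCommandLine, PREFERENCE_CMDLETS):
        return False
    if not has_any(event.ProcessCommandLine, EXCLUSION_PARAMS):
        return False
    # `| where not(ProcessCommandLine has_any (...))`: drop the allow-listed command lines.
    return not has_any(event.ProcessCommandLine, KNOWN_FALSE_POSITIVES)


def run_detection(events):
    return [e for e in events if matches(e)]


# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS = [
    DeviceProcessEvent("powershell.exe",
                       'powershell.exe -Command "Add-MpPreference -ExclusionPath \'C:\\Users\\Public\'"'),
    DeviceProcessEvent("powershell.exe", KNOWN_FALSE_POSITIVES[1]),  # allow-listed FreeFileSync line
    DeviceProcessEvent("pwsh.exe", "pwsh.exe -NoProfile -Command Get-MpPreference"),  # read-only, no exclusion
    DeviceProcessEvent("cmd.exe", 'cmd.exe /c "Add-MpPreference -ExclusionExtension .exe"'),  # not a PowerShell host
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit.ProcessCommandLine)
```

Only the first sample row is reported; the allow-listed FreeFileSync line, the read-only Get-MpPreference call and the non-PowerShell host all fall through the filters.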

Details


Benjamin Zulliger

Released: October 6, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, PowerShell, Windows Defender, Preferences, Exclusions, Security Controls, XWorm, Malware

Operators

DeviceProcessEvents, where, in, has_any, not
